From 5985eec12a8a45b1640574804cf35a5e89beaf35 Mon Sep 17 00:00:00 2001
From: Christoph Kuhnke
Date: Mon, 29 Jul 2024 11:46:05 +0200
Subject: [PATCH] =?UTF-8?q?#74:=20Fixed=20vulnerability=20CVE-2024-25638?=
 =?UTF-8?q?=20by=20updating=20dependency=20dnsja=E2=80=A6va:dnsjava:jar:3.?=
 =?UTF-8?q?4.0=20(#75)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* #74: Fixed vulnerability CVE-2024-25638 by updating dependency dnsjava:dnsjava:jar:3.4.0
Co-authored-by: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
---
 .github/workflows/dependencies_update.yml | 2 +-
 dependencies.md | 149 +++++++++++-----------
 doc/changes/changelog.md | 1 +
 doc/changes/changes_2.0.10.md | 28 ++++
 pk_generated_parent.pom | 2 +-
 pom.xml | 20 ++-
 6 files changed, 120 insertions(+), 82 deletions(-)
 create mode 100644 doc/changes/changes_2.0.10.md
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
index 1bf502f..0fa7180 100644
--- a/.github/workflows/dependencies_update.yml
+++ b/.github/workflows/dependencies_update.yml
@@ -75,7 +75,7 @@ jobs:
 echo >> "$GITHUB_OUTPUT"
 echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT"
 echo '## Run PK fix manually' >> "$GITHUB_OUTPUT"
- echo 'Due to restrictions workflow `dependencies_update.yml` can't update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
+ echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
 echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT"
 echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT"
 echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT"
diff --git a/dependencies.md b/dependencies.md
index f66b662..0a8fab7 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -12,46 +12,47 @@
 | [Apache Avro][6] | [Apache-2.0][5] |
 | [Apache Commons Compress][7] | [Apache-2.0][5] |
 | [Apache Commons Configuration][8] | [Apache-2.0][5] |
-| [Scala Library][9] | [Apache-2.0][10] |
-| [error-reporting-java][11] | [MIT License][12] |
+| [dnsjava][9] | [BSD-3-Clause][10] |
+| [Scala Library][11] | [Apache-2.0][12] |
+| [error-reporting-java][13] | [MIT License][14] |
 
 ## Test Dependencies
 
 | Dependency | License |
 | ------------------------------------------ | ----------------------------------------- |
-| [JUnit Jupiter (Aggregator)][13] | [Eclipse Public License v2.0][14] |
-| [mockito-core][15] | [MIT][16] |
-| [mockito-junit-jupiter][15] | [MIT][16] |
-| [Hamcrest][17] | [BSD License 3][18] |
-| [scalatest][19] | [the Apache License, ASL Version 2.0][20] |
-| [EqualsVerifier \| release normal jar][21] | [Apache License, Version 2.0][5] |
+| [JUnit Jupiter (Aggregator)][15] | [Eclipse Public License v2.0][16] |
+| [mockito-core][17] | [MIT][18] |
+| [mockito-junit-jupiter][17] | [MIT][18] |
+| [Hamcrest][19] | [BSD License 3][20] |
+| [scalatest][21] | [the Apache License, ASL Version 2.0][22] |
+| [EqualsVerifier \| release normal jar][23] | [Apache License, Version 2.0][5] |
 
 ## Plugin Dependencies
 
 | Dependency | License |
 | ------------------------------------------------------- | ----------------------------------------- |
-| [SonarQube Scanner for Maven][22] | [GNU LGPL 3][23] |
-| [Apache Maven Toolchains Plugin][24] | [Apache-2.0][5] |
-| [Apache Maven Compiler Plugin][25] | [Apache-2.0][5] |
-| [Apache Maven Enforcer Plugin][26] | [Apache-2.0][5] |
-| [Maven Flatten Plugin][27] | [Apache Software Licenese][5] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][28] | [ASL2][1] |
-| [Maven Surefire Plugin][29] | [Apache-2.0][5] |
-| [Versions Maven Plugin][30] | [Apache License, Version 2.0][5] |
-| [scala-maven-plugin][31] | [Public domain (Unlicense)][32] |
-| [ScalaTest Maven Plugin][33] | [the Apache License, ASL Version 2.0][20] |
-| [OpenFastTrace Maven Plugin][34] | [GNU General Public License v3.0][35] |
-| [Project Keeper Maven plugin][36] | [The MIT License][37] |
-| [duplicate-finder-maven-plugin Maven Mojo][38] | [Apache License 2.0][39] |
-| [Apache Maven Deploy Plugin][40] | [Apache-2.0][5] |
-| [Apache Maven GPG Plugin][41] | [Apache-2.0][5] |
-| [Apache Maven Source Plugin][42] | [Apache License, Version 2.0][5] |
-| [Apache Maven Javadoc Plugin][43] | [Apache-2.0][5] |
-| [Nexus Staging Maven Plugin][44] | [Eclipse Public License][45] |
-| [Maven Failsafe Plugin][46] | [Apache-2.0][5] |
-| [JaCoCo :: Maven Plugin][47] | [EPL-2.0][48] |
-| [error-code-crawler-maven-plugin][49] | [MIT License][50] |
-| [Reproducible Build Maven Plugin][51] | [Apache 2.0][1] |
+| [SonarQube Scanner for Maven][24] | [GNU LGPL 3][25] |
+| [Apache Maven Toolchains Plugin][26] | [Apache-2.0][5] |
+| [Apache Maven Compiler Plugin][27] | [Apache-2.0][5] |
+| [Apache Maven Enforcer Plugin][28] | [Apache-2.0][5] |
+| [Maven Flatten Plugin][29] | [Apache Software Licenese][5] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][30] | [ASL2][1] |
+| [Maven Surefire Plugin][31] | [Apache-2.0][5] |
+| [Versions Maven Plugin][32] | [Apache License, Version 2.0][5] |
+| [scala-maven-plugin][33] | [Public domain (Unlicense)][34] |
+| [ScalaTest Maven Plugin][35] | [the Apache License, ASL Version 2.0][22] |
+| [OpenFastTrace Maven Plugin][36] | [GNU General Public License v3.0][37] |
+| [Project Keeper Maven plugin][38] | [The MIT License][39] |
+| [duplicate-finder-maven-plugin Maven Mojo][40] | [Apache License 2.0][41] |
+| [Apache Maven Deploy Plugin][42] | [Apache-2.0][5] |
+| [Apache Maven GPG Plugin][43] | [Apache-2.0][5] |
+| [Apache Maven Source Plugin][44] | [Apache License, Version 2.0][5] |
+| [Apache Maven Javadoc Plugin][45] | [Apache-2.0][5] |
+| [Nexus Staging Maven Plugin][46] | [Eclipse Public License][47] |
+| [Maven Failsafe Plugin][48] | [Apache-2.0][5] |
+| [JaCoCo :: Maven Plugin][49] | [EPL-2.0][50] |
+| [error-code-crawler-maven-plugin][51] | [MIT License][52] |
+| [Reproducible Build Maven Plugin][53] | [Apache 2.0][1] |
 
 [0]: https://parquet.apache.org
 [1]: http://www.apache.org/licenses/LICENSE-2.0.txt
@@ -62,46 +63,48 @@
 [6]: https://avro.apache.org
 [7]: https://commons.apache.org/proper/commons-compress/
 [8]: https://commons.apache.org/proper/commons-configuration/
-[9]: https://www.scala-lang.org/
-[10]: https://www.apache.org/licenses/LICENSE-2.0
-[11]: https://github.com/exasol/error-reporting-java/
-[12]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
-[13]: https://junit.org/junit5/
-[14]: https://www.eclipse.org/legal/epl-v20.html
-[15]: https://github.com/mockito/mockito
-[16]: https://opensource.org/licenses/MIT
-[17]: http://hamcrest.org/JavaHamcrest/
-[18]: http://opensource.org/licenses/BSD-3-Clause
-[19]: http://www.scalatest.org
-[20]: http://www.apache.org/licenses/LICENSE-2.0
-[21]: https://www.jqno.nl/equalsverifier
-[22]: http://sonarsource.github.io/sonar-scanner-maven/
-[23]: http://www.gnu.org/licenses/lgpl.txt
-[24]: https://maven.apache.org/plugins/maven-toolchains-plugin/
-[25]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[26]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[27]: https://www.mojohaus.org/flatten-maven-plugin/
-[28]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[29]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[30]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[31]: http://github.com/davidB/scala-maven-plugin
-[32]: http://unlicense.org/
-[33]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
-[34]: https://github.com/itsallcode/openfasttrace-maven-plugin
-[35]: https://www.gnu.org/licenses/gpl-3.0.html
-[36]: https://github.com/exasol/project-keeper/
-[37]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[38]: https://basepom.github.io/duplicate-finder-maven-plugin
-[39]: http://www.apache.org/licenses/LICENSE-2.0.html
-[40]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[41]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[42]: https://maven.apache.org/plugins/maven-source-plugin/
-[43]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[44]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[45]: http://www.eclipse.org/legal/epl-v10.html
-[46]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[47]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[48]: https://www.eclipse.org/legal/epl-2.0/
-[49]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[50]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[51]: http://zlika.github.io/reproducible-build-maven-plugin
+[9]: https://github.com/dnsjava/dnsjava
+[10]: https://opensource.org/licenses/BSD-3-Clause
+[11]: https://www.scala-lang.org/
+[12]: https://www.apache.org/licenses/LICENSE-2.0
+[13]: https://github.com/exasol/error-reporting-java/
+[14]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
+[15]: https://junit.org/junit5/
+[16]: https://www.eclipse.org/legal/epl-v20.html
+[17]: https://github.com/mockito/mockito
+[18]: https://opensource.org/licenses/MIT
+[19]: http://hamcrest.org/JavaHamcrest/
+[20]: http://opensource.org/licenses/BSD-3-Clause
+[21]: http://www.scalatest.org
+[22]: http://www.apache.org/licenses/LICENSE-2.0
+[23]: https://www.jqno.nl/equalsverifier
+[24]: http://sonarsource.github.io/sonar-scanner-maven/
+[25]: http://www.gnu.org/licenses/lgpl.txt
+[26]: https://maven.apache.org/plugins/maven-toolchains-plugin/
+[27]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[28]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[29]: https://www.mojohaus.org/flatten-maven-plugin/
+[30]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[31]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[32]: https://www.mojohaus.org/versions/versions-maven-plugin/
+[33]: http://github.com/davidB/scala-maven-plugin
+[34]: http://unlicense.org/
+[35]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
+[36]: https://github.com/itsallcode/openfasttrace-maven-plugin
+[37]: https://www.gnu.org/licenses/gpl-3.0.html
+[38]: https://github.com/exasol/project-keeper/
+[39]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[40]: https://basepom.github.io/duplicate-finder-maven-plugin
+[41]: http://www.apache.org/licenses/LICENSE-2.0.html
+[42]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[43]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[44]: https://maven.apache.org/plugins/maven-source-plugin/
+[45]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[46]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[47]: http://www.eclipse.org/legal/epl-v10.html
+[48]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[49]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[50]: https://www.eclipse.org/legal/epl-2.0/
+[51]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[52]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[53]: http://zlika.github.io/reproducible-build-maven-plugin
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 08045b8..47f2e4d 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
 
+* [2.0.10](changes_2.0.10.md)
 * [2.0.9](changes_2.0.9.md)
 * [2.0.8](changes_2.0.8.md)
 * [2.0.7](changes_2.0.7.md)
diff --git a/doc/changes/changes_2.0.10.md b/doc/changes/changes_2.0.10.md
new file mode 100644
index 0000000..74bc7df
--- /dev/null
+++ b/doc/changes/changes_2.0.10.md
@@ -0,0 +1,28 @@
+# Parquet for Java 2.0.10, released 2024-07-29
+
+Code name: Fix CVE-2024-25638 in dependency
+
+## Summary
+
+This release fixes vulnerability CVE-2024-25638 by updating transitive dependency `dnsjava:dnsjava:jar:3.4.0`.
+
+## Security Issues
+
+* #74: Fixed vulnerability CVE-2024-25638 by updating dependency `dnsjava:dnsjava:jar:3.4.0`.
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `dnsjava:dnsjava:3.6.0`
+* Updated `org.apache.commons:commons-configuration2:2.10.1` to `2.11.0`
+* Updated `org.apache.parquet:parquet-hadoop:1.13.1` to `1.14.1`
+* Updated `org.scala-lang:scala-library:2.13.13` to `2.13.14`
+
+### Test Dependency Updates
+
+* Updated `org.junit.jupiter:junit-jupiter:5.10.2` to `5.10.3`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:project-keeper-maven-plugin:4.3.2` to `4.3.3`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 3516bd3..6a726ab 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@ 4.0.0 com.exasol parquet-io-java-generated-parent - 2.0.9 + 2.0.10 pom UTF-8
diff --git a/pom.xml b/pom.xml
index 0f35f12..ccb99a7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,18 +3,18 @@ 4.0.0 com.exasol parquet-io-java - 2.0.9 + 2.0.10 Parquet for Java This project provides a library that reads Parquet files into Java objects. https://github.com/exasol/parquet-io-java/ parquet-io-java-generated-parent com.exasol - 2.0.9 + 2.0.10 pk_generated_parent.pom - 2.13.13 + 2.13.14 2.13 5.12.0
@@ -22,7 +22,7 @@ org.apache.parquet parquet-hadoop - 1.13.1 + 1.14.1
@@ -145,7 +145,13 @@ org.apache.commons commons-configuration2 - 2.10.1 + 2.11.0 + + + dnsjava + dnsjava + 3.6.0 org.scala-lang
@@ -161,7 +167,7 @@ org.junit.jupiter junit-jupiter - 5.10.2 + 5.10.3 test
@@ -287,7 +293,7 @@ com.exasol project-keeper-maven-plugin - 4.3.2 + 4.3.3
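Review bot: The `+ dnsjava + dnsjava + 3.6.0` dependency added in the `@@ -145,7 +145,13 @@` hunk of pom.xml exists only to override the vulnerable transitive version (3.4.0 according to the commit message) pulled in through parquet-hadoop, but the hunk records no reason for it, so a later dependency clean-up could remove it and silently restore the vulnerable version. Add an XML comment immediately above the new dependency, e.g. `<!-- Direct pin of dnsjava to a version fixed for CVE-2024-25638 (otherwise transitive via parquet-hadoop); remove once the upstream transitive version is >= 3.6.0 -->`. Declaring it as a direct dependency rather than under dependencyManagement is the right choice for a library, because only a direct declaration reaches consumers' transitive resolution, which is also why the pin needs to be protected against accidental removal. Element names are stripped in this rendering and the enclosing dependencies element starts and ends outside the hunk, so it is worth confirming with `mvn dependency:tree` that 3.6.0 is what actually resolves on the compile classpath. Separately, changes_2.0.10.md describes the fix as "updating transitive dependency `dnsjava:dnsjava:jar:3.4.0`", which names the vulnerable version rather than the pinned 3.6.0, so that sentence should be reworded to state the fixed version.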