From dfc015ffcc4ae114acd65c65d99cc64ac1e97106 Mon Sep 17 00:00:00 2001
From: Muhammet Orazov <916295+morazow@users.noreply.github.com>
Date: Wed, 28 Jun 2023 11:51:27 +0200
Subject: [PATCH] #50: Upgraded hadoop-client dependency to fix CVE (#61)
Fixes #50
---
dependencies.md | 161 ++++++++++++++++++-----------------
doc/changes/changelog.md | 1 +
doc/changes/changes_1.3.3.md | 2 +-
doc/changes/changes_2.0.1.md | 2 +-
doc/changes/changes_2.0.4.md | 30 +++++++
pk_generated_parent.pom | 2 +-
pom.xml | 52 ++++-------
7 files changed, 134 insertions(+), 116 deletions(-)
create mode 100644 doc/changes/changes_2.0.4.md
diff --git a/dependencies.md b/dependencies.md
index 9bc50e2..1012312 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -7,96 +7,99 @@
| ------------------------------- | --------------------------------------------- |
| [Apache Parquet Hadoop][0] | [The Apache Software License, Version 2.0][1] |
| Apache Hadoop Client Aggregator | [Apache License, Version 2.0][2] |
-| [Scala Library][3] | [Apache-2.0][4] |
-| [error-reporting-java][5] | [MIT License][6] |
+| [snappy-java][3] | [Apache-2.0][4] |
+| [Scala Library][5] | [Apache-2.0][6] |
+| [error-reporting-java][7] | [MIT License][8] |
## Test Dependencies
| Dependency | License |
| ------------------------------- | ----------------------------------------- |
-| [JUnit Jupiter (Aggregator)][7] | [Eclipse Public License v2.0][8] |
-| [mockito-core][9] | [The MIT License][10] |
-| [mockito-junit-jupiter][9] | [The MIT License][10] |
-| [Hamcrest][11] | [BSD License 3][12] |
-| [scalatest][13] | [the Apache License, ASL Version 2.0][14] |
+| [JUnit Jupiter (Aggregator)][9] | [Eclipse Public License v2.0][10] |
+| [mockito-core][11] | [The MIT License][12] |
+| [mockito-junit-jupiter][11] | [The MIT License][12] |
+| [Hamcrest][13] | [BSD License 3][14] |
+| [scalatest][15] | [the Apache License, ASL Version 2.0][16] |
## Plugin Dependencies
| Dependency | License |
| ------------------------------------------------------- | --------------------------------------------- |
-| [SonarQube Scanner for Maven][15] | [GNU LGPL 3][16] |
-| [Apache Maven Compiler Plugin][17] | [Apache-2.0][2] |
-| [Apache Maven Enforcer Plugin][18] | [Apache-2.0][2] |
-| [Maven Flatten Plugin][19] | [Apache Software Licenese][2] |
-| [scala-maven-plugin][20] | [Public domain (Unlicense)][21] |
-| [ScalaTest Maven Plugin][22] | [the Apache License, ASL Version 2.0][14] |
-| [OpenFastTrace Maven Plugin][23] | [GNU General Public License v3.0][24] |
-| [Project keeper maven plugin][25] | [The MIT License][26] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][27] | [ASL2][1] |
-| [Maven Surefire Plugin][28] | [Apache-2.0][2] |
-| [Versions Maven Plugin][29] | [Apache License, Version 2.0][2] |
-| [duplicate-finder-maven-plugin Maven Mojo][30] | [Apache License 2.0][31] |
-| [Apache Maven Deploy Plugin][32] | [Apache-2.0][2] |
-| [Apache Maven GPG Plugin][33] | [Apache License, Version 2.0][2] |
-| [Apache Maven Source Plugin][34] | [Apache License, Version 2.0][2] |
-| [Apache Maven Javadoc Plugin][35] | [Apache-2.0][2] |
-| [Nexus Staging Maven Plugin][36] | [Eclipse Public License][37] |
-| [Maven Failsafe Plugin][38] | [Apache-2.0][2] |
-| [JaCoCo :: Maven Plugin][39] | [Eclipse Public License 2.0][40] |
-| [error-code-crawler-maven-plugin][41] | [MIT License][42] |
-| [Reproducible Build Maven Plugin][43] | [Apache 2.0][1] |
-| [Maven Clean Plugin][44] | [The Apache Software License, Version 2.0][1] |
-| [Maven Resources Plugin][45] | [The Apache Software License, Version 2.0][1] |
-| [Maven JAR Plugin][46] | [The Apache Software License, Version 2.0][1] |
-| [Maven Install Plugin][47] | [The Apache Software License, Version 2.0][1] |
-| [Maven Site Plugin 3][48] | [The Apache Software License, Version 2.0][1] |
+| [SonarQube Scanner for Maven][17] | [GNU LGPL 3][18] |
+| [Apache Maven Compiler Plugin][19] | [Apache-2.0][2] |
+| [Apache Maven Enforcer Plugin][20] | [Apache-2.0][2] |
+| [Maven Flatten Plugin][21] | [Apache Software Licenese][2] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][22] | [ASL2][1] |
+| [Maven Surefire Plugin][23] | [Apache-2.0][2] |
+| [Versions Maven Plugin][24] | [Apache License, Version 2.0][2] |
+| [scala-maven-plugin][25] | [Public domain (Unlicense)][26] |
+| [ScalaTest Maven Plugin][27] | [the Apache License, ASL Version 2.0][16] |
+| [OpenFastTrace Maven Plugin][28] | [GNU General Public License v3.0][29] |
+| [Project keeper maven plugin][30] | [The MIT License][31] |
+| [duplicate-finder-maven-plugin Maven Mojo][32] | [Apache License 2.0][33] |
+| [Apache Maven Deploy Plugin][34] | [Apache-2.0][2] |
+| [Apache Maven GPG Plugin][35] | [Apache License, Version 2.0][2] |
+| [Apache Maven Source Plugin][36] | [Apache License, Version 2.0][2] |
+| [Apache Maven Javadoc Plugin][37] | [Apache-2.0][2] |
+| [Nexus Staging Maven Plugin][38] | [Eclipse Public License][39] |
+| [Maven Failsafe Plugin][40] | [Apache-2.0][2] |
+| [JaCoCo :: Maven Plugin][41] | [Eclipse Public License 2.0][42] |
+| [error-code-crawler-maven-plugin][43] | [MIT License][44] |
+| [Reproducible Build Maven Plugin][45] | [Apache 2.0][1] |
+| [Maven Clean Plugin][46] | [The Apache Software License, Version 2.0][1] |
+| [Maven Resources Plugin][47] | [The Apache Software License, Version 2.0][1] |
+| [Maven JAR Plugin][48] | [The Apache Software License, Version 2.0][1] |
+| [Maven Install Plugin][49] | [The Apache Software License, Version 2.0][1] |
+| [Maven Site Plugin 3][50] | [The Apache Software License, Version 2.0][1] |
[0]: https://parquet.apache.org
[1]: http://www.apache.org/licenses/LICENSE-2.0.txt
[2]: https://www.apache.org/licenses/LICENSE-2.0.txt
-[3]: https://www.scala-lang.org/
-[4]: https://www.apache.org/licenses/LICENSE-2.0
-[5]: https://github.com/exasol/error-reporting-java/
-[6]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
-[7]: https://junit.org/junit5/
-[8]: https://www.eclipse.org/legal/epl-v20.html
-[9]: https://github.com/mockito/mockito
-[10]: https://github.com/mockito/mockito/blob/main/LICENSE
-[11]: http://hamcrest.org/JavaHamcrest/
-[12]: http://opensource.org/licenses/BSD-3-Clause
-[13]: http://www.scalatest.org
-[14]: http://www.apache.org/licenses/LICENSE-2.0
-[15]: http://sonarsource.github.io/sonar-scanner-maven/
-[16]: http://www.gnu.org/licenses/lgpl.txt
-[17]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[18]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[19]: https://www.mojohaus.org/flatten-maven-plugin/
-[20]: http://github.com/davidB/scala-maven-plugin
-[21]: http://unlicense.org/
-[22]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
-[23]: https://github.com/itsallcode/openfasttrace-maven-plugin
-[24]: https://www.gnu.org/licenses/gpl-3.0.html
-[25]: https://github.com/exasol/project-keeper/
-[26]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[27]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[28]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[29]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[30]: https://github.com/basepom/duplicate-finder-maven-plugin
-[31]: http://www.apache.org/licenses/LICENSE-2.0.html
-[32]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[33]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[34]: https://maven.apache.org/plugins/maven-source-plugin/
-[35]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[36]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[37]: http://www.eclipse.org/legal/epl-v10.html
-[38]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[39]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[40]: https://www.eclipse.org/legal/epl-2.0/
-[41]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[42]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[43]: http://zlika.github.io/reproducible-build-maven-plugin
-[44]: http://maven.apache.org/plugins/maven-clean-plugin/
-[45]: http://maven.apache.org/plugins/maven-resources-plugin/
-[46]: http://maven.apache.org/plugins/maven-jar-plugin/
-[47]: http://maven.apache.org/plugins/maven-install-plugin/
-[48]: http://maven.apache.org/plugins/maven-site-plugin/
+[3]: https://github.com/xerial/snappy-java
+[4]: https://www.apache.org/licenses/LICENSE-2.0.html
+[5]: https://www.scala-lang.org/
+[6]: https://www.apache.org/licenses/LICENSE-2.0
+[7]: https://github.com/exasol/error-reporting-java/
+[8]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
+[9]: https://junit.org/junit5/
+[10]: https://www.eclipse.org/legal/epl-v20.html
+[11]: https://github.com/mockito/mockito
+[12]: https://github.com/mockito/mockito/blob/main/LICENSE
+[13]: http://hamcrest.org/JavaHamcrest/
+[14]: http://opensource.org/licenses/BSD-3-Clause
+[15]: http://www.scalatest.org
+[16]: http://www.apache.org/licenses/LICENSE-2.0
+[17]: http://sonarsource.github.io/sonar-scanner-maven/
+[18]: http://www.gnu.org/licenses/lgpl.txt
+[19]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[20]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[21]: https://www.mojohaus.org/flatten-maven-plugin/
+[22]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[23]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[24]: https://www.mojohaus.org/versions/versions-maven-plugin/
+[25]: http://github.com/davidB/scala-maven-plugin
+[26]: http://unlicense.org/
+[27]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
+[28]: https://github.com/itsallcode/openfasttrace-maven-plugin
+[29]: https://www.gnu.org/licenses/gpl-3.0.html
+[30]: https://github.com/exasol/project-keeper/
+[31]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[32]: https://github.com/basepom/duplicate-finder-maven-plugin
+[33]: http://www.apache.org/licenses/LICENSE-2.0.html
+[34]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[35]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[36]: https://maven.apache.org/plugins/maven-source-plugin/
+[37]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[38]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[39]: http://www.eclipse.org/legal/epl-v10.html
+[40]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[41]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[42]: https://www.eclipse.org/legal/epl-2.0/
+[43]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[44]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[45]: http://zlika.github.io/reproducible-build-maven-plugin
+[46]: http://maven.apache.org/plugins/maven-clean-plugin/
+[47]: http://maven.apache.org/plugins/maven-resources-plugin/
+[48]: http://maven.apache.org/plugins/maven-jar-plugin/
+[49]: http://maven.apache.org/plugins/maven-install-plugin/
+[50]: http://maven.apache.org/plugins/maven-site-plugin/
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 47e7be8..716f2c4 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [2.0.4](changes_2.0.4.md)
* [2.0.3](changes_2.0.3.md)
* [2.0.2](changes_2.0.2.md)
* [2.0.1](changes_2.0.1.md)
diff --git a/doc/changes/changes_1.3.3.md b/doc/changes/changes_1.3.3.md
index 8327e03..1c76db3 100644
--- a/doc/changes/changes_1.3.3.md
+++ b/doc/changes/changes_1.3.3.md
@@ -4,7 +4,7 @@ Code name: Fix vulnerabilities in dependencies
## Summary
-This release fixes [sonatype-2022-5401](https://ossindex.sonatype.org/vulnerability/sonatype-2022-5401) in reload4j.
+This release fixes `sonatype-2022-5401` in reload4j.
## Features
diff --git a/doc/changes/changes_2.0.1.md b/doc/changes/changes_2.0.1.md
index c61a3a8..7928d23 100644
--- a/doc/changes/changes_2.0.1.md
+++ b/doc/changes/changes_2.0.1.md
@@ -7,7 +7,7 @@ Code name: Update Dependencies
This release fixes vulnerabilities by updating dependencies:
* `com.fasterxml.woodstox:woodstox-core:jar:5.3.0:compile`: CVE-2022-40152
-* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: [sonatype-2022-6438](https://ossindex.sonatype.org/vulnerability/sonatype-2022-6438)
+* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: sonatype-2022-6438
* `commons-net:commons-net:jar:3.6:compile`: CVE-2021-37533
## Features
diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md
new file mode 100644
index 0000000..26d55df
--- /dev/null
+++ b/doc/changes/changes_2.0.4.md
@@ -0,0 +1,30 @@
+# Parquet for Java 2.0.4, released 2023-06-28
+
+Code name: Updated dependencies to fix CVE vulnerabilities
+
+## Summary
+
+This release updates `Hadoop` dependency to fix CVE vulnerabilities.
+
+## Security
+
+* #50: Upgraded Hadoop dependency to fix CVE vulnerabilities
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.apache.hadoop:hadoop-client:3.3.5` to `3.3.6`
+* Updated `org.apache.parquet:parquet-hadoop:1.13.0` to `1.13.1`
+* Updated `org.scala-lang:scala-library:2.13.10` to `2.13.11`
+* Added `org.xerial.snappy:snappy-java:1.1.10.1`
+
+### Test Dependency Updates
+
+* Updated `org.junit.jupiter:junit-jupiter:5.9.2` to `5.9.3`
+* Updated `org.mockito:mockito-core:5.3.1` to `5.4.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.3.1` to `5.4.0`
+
+### Plugin Dependency Updates
+
+* Updated `org.itsallcode:openfasttrace-maven-plugin:1.6.1` to `1.6.2`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index fa8fd4d..11ca625 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0
com.exasol
parquet-io-java-generated-parent
- 2.0.3
+ 2.0.4
pom
UTF-8
diff --git a/pom.xml b/pom.xml
index 175d882..b845a86 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,35 +3,31 @@
4.0.0
com.exasol
parquet-io-java
- 2.0.3
+ 2.0.4
Parquet for Java
This project provides a library that reads Parquet files into Java objects.
https://github.com/exasol/parquet-io-java/
+
+ parquet-io-java-generated-parent
+ com.exasol
+ 2.0.4
+ pk_generated_parent.pom
+
- 2.13.10
+ 2.13.11
2.13
- 5.3.1
+ 5.4.0
-
-
- ossrh
- https://oss.sonatype.org/content/repositories/snapshots
-
-
- ossrh
- https://oss.sonatype.org/service/local/staging/deploy/maven2/
-
-
org.apache.parquet
parquet-hadoop
- 1.13.0
+ 1.13.1
org.apache.hadoop
hadoop-client
- 3.3.5
+ 3.3.6
@@ -101,6 +97,11 @@
+
+ org.xerial.snappy
+ snappy-java
+ 1.1.10.1
+
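Review bot: The new `org.xerial.snappy:snappy-java:1.1.10.1` entry is a direct pin that exists only to override whatever snappy-java version hadoop-client/parquet-hadoop pull in transitively, but nothing in the hunk records that, so a future "unused dependency" cleanup or a version-bump tool could drop it and silently reintroduce the vulnerable transitive copy. I would add a comment directly above the `<dependency>` such as `<!-- Explicit pin: overrides the vulnerable snappy-java pulled in transitively by hadoop-client (see #50). Keep at least this version; remove once the upstream dependency ships a fixed one. -->`. It is also worth confirming with `mvn dependency:tree` that this declaration actually wins the resolution (a direct dependency normally does) and that no second, shaded copy of snappy-java still arrives via another artifact. The enclosing `<dependencies>` element starts and ends outside this hunk.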
org.scala-lang
scala-library
@@ -115,7 +116,7 @@
org.junit.jupiter
junit-jupiter
- 5.9.2
+ 5.9.3
test
@@ -217,7 +218,7 @@
org.itsallcode
openfasttrace-maven-plugin
- 1.6.1
+ 1.6.2
trace-requirements
@@ -244,17 +245,6 @@
-
- org.sonatype.ossindex.maven
- ossindex-maven-plugin
-
-
-
- sonatype-2022-5732
-
-
-
org.basepom.maven
duplicate-finder-maven-plugin
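Review bot: Deleting the whole `ossindex-maven-plugin` block here also removes the project's only vulnerability-scan exclusion (`sonatype-2022-5732`) without recording why, so a reader cannot tell whether the finding was fixed by the hadoop-client bump or whether the exclusion was simply dropped. If the advisory no longer matches after the upgrade, that is the right outcome, but it should be stated, e.g. in the surrounding configuration or the release notes: `<!-- ossindex exclusion for sonatype-2022-5732 removed in 2.0.4: no longer reported after hadoop-client 3.3.6 -->`. Since the plugin is still listed in dependencies.md, I assume the scan now runs from the generated parent; please confirm it still executes in the build rather than being lost with this deletion. The enclosing `<plugins>` element starts and ends outside this hunk.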
@@ -283,10 +273,4 @@
-
- parquet-io-java-generated-parent
- com.exasol
- 2.0.3
- pk_generated_parent.pom
-