Releases: exasol/bigquery-virtual-schema

3.0.4 Fixed vulnerability CVE-2024-47535 in io.netty:netty-common:jar:4.1.104.Final:test

18 Nov 09:34
57715bc

This release fixes the following vulnerability:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.104.Final:test

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe read of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Security

  • #41: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.104.Final:test

Dependency Updates

Test Dependency Updates

  • Removed com.exasol:bucketfs-java:3.2.0
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.4 to 2.1.5
  • Removed com.exasol:exasol-testcontainers:7.1.1
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
  • Updated com.google.cloud:google-cloud-bigquery:2.42.3 to 2.43.3
  • Removed com.google.protobuf:protobuf-java:3.25.5
  • Added io.netty:netty-common:4.1.115.Final
  • Removed org.json:json:20240303
  • Updated org.junit.jupiter:junit-jupiter:5.11.0 to 5.11.3
  • Updated org.mockito:mockito-junit-jupiter:5.13.0 to 5.14.2
  • Updated org.testcontainers:jdbc:1.20.1 to 1.20.3
  • Updated org.testcontainers:junit-jupiter:1.20.1 to 1.20.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

3.0.3 Fix CVE-2024-7254 in test dependency `com.google.protobuf:protobuf-java:3.25.2`

23 Sep 13:50
afff580

This release fixes CVE-2024-7254 in transitive test dependency com.google.protobuf:protobuf-java:3.25.2.

Security

  • #39: Fixed CVE-2024-7254 in test dependency com.google.protobuf:protobuf-java:3.25.2

Dependency Updates

Test Dependency Updates

  • Added com.exasol:bucketfs-java:3.2.0
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.2 to 2.1.4
  • Added com.exasol:exasol-testcontainers:7.1.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Updated com.google.cloud:google-cloud-bigquery:2.38.2 to 2.42.3
  • Added com.google.protobuf:protobuf-java:3.25.5
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Updated org.junit.jupiter:junit-jupiter:5.10.2 to 5.11.0
  • Updated org.mockito:mockito-junit-jupiter:5.11.0 to 5.13.0
  • Updated org.slf4j:slf4j-jdk14:2.0.12 to 2.0.16
  • Updated org.testcontainers:jdbc:1.19.7 to 1.20.1
  • Updated org.testcontainers:junit-jupiter:1.19.7 to 1.20.1

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.3
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121

3.0.2 Excluded vulnerabilities CVE-2024-23081, CVE-2024-23082

10 Apr 08:55
257a7f2

We assume that google-cloud-storage uses the library correctly.
This release excludes the following 2 vulnerabilities:

CVE-2024-23081 (CWE-476) in dependency org.threeten:threetenbp:jar:1.6.8:test

ThreeTen Backport v1.6.8 was discovered to contain a NullPointerException via the component org.threeten.bp.LocalDate::compareTo(ChronoLocalDate).

CVE-2024-23082 (CWE-190) in dependency org.threeten:threetenbp:jar:1.6.8:test

ThreeTen Backport v1.6.8 was discovered to contain an integer overflow via the component org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition).

Security

  • #35: Excluded vulnerability CVE-2024-23081 in dependency org.threeten:threetenbp:jar:1.6.8:test
  • #36: Excluded vulnerability CVE-2024-23082 in dependency org.threeten:threetenbp:jar:1.6.8:test

3.0.1 Fix CVE-2024-29025 in dependencies

09 Apr 15:18
509a348

This release fixed vulnerability CVE-2024-29025 in dependencies.

Security

Excluded Vulnerability

We accept vulnerability CVE-2017-10355 (CWE-833: Deadlock) in test dependency xerces:xercesImpl:jar:2.12.2 as we assume that we only connect to the known endpoint ExaOperations.

Excluded Vulnerability

We temporarily accept vulnerability CVE-2024-23081 in test dependency org.threeten:threetenbp:jar:1.6.8:test.

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.0 to 2.1.2
  • Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
  • Updated com.exasol:udf-debugging-java:0.6.12 to 0.6.13
  • Updated com.google.cloud:google-cloud-bigquery:2.38.1 to 2.38.2

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.1 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.2.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

Charset is always `utf-8`, deprecated IMPORT_DATA_TYPES `FROM_RESULT_SET` value

26 Mar 13:04
9853c34

Character set handling is now simplified: the target character set is always UTF-8.
The IMPORT_DATA_TYPES property (and its value FROM_RESULT_SET) is now deprecated (change in vs-common-jdbc).
An exception is thrown when users use FROM_RESULT_SET. The exception message warns the user that the value is no longer supported and that the property itself is also deprecated.

Refactoring

  • #22: Updated tests to include Exasol V8, update to vsjdbc 12.0.0

Dependency Updates

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.1
  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.2.0

2.2.5: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependencies

11 Mar 14:35
eed3cca

Summary

This is a security release in which we updated test dependency com.exasol:udf-debugging-java to fix vulnerabilities CVE-2024-25710 and CVE-2024-26308 in its transitive dependencies.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-jdbc:11.0.2 to 12.0.0

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.0.4 to 2.1.0
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.5
  • Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
  • Updated com.exasol:udf-debugging-java:0.6.11 to 0.6.12
  • Updated com.exasol:virtual-schema-common-jdbc:11.0.2 to 12.0.0
  • Updated com.google.cloud:google-cloud-bigquery:2.33.2 to 2.38.1
  • Updated org.json:json:20231013 to 20240303
  • Updated org.junit.jupiter:junit-jupiter:5.10.0 to 5.10.2
  • Updated org.mockito:mockito-junit-jupiter:5.6.0 to 5.11.0
  • Updated org.slf4j:slf4j-jdk14:1.7.36 to 2.0.12
  • Updated org.testcontainers:jdbc:1.19.1 to 1.19.7
  • Updated org.testcontainers:junit-jupiter:1.19.1 to 1.19.7

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.14 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2

2.2.4: Dependency Upgrade on Top of 2.2.3

25 Oct 14:11
bcbde21

Summary

This release fixes vulnerability CVE-2023-5072 in transitive test dependency org.json:json (via com.google.cloud:google-cloud-bigquery) by updating dependencies.

Security

Dependency Updates

Test Dependency Updates

  • Updated com.google.cloud:google-cloud-bigquery:2.33.1 to 2.33.2
  • Added org.json:json:20231013
  • Updated org.mockito:mockito-junit-jupiter:5.5.0 to 5.6.0
  • Updated org.testcontainers:jdbc:1.19.0 to 1.19.1
  • Updated org.testcontainers:junit-jupiter:1.19.0 to 1.19.1

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 1.3.1
  • Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 2.9.14
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
  • Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

2.2.3: Fix CVE-2023-42503 in test dependency

02 Oct 07:20
90f6bcf

Summary

This release fixes CVE-2023-42503 in test dependency org.apache.commons:commons-compress.

Known issue: Transitive test dependency io.netty:netty-handler of software.amazon.awssdk:cloudformation contains vulnerability CVE-2023-4586 (CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5)). We assume that the AWS client's usage of netty-handler is not affected by the vulnerability.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-jdbc:10.5.0 to 11.0.2

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.0.2 to 2.0.4
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
  • Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
  • Updated com.exasol:udf-debugging-java:0.6.8 to 0.6.11
  • Updated com.exasol:virtual-schema-common-jdbc:10.5.0 to 11.0.2
  • Removed com.fasterxml.jackson.core:jackson-databind:2.15.2
  • Updated com.google.cloud:google-cloud-bigquery:2.29.0 to 2.33.1
  • Updated org.junit.jupiter:junit-jupiter:5.9.3 to 5.10.0
  • Updated org.mockito:mockito-junit-jupiter:5.4.0 to 5.5.0
  • Added org.slf4j:slf4j-jdk14:1.7.36
  • Updated org.testcontainers:jdbc:1.18.3 to 1.19.0
  • Updated org.testcontainers:junit-jupiter:1.18.3 to 1.19.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.2.3 to 1.3.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.7 to 2.9.12
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.5.0 to 3.6.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0 to 3.1.2
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0 to 3.1.2
  • Updated org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 to 2.0.1
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.4.1 to 1.5.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.15.0 to 2.16.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.9 to 0.8.10

2.2.2: Dependency Upgrade on top of 2.2.1

03 Jul 13:12
f7e5c97

Summary

This release fixes vulnerabilities by updating dependencies.

Features

  • #23: Updated dependencies

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.0.1 to 2.0.2
  • Updated com.fasterxml.jackson.core:jackson-databind:2.15.0 to 2.15.2
  • Updated com.google.cloud:google-cloud-bigquery:2.25.0 to 2.29.0
  • Updated org.mockito:mockito-junit-jupiter:5.3.1 to 5.4.0
  • Updated org.testcontainers:jdbc:1.18.0 to 1.18.3
  • Updated org.testcontainers:junit-jupiter:1.18.0 to 1.18.3

2.2.1: Dependency Upgrade on Top of 2.2.0

08 May 13:18
5af2e24

Summary

This release updates dependencies and stops ignoring vulnerabilities sonatype-2020-0026, sonatype-2020-0926, and sonatype-2022-6438 that had been masked in the past.

This release ignores vulnerability CVE-2020-8908 in transitive dependency com.google.guava:guava:jar:31.1 via com.google.cloud:google-cloud-bigquery as guava is only used in tests while production code is not affected.

Features

  • #20: Fixed dependency check vulnerability findings

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.0.0 to 2.0.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.5.2 to 1.6.0
  • Updated com.fasterxml.jackson.core:jackson-databind:2.14.2 to 2.15.0
  • Updated com.google.cloud:google-cloud-bigquery:2.23.2 to 2.25.0
  • Updated org.junit.jupiter:junit-jupiter:5.9.2 to 5.9.3
  • Updated org.mockito:mockito-junit-jupiter:5.2.0 to 5.3.1
  • Updated org.testcontainers:jdbc:1.17.6 to 1.18.0
  • Updated org.testcontainers:junit-jupiter:1.17.6 to 1.18.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.2.2 to 1.2.3
  • Updated com.exasol:project-keeper-maven-plugin:2.9.4 to 2.9.7
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.10.1 to 3.11.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.2.1 to 3.3.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8 to 3.0.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8 to 3.0.0
  • Added org.basepom.maven:duplicate-finder-maven-plugin:1.5.1
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.3.0 to 1.4.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.14.2 to 2.15.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.8 to 0.8.9