diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index d7a38b4..39612b7 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -13,6 +13,8 @@ on:
 jobs:
 linkChecker:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 shell: "bash"
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
index 8886e10..e8302fe 100644
--- a/.github/workflows/ci-build-next-java.yml
+++ b/.github/workflows/ci-build-next-java.yml
@@ -15,7 +15,6 @@ jobs:
 shell: "bash"
 permissions:
 contents: read
- checks: write # Allow scacap/action-surefire-report
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -35,9 +34,3 @@ jobs:
 mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \
 -Djava.version=17 \
 -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
- - name: Publish Test Report for Java 17
- uses: scacap/action-surefire-report@v1
- if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- fail_if_no_tests: false
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index f400651..399b9b0 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -15,8 +15,7 @@ jobs:
 shell: bash
 }
 permissions: {
- contents: read,
- checks: write
+ contents: read
 }
 concurrency: {
 group: '${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}',
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
index 9f536ee..0fa7180 100644
--- a/.github/workflows/dependencies_update.yml
+++ b/.github/workflows/dependencies_update.yml
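Review bot: In the ci-build.yml hunk the job token loses `checks: write`, but unlike ci-build-next-java.yml no hunk in this file removes a step that needed it. If a `scacap/action-surefire-report` step, or any other step that creates check runs, still exists in this job outside the hunk, it will fail against the read-only token, so confirm it is already gone. A short comment next to the block, e.g. `# read-only token: no step in this job publishes check runs`, would record why the narrower scope is sufficient. The job definition starts and ends outside the hunk.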
@@ -61,14 +61,6 @@ jobs:
 env: {
 CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
 }
- - name: Project Keeper Fix
- id: project-keeper-fix
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
- - name: Project Keeper Fix for updated Project Keeper version
- id: project-keeper-fix-2
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
 - name: Generate Pull Request comment
 id: pr-comment
 run: |
@@ -81,7 +73,11 @@ jobs:
 echo 'It updates dependencies.' >> "$GITHUB_OUTPUT"
 fi
 echo >> "$GITHUB_OUTPUT"
- echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT"
+ echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT"
+ echo '## Run PK fix manually' >> "$GITHUB_OUTPUT"
+ echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
+ echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT"
+ echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT"
 echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT"
 echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' >> "$GITHUB_OUTPUT"
 echo 'EOF' >> "$GITHUB_OUTPUT"
diff --git a/dependencies.md b/dependencies.md
index b17e806..2a1ae5d 100644
--- a/dependencies.md
+++ b/dependencies.md
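Review bot: The multi-line `pr-comment` output in the second dependencies_update.yml hunk is still closed with the fixed delimiter `echo 'EOF' >> "$GITHUB_OUTPUT"`. The lines added here are static text, but the start of this `run:` block is outside the hunk; if it writes anything derived from `inputs.vulnerability_issues` (exported as `CREATED_ISSUES` in the first hunk), a value containing a line `EOF` would end the output early and the remainder could be parsed as further outputs. Consider a per-run delimiter such as `delim="$(openssl rand -hex 16)"`, used both where the output is opened (outside the hunk) and in the closing `echo "$delim" >> "$GITHUB_OUTPUT"`.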
@@ -42,36 +42,37 @@ | [avro4s-core][43] | [MIT][22] | | [Testcontainers :: Kafka][44] | [MIT][45] | | [Joda-Time][46] | [Apache License, Version 2.0][5] | +| [ClassGraph][47] | [The MIT License (MIT)][45] | ### Plugin Dependencies | Dependency | License | | ------------------------------------------------------- | --------------------------------------------- | -| [SonarQube Scanner for Maven][47] | [GNU LGPL 3][48] | -| [Apache Maven Toolchains Plugin][49] | [Apache License, Version 2.0][5] | -| [Apache Maven Compiler Plugin][50] | [Apache-2.0][5] | -| [Apache Maven Enforcer Plugin][51] | [Apache-2.0][5] | -| [Maven Flatten Plugin][52] | [Apache Software Licenese][5] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][53] | [ASL2][14] | -| [scala-maven-plugin][54] | [Public domain (Unlicense)][55] | -| [ScalaTest Maven Plugin][56] | [the Apache License, ASL Version 2.0][19] | -| [Apache Maven Javadoc Plugin][57] | [Apache-2.0][5] | -| [Maven Surefire Plugin][58] | [Apache-2.0][5] | -| [Versions Maven Plugin][59] | [Apache License, Version 2.0][5] | -| [duplicate-finder-maven-plugin Maven Mojo][60] | [Apache License 2.0][11] | -| [Apache Maven Assembly Plugin][61] | [Apache-2.0][5] | -| [Apache Maven JAR Plugin][62] | [Apache License, Version 2.0][5] | -| [Artifact reference checker and unifier][63] | [MIT License][64] | -| [Maven Failsafe Plugin][65] | [Apache-2.0][5] | -| [JaCoCo :: Maven Plugin][66] | [EPL-2.0][67] | -| [error-code-crawler-maven-plugin][68] | [MIT License][69] | -| [Reproducible Build Maven Plugin][70] | [Apache 2.0][14] | -| [Project Keeper Maven plugin][71] | [The MIT License][72] | -| [OpenFastTrace Maven Plugin][73] | [GNU General Public License v3.0][74] | -| [Scalastyle Maven Plugin][75] | [Apache 2.0][11] | -| [spotless-maven-plugin][76] | [The Apache Software License, Version 2.0][5] | -| [scalafix-maven-plugin][77] | [BSD-3-Clause][78] | -| [Exec Maven Plugin][79] | [Apache License 2][5] | +| [SonarQube Scanner for Maven][48] | 
[GNU LGPL 3][49] | +| [Apache Maven Toolchains Plugin][50] | [Apache-2.0][5] | +| [Apache Maven Compiler Plugin][51] | [Apache-2.0][5] | +| [Apache Maven Enforcer Plugin][52] | [Apache-2.0][5] | +| [Maven Flatten Plugin][53] | [Apache Software Licenese][5] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][54] | [ASL2][14] | +| [scala-maven-plugin][55] | [Public domain (Unlicense)][56] | +| [ScalaTest Maven Plugin][57] | [the Apache License, ASL Version 2.0][19] | +| [Apache Maven Javadoc Plugin][58] | [Apache-2.0][5] | +| [Maven Surefire Plugin][59] | [Apache-2.0][5] | +| [Versions Maven Plugin][60] | [Apache License, Version 2.0][5] | +| [duplicate-finder-maven-plugin Maven Mojo][61] | [Apache License 2.0][11] | +| [Apache Maven Assembly Plugin][62] | [Apache-2.0][5] | +| [Apache Maven JAR Plugin][63] | [Apache-2.0][5] | +| [Artifact reference checker and unifier][64] | [MIT License][65] | +| [Maven Failsafe Plugin][66] | [Apache-2.0][5] | +| [JaCoCo :: Maven Plugin][67] | [EPL-2.0][68] | +| [error-code-crawler-maven-plugin][69] | [MIT License][70] | +| [Reproducible Build Maven Plugin][71] | [Apache 2.0][14] | +| [Project Keeper Maven plugin][72] | [The MIT License][73] | +| [OpenFastTrace Maven Plugin][74] | [GNU General Public License v3.0][75] | +| [Scalastyle Maven Plugin][76] | [Apache 2.0][11] | +| [spotless-maven-plugin][77] | [The Apache Software License, Version 2.0][5] | +| [scalafix-maven-plugin][78] | [BSD-3-Clause][79] | +| [Exec Maven Plugin][80] | [Apache License 2][5] | ## Extension @@ -79,7 +80,7 @@ | Dependency | License | | ----------------------------------------- | ------- | -| [@exasol/extension-manager-interface][80] | MIT | +| [@exasol/extension-manager-interface][81] | MIT | [0]: https://www.scala-lang.org/ [1]: https://www.apache.org/licenses/LICENSE-2.0 
@@ -128,37 +129,38 @@ [44]: https://java.testcontainers.org [45]: http://opensource.org/licenses/MIT [46]: https://www.joda.org/joda-time/ -[47]: http://sonarsource.github.io/sonar-scanner-maven/ -[48]: http://www.gnu.org/licenses/lgpl.txt -[49]: https://maven.apache.org/plugins/maven-toolchains-plugin/ -[50]: https://maven.apache.org/plugins/maven-compiler-plugin/ -[51]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ -[52]: https://www.mojohaus.org/flatten-maven-plugin/ -[53]: https://sonatype.github.io/ossindex-maven/maven-plugin/ -[54]: http://github.com/davidB/scala-maven-plugin -[55]: http://unlicense.org/ -[56]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin -[57]: https://maven.apache.org/plugins/maven-javadoc-plugin/ -[58]: https://maven.apache.org/surefire/maven-surefire-plugin/ -[59]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[60]: https://basepom.github.io/duplicate-finder-maven-plugin -[61]: https://maven.apache.org/plugins/maven-assembly-plugin/ -[62]: https://maven.apache.org/plugins/maven-jar-plugin/ -[63]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ -[64]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE -[65]: https://maven.apache.org/surefire/maven-failsafe-plugin/ -[66]: https://www.jacoco.org/jacoco/trunk/doc/maven.html -[67]: https://www.eclipse.org/legal/epl-2.0/ -[68]: https://github.com/exasol/error-code-crawler-maven-plugin/ -[69]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE -[70]: http://zlika.github.io/reproducible-build-maven-plugin -[71]: https://github.com/exasol/project-keeper/ -[72]: https://github.com/exasol/project-keeper/blob/main/LICENSE -[73]: https://github.com/itsallcode/openfasttrace-maven-plugin -[74]: https://www.gnu.org/licenses/gpl-3.0.html -[75]: http://www.scalastyle.org -[76]: https://github.com/diffplug/spotless -[77]: https://github.com/evis/scalafix-maven-plugin -[78]: 
https://opensource.org/licenses/BSD-3-Clause -[79]: https://www.mojohaus.org/exec-maven-plugin -[80]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.1.tgz +[47]: https://github.com/classgraph/classgraph +[48]: http://sonarsource.github.io/sonar-scanner-maven/ +[49]: http://www.gnu.org/licenses/lgpl.txt +[50]: https://maven.apache.org/plugins/maven-toolchains-plugin/ +[51]: https://maven.apache.org/plugins/maven-compiler-plugin/ +[52]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ +[53]: https://www.mojohaus.org/flatten-maven-plugin/ +[54]: https://sonatype.github.io/ossindex-maven/maven-plugin/ +[55]: http://github.com/davidB/scala-maven-plugin +[56]: http://unlicense.org/ +[57]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin +[58]: https://maven.apache.org/plugins/maven-javadoc-plugin/ +[59]: https://maven.apache.org/surefire/maven-surefire-plugin/ +[60]: https://www.mojohaus.org/versions/versions-maven-plugin/ +[61]: https://basepom.github.io/duplicate-finder-maven-plugin +[62]: https://maven.apache.org/plugins/maven-assembly-plugin/ +[63]: https://maven.apache.org/plugins/maven-jar-plugin/ +[64]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ +[65]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE +[66]: https://maven.apache.org/surefire/maven-failsafe-plugin/ +[67]: https://www.jacoco.org/jacoco/trunk/doc/maven.html +[68]: https://www.eclipse.org/legal/epl-2.0/ +[69]: https://github.com/exasol/error-code-crawler-maven-plugin/ +[70]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE +[71]: http://zlika.github.io/reproducible-build-maven-plugin +[72]: https://github.com/exasol/project-keeper/ +[73]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[74]: https://github.com/itsallcode/openfasttrace-maven-plugin +[75]: https://www.gnu.org/licenses/gpl-3.0.html +[76]: http://www.scalastyle.org 
+[77]: https://github.com/diffplug/spotless +[78]: https://github.com/evis/scalafix-maven-plugin +[79]: https://opensource.org/licenses/BSD-3-Clause +[80]: https://www.mojohaus.org/exec-maven-plugin +[81]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.1.tgz diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 7233f97..b209bd3 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [1.7.6](changes_1.7.6.md) * [1.7.5](changes_1.7.5.md) * [1.7.4](changes_1.7.4.md) * [1.7.3](changes_1.7.3.md) diff --git a/doc/changes/changes_1.7.6.md b/doc/changes/changes_1.7.6.md new file mode 100644 index 0000000..9641c4d --- /dev/null +++ b/doc/changes/changes_1.7.6.md @@ -0,0 +1,28 @@ +# Kafka Connector Extension 1.7.6, released 2024-07-05 + +Code name: Fix CVE-2021-47621 + +## Summary + +Fixes CVE-2021-47621. + +## Security + +* #98: CVE-2021-47621: io.github.classgraph:classgraph:jar:4.8.21:test + +## Dependency Updates + +### Exasol Kafka Connector Extension + +#### Test Dependency Updates + +* Added `io.github.classgraph:classgraph:4.8.174` + +#### Plugin Dependency Updates + +* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.2` to `2.0.3` +* Updated `com.exasol:project-keeper-maven-plugin:4.3.0` to `4.3.3` +* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.1` to `3.5.0` +* Updated `org.apache.maven.plugins:maven-jar-plugin:3.3.0` to `3.4.1` +* Updated `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` to `3.2.0` +* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922` to `4.0.0.4121` diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md index 2110add..5adc927 100644 --- a/doc/user_guide/user_guide.md +++ b/doc/user_guide/user_guide.md 
@@ -61,7 +61,7 @@ checksum provided together with the jar file. To check the SHA256 sum of the downloaded jar, run the command: ```sh -sha256sum exasol-kafka-connector-extension-1.7.5.jar +sha256sum exasol-kafka-connector-extension-1.7.6.jar ``` ### Building From Source @@ -84,7 +84,7 @@ sbt assembly ``` The packaged jar file should be located at -`target/scala-2.12/exasol-kafka-connector-extension-1.7.5.jar`. +`target/scala-2.12/exasol-kafka-connector-extension-1.7.6.jar`. ### Create an Exasol BucketFS Bucket @@ -106,7 +106,7 @@ jar, please make sure the BucketFS ports are open. Upload the jar file using the `curl` command: ```bash -curl -X PUT -T exasol-kafka-connector-extension-1.7.5.jar \ +curl -X PUT -T exasol-kafka-connector-extension-1.7.6.jar \ http://w:@:2580// ``` @@ -135,12 +135,12 @@ OPEN SCHEMA KAFKA_EXTENSION; CREATE OR REPLACE JAVA SET SCRIPT KAFKA_CONSUMER(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.kafka.KafkaConsumerQueryGenerator; - %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.5.jar; + %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.6.jar; / CREATE OR REPLACE JAVA SET SCRIPT KAFKA_IMPORT(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.kafka.KafkaTopicDataImporter; - %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.5.jar; + %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.6.jar; / CREATE OR REPLACE JAVA SET SCRIPT KAFKA_METADATA( @@ -150,7 +150,7 @@ CREATE OR REPLACE JAVA SET SCRIPT KAFKA_METADATA( ) EMITS (partition_index DECIMAL(18, 0), max_offset DECIMAL(36,0)) AS %scriptclass com.exasol.cloudetl.kafka.KafkaTopicMetadataReader; - %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.5.jar; + %jar /buckets/bfsdefault//exasol-kafka-connector-extension-1.7.6.jar; / ``` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index b9e4fde..d1224cf 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom 
@@ -3,7 +3,7 @@ 4.0.0 com.exasol kafka-connector-extension-generated-parent - 1.7.5 + 1.7.6 pom UTF-8 @@ -39,12 +39,12 @@ org.sonarsource.scanner.maven sonar-maven-plugin - 3.11.0.3922 + 4.0.0.4121 org.apache.maven.plugins maven-toolchains-plugin - 3.1.0 + 3.2.0 @@ -77,7 +77,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.4.1 + 3.5.0 enforce-maven @@ -230,7 +230,7 @@ org.apache.maven.plugins maven-jar-plugin - 3.3.0 + 3.4.1 default-jar @@ -315,7 +315,7 @@ com.exasol error-code-crawler-maven-plugin - 2.0.2 + 2.0.3 verify diff --git a/pom.xml b/pom.xml index 70dfaac..a24618d 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 com.exasol kafka-connector-extension - 1.7.5 + 1.7.6 Exasol Kafka Connector Extension Exasol Kafka Extension for accessing Apache Kafka https://github.com/exasol/kafka-connector-extension/ @@ -268,6 +268,13 @@ 2.12.7 test + + + io.github.classgraph + classgraph + 4.8.174 + test + @@ -476,7 +483,7 @@ com.exasol project-keeper-maven-plugin - 4.3.0 + 4.3.3 @@ -634,7 +641,7 @@ kafka-connector-extension-generated-parent com.exasol - 1.7.5 + 1.7.6 pk_generated_parent.pom diff --git a/release_config.yml b/release_config.yml deleted file mode 100644 index 45f75e8..0000000 --- a/release_config.yml +++ /dev/null @@ -1,3 +0,0 @@ -release-platforms: - - GitHub -language: Java