Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#476 Fix vulnerability CVE-2023-4759 in dependency org.eclipse.jgit:org.eclipse.jgit #477

Merged
merged 3 commits into from
Sep 25, 2023
Merged

#476 Fix vulnerability CVE-2023-4759 in dependency org.eclipse.jgit:org.eclipse.jgit #477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a06f87e
#476: Fixed vulnerability CVE-2023-4759
kaklakariada Sep 25, 2023
059c343
Downgrade slf4j-jdk14
kaklakariada Sep 25, 2023
5d954fc
Update checkout action
kaklakariada Sep 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/broken_links_checker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Configure broken links checker
run: |
mkdir -p ./target
Expand All @@ -27,6 +27,6 @@ jobs:
']}' > ./target/broken_links_checker.json
- uses: gaurav-nelson/github-action-markdown-link-check@v1
with:
use-quiet-mode: 'yes'
use-verbose-mode: 'yes'
use-quiet-mode: "yes"
use-verbose-mode: "yes"
config-file: ./target/broken_links_checker.json
6 changes: 3 additions & 3 deletions .github/workflows/ci-build-next-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,15 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 17
cache: 'maven'
cache: "maven"
- name: Run tests and build with Maven
run: |
mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11 & 17
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/dependencies_check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,14 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 11
cache: 'maven'
cache: "maven"
- name: Install Projects
run: mvn --batch-mode install -DskipTests # This fixes https://github.com/exasol/project-keeper/issues/330
- name: Checking dependencies for vulnerabilities
run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
2 changes: 1 addition & 1 deletion .github/workflows/release_droid_prepare_original_checksum.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
Expand Down
7 changes: 3 additions & 4 deletions .github/workflows/release_droid_print_quick_checksum.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 11
cache: 'maven'
cache: "maven"
- name: Build with Maven skipping tests
run: mvn --batch-mode clean verify -DskipTests
- name: Print checksum
run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end'

6 changes: 3 additions & 3 deletions .github/workflows/release_droid_release_on_maven_central.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Maven Central Repository
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 11
cache: 'maven'
cache: "maven"
server-id: ossrh
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/release_droid_upload_github_release_assets.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,23 @@ on:
workflow_dispatch:
inputs:
upload_url:
description: 'Assets upload URL'
description: "Assets upload URL"
required: true

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 11
cache: 'maven'
cache: "maven"
- name: Build with Maven skipping tests
run: mvn --batch-mode clean verify -DskipTests
- name: Generate sha256sum files
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test_linux_build_on_windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
Expand Down Expand Up @@ -65,7 +65,7 @@ jobs:
needs: build-on-linux
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test_on_windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,7 @@ For GitHub Actions you can solve this by adding `fetch-depth: 0` to the checkout

```yaml
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
```
Expand Down
1 change: 1 addition & 0 deletions doc/changes/changelog.md
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

67 changes: 67 additions & 0 deletions doc/changes/changes_2.9.12.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Project Keeper 2.9.12, released 2023-09-25

Code name: Fix vulnerability CVE-2023-4759

## Summary

This release fixes vulnerability CVE-2023-4759 in dependency `org.eclipse.jgit:org.eclipse.jgit`.

## Security

* #476: Fixed vulnerability CVE-2023-4759 in dependency `org.eclipse.jgit:org.eclipse.jgit`

## Dependency Updates

### Project-Keeper Shared Model Classes

#### Compile Dependency Updates

* Updated `org.eclipse.jgit:org.eclipse.jgit:6.6.0.202305301015-r` to `6.7.0.202309050840-r`

#### Test Dependency Updates

* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`

### Project Keeper Core

#### Compile Dependency Updates

* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`

#### Runtime Dependency Updates

* Updated `com.exasol:project-keeper-java-project-crawler:2.9.11` to `2.9.12`

#### Test Dependency Updates

* Updated `com.exasol:project-keeper-shared-test-setup:2.9.11` to `2.9.12`
* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`

### Project Keeper Command Line Interface

#### Compile Dependency Updates

* Updated `com.exasol:project-keeper-core:2.9.11` to `2.9.12`

#### Test Dependency Updates

* Updated `com.exasol:project-keeper-shared-test-setup:2.9.11` to `2.9.12`

### Project Keeper Maven Plugin

#### Compile Dependency Updates

* Updated `com.exasol:project-keeper-core:2.9.11` to `2.9.12`

### Project Keeper Java Project Crawler

#### Compile Dependency Updates

* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`
* Updated `org.eclipse.jgit:org.eclipse.jgit:6.6.0.202305301015-r` to `6.7.0.202309050840-r`

### Project Keeper Shared Test Setup

#### Compile Dependency Updates

* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`
8 changes: 4 additions & 4 deletions parent-pom/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
</repository>
</distributionManagement>
<properties>
<revision>2.9.11</revision>
<revision>2.9.12</revision>
<maven.version>3.9.4</maven.version>
<junit.version>5.10.0</junit.version>
<xmlunit.version>2.9.1</xmlunit.version>
Expand Down Expand Up @@ -104,7 +104,7 @@
<dependency>
<groupId>org.eclipse.jgit</groupId>
<artifactId>org.eclipse.jgit</artifactId>
<version>6.6.0.202305301015-r</version>
<version>6.7.0.202309050840-r</version>
</dependency>
<dependency>
<groupId>net.steppschuh.markdowngenerator</groupId>
Expand Down Expand Up @@ -161,7 +161,7 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>1.7.36</version>
<version>1.7.36</version> <!-- Version 1.7.x required to fix error 'SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".' -->
<scope>test</scope>
</dependency>
<dependency>
Expand Down Expand Up @@ -197,7 +197,7 @@
<dependency>
<groupId>nl.jqno.equalsverifier</groupId>
<artifactId>equalsverifier</artifactId>
<version>3.15.1</version>
<version>3.15.2</version>
<scope>test</scope>
</dependency>
<!-- overriding vulnerable version -->
Expand Down
2 changes: 1 addition & 1 deletion ...keeper/src/main/resources/non_maven_templates/.github/workflows/project-keeper-verify.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0

Expand Down
6 changes: 3 additions & 3 deletions project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Configure broken links checker
run: |
mkdir -p ./target
Expand All @@ -27,6 +27,6 @@ jobs:
']}' > ./target/broken_links_checker.json
- uses: gaurav-nelson/github-action-markdown-link-check@v1
with:
use-quiet-mode: 'yes'
use-verbose-mode: 'yes'
use-quiet-mode: "yes"
use-verbose-mode: "yes"
config-file: ./target/broken_links_checker.json
2 changes: 1 addition & 1 deletion project-keeper/src/main/resources/templates/.github/workflows/ci-build-native-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: graalvm/setup-graalvm@v1
Expand Down
6 changes: 3 additions & 3 deletions project-keeper/src/main/resources/templates/.github/workflows/ci-build-next-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,15 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 17
cache: 'maven'
cache: "maven"
- name: Run tests and build with Maven
run: |
mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false $skipNativeImage \
Expand Down
2 changes: 1 addition & 1 deletion project-keeper/src/main/resources/templates/.github/workflows/ci-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11 & 17
Expand Down
8 changes: 4 additions & 4 deletions project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,12 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
distribution: 'temurin'
distribution: "temurin"
java-version: 11
cache: 'maven'
cache: "maven"
- name: Checking dependencies for vulnerabilities
run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
2 changes: 1 addition & 1 deletion ...rc/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 11
Expand Down
Loading