#61: Fix CVE-2023-42503 in org.apache.commons:commons-compress (#62)

.gitattributes

@@ -4,6 +4,9 @@ pk_generated_parent.pom                                          linguist-genera
 .github/workflows/broken_links_checker.yml                       linguist-generated=true
 .github/workflows/ci-build-next-java.yml                         linguist-generated=true
 .github/workflows/dependencies_check.yml                         linguist-generated=true
-.github/workflows/release_droid_prepare_original_checksum.yml    linguist-generated=true
 .github/workflows/release_droid_print_quick_checksum.yml         linguist-generated=true
 .github/workflows/release_droid_release_on_maven_central.yml     linguist-generated=true
+.github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true
+
+.settings/org.eclipse.jdt.core.prefs linguist-generated=true
+.settings/org.eclipse.jdt.ui.prefs   linguist-generated=true

.github/workflows/ci-build.yml

@@ -8,21 +8,27 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
     steps:
+      - name: Free Disk Space
+        run: |
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
+      - name: Set up JDK 11 & 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
-          java-version: 11
-          cache: 'maven'
+          distribution: "temurin"
+          java-version: |
+            17
+            11
+          cache: "maven"
       - name: Cache SonarCloud packages
         uses: actions/cache@v3
         with:
@@ -33,7 +39,7 @@ jobs:
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Run tests and build with Maven
         run: |
-          mvn --batch-mode clean verify \
+          JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false
       - name: Publish Test Report
@@ -44,12 +50,12 @@ jobs:
       - name: Sonar analysis
         if: ${{ env.SONAR_TOKEN != null }}
         run: |
-          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+          JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false \
               -Dsonar.organization=exasol \
               -Dsonar.host.url=https://sonarcloud.io \
-              -Dsonar.login=$SONAR_TOKEN
+              -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/release_droid_prepare_original_checksum.yml

@@ -5,18 +5,22 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     steps:
+      - name: Free Disk Space
+        run: |
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Enable testcontainer reuse
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Run tests and build with Maven
@@ -28,4 +32,4 @@ jobs:
         with:
           name: original_checksum
           retention-days: 5
-          path: original_checksum
+          path: original_checksum

.gitignore

@@ -5,6 +5,8 @@ pom.xml.versionsBackup
 .classpath
 .project
 /.settings/org.eclipse.jdt.apt.core.prefs
+/.settings/org.eclipse.core.resources.prefs
+/.settings/org.eclipse.m2e.core.prefs
 # .settings : we need Eclipse settings for code formatter and clean-up rules
 target
 .cache

.project-keeper.yml

@@ -5,4 +5,7 @@ sources:
       - maven_central
       - integration_tests
 linkReplacements:
-  - "https://github.com/hamcrest/JavaHamcrest/hamcrest-all|https://github.com/hamcrest/JavaHamcrest"
+  - "https://github.com/hamcrest/JavaHamcrest/hamcrest-all|https://github.com/hamcrest/JavaHamcrest"
+excludes:
+  - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
+  - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"

doc/changes/changes_0.6.11.md

@@ -0,0 +1,46 @@
+# Udf Debugging Java 0.6.11, released 2023-09-26
+
+Code name: Fix CVE-2023-42503
+
+## Summary
+
+This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress` by upgrading dependencies.
+
+**Known issue:** Transitive dependency `io.netty:netty-handler` used by `software.amazon.awssdk:cloudformation` in scope `provided` contains vulnerability CVE-2023-4586. We assume that the AWS SDK's usage of netty is not affected. 
+
+## Security
+
+* #61: Fixed CVE-2023-42503 in `org.apache.commons:commons-compress`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.apache.commons:commons-compress:1.23.0` to `1.24.0`
+* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9`
+
+### Runtime Dependency Updates
+
+* Updated `org.eclipse.parsson:parsson:1.1.2` to `1.1.4`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:6.6.0` to `6.6.2`
+* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.0`
+* Updated `org.junit.jupiter:junit-jupiter-engine:5.9.3` to `5.10.0`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.9.3` to `5.10.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.4.0` to `5.5.0`
+* Updated `org.testcontainers:junit-jupiter:1.18.3` to `1.19.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.2.3` to `1.3.0`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.7` to `2.9.12`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0` to `3.1.2`
+* Updated `org.apache.maven.plugins:maven-gpg-plugin:3.0.1` to `3.1.0`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0` to `3.1.2`
+* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.4.1` to `1.5.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.15.0` to `2.16.0`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.9` to `0.8.10`