0.6.14 Fix CVE-2024-47535: io.netty:netty-common:jar:4.1.108.Final:provided

This release fixes CVE-2024-47535 in transitive production dependency io.netty:netty-common:jar:4.1.108.Final:provided added by com.exasol:exasol-test-setup-abstraction-java.

Security

• #67: Fixed CVE-2024-47535 in io.netty:netty-common:jar:4.1.108.Final:provided

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:3.1.2 to 3.2.0
• Updated org.apache.commons:commons-compress:1.26.1 to 1.27.1
• Updated org.slf4j:slf4j-jdk14:2.0.12 to 2.0.16

Runtime Dependency Updates

• Updated org.eclipse.parsson:parsson:1.1.6 to 1.1.7

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.1
• Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
• Updated org.itsallcode:junit5-system-extensions:1.2.0 to 1.2.2
• Updated org.junit.jupiter:junit-jupiter-engine:5.10.2 to 5.11.3
• Updated org.junit.jupiter:junit-jupiter-params:5.10.2 to 5.11.3
• Updated org.mockito:mockito-junit-jupiter:5.11.0 to 5.14.2
• Updated org.testcontainers:junit-jupiter:1.19.7 to 1.20.3

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
• Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.4.0
• Added com.exasol:quality-summarizer-maven-plugin:0.2.0
• Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
• Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.1 to 3.1.2
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.2 to 3.2.7
• Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.3 to 3.10.1
• Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
• Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121
• Updated org.sonatype.plugins:nexus-staging-maven-plugin:1.6.13 to 1.7.0

0.6.13 Fixes CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.100.Final:provided

This release fixes vulnerability CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.100.Final:provided.

Excluded vulnerability This release contains vulnerability CVE-2017-10355 in fr.turri:aXMLRPC for connecting to ExaOperation during tests. We accept this vulnerability (CWE-833: Deadlock) as we assume that we only connect to the known endpoint ExaOperations.

Security

• #65: Fixed CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.100.Final:provided

Dependency Updates

Compile Dependency Updates

• Updated org.apache.commons:commons-compress:1.26.0 to 1.26.1
• Updated org.jacoco:org.jacoco.core:0.8.11 to 0.8.12

Runtime Dependency Updates

• Updated org.eclipse.parsson:parsson:1.1.5 to 1.1.6

Test Dependency Updates

• Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
• Updated org.jacoco:org.jacoco.agent:0.8.11 to 0.8.12
• Updated org.mockito:mockito-junit-jupiter:5.10.0 to 5.11.0
• Updated org.testcontainers:junit-jupiter:1.19.6 to 1.19.7

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
• Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.1.0 to 3.2.2
• Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

0.6.12: Fix CVE-2024-25710 and CVE-2024-26308 in compile dependency `org.apache.commons:commons-compress`

Summary

This release fixes vulnerabilities CVE-2024-25710 and CVE-2024-26308 in compile dependency org.apache.commons:commons-compress.

Security

• #63: Fixed CVE-2024-25710 and CVE-2024-26308 in compile dependency org.apache.commons:commons-compress

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:3.1.0 to 3.1.2
• Updated jakarta.json:jakarta.json-api:2.1.2 to 2.1.3
• Updated org.apache.commons:commons-compress:1.24.0 to 1.26.0
• Updated org.jacoco:org.jacoco.core:0.8.10 to 0.8.11
• Updated org.slf4j:slf4j-jdk14:2.0.9 to 2.0.12

Runtime Dependency Updates

• Updated org.eclipse.parsson:parsson:1.1.4 to 1.1.5

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.2 to 7.0.1
• Updated com.exasol:test-db-builder-java:3.5.0 to 3.5.3
• Updated org.jacoco:org.jacoco.agent:0.8.10 to 0.8.11
• Updated org.junit.jupiter:junit-jupiter-engine:5.10.0 to 5.10.2
• Updated org.junit.jupiter:junit-jupiter-params:5.10.0 to 5.10.2
• Updated org.mockito:mockito-junit-jupiter:5.5.0 to 5.10.0
• Updated org.testcontainers:junit-jupiter:1.19.0 to 1.19.6

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 2.0.0
• Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 4.1.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.5
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 to 3.6.3
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.5
• Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
• Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.2
• Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

0.6.11: Fix CVE-2023-42503

Summary

This release fixes CVE-2023-42503 in org.apache.commons:commons-compress by upgrading dependencies.

Known issue: Transitive dependency io.netty:netty-handler used by software.amazon.awssdk:cloudformation in scope provided contains vulnerability CVE-2023-4586. We assume that the AWS SDK's usage of netty is not affected.

Security

• #61: Fixed CVE-2023-42503 in org.apache.commons:commons-compress

Dependency Updates

Compile Dependency Updates

• Updated org.apache.commons:commons-compress:1.23.0 to 1.24.0
• Updated org.slf4j:slf4j-jdk14:2.0.7 to 2.0.9

Runtime Dependency Updates

• Updated org.eclipse.parsson:parsson:1.1.2 to 1.1.4

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.0 to 6.6.2
• Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.0
• Updated org.junit.jupiter:junit-jupiter-engine:5.9.3 to 5.10.0
• Updated org.junit.jupiter:junit-jupiter-params:5.9.3 to 5.10.0
• Updated org.mockito:mockito-junit-jupiter:5.4.0 to 5.5.0
• Updated org.testcontainers:junit-jupiter:1.18.3 to 1.19.0

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.3 to 1.3.0
• Updated com.exasol:project-keeper-maven-plugin:2.9.7 to 2.9.12
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0 to 3.1.2
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.0.1 to 3.1.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0 to 3.1.2
• Updated org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 to 2.0.1
• Updated org.codehaus.mojo:flatten-maven-plugin:1.4.1 to 1.5.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.15.0 to 2.16.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.9 to 0.8.10

0.6.10: Reduce dependencies

Summary

This release uses readable and sortable names for UDF debug log files written to target/udf-logs/. The release also replaces code that causes an unnecessary dependency on slf4j-api.

Features

• #56: Used readable and sortable names for UDF debug log files.

Refactoring

• #55: Replaced code using slf4j-api

0.6.9: Upgrade dependencies on top of 0.6.8

Summary

This release fixes the following vulnerability in provided dependency io.netty:netty-handler:

• CVE-2023-34462, severity CWE-770: Allocation of Resources Without Limits or Throttling (6.5)

Security

• #57: Upgraded dependencies

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:3.0.0 to 3.1.0
• Updated com.exasol:error-reporting-java:1.0.0 to 1.0.1
• Updated jakarta.json:jakarta.json-api:2.1.1 to 2.1.2
• Updated org.apache.commons:commons-compress:1.22 to 1.23.0
• Updated org.jacoco:org.jacoco.core:0.8.8 to 0.8.10
• Removed org.slf4j:slf4j-api:2.0.6
• Added org.slf4j:slf4j-jdk14:2.0.7

Runtime Dependency Updates

• Added org.eclipse.parsson:parsson:1.1.2
• Removed org.glassfish:jakarta.json:2.0.1

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.5.1 to 6.6.0
• Updated org.jacoco:org.jacoco.agent:0.8.8 to 0.8.10
• Updated org.junit.jupiter:junit-jupiter-engine:5.9.2 to 5.9.3
• Updated org.junit.jupiter:junit-jupiter-params:5.9.2 to 5.9.3
• Updated org.mockito:mockito-junit-jupiter:5.1.1 to 5.4.0
• Updated org.testcontainers:junit-jupiter:1.17.6 to 1.18.3

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.2 to 1.2.3
• Updated com.exasol:project-keeper-maven-plugin:2.9.3 to 2.9.7
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.10.1 to 3.11.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.0.0 to 3.1.1
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.1.0 to 3.3.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8 to 3.0.0
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.4.1 to 3.5.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8 to 3.0.0
• Added org.basepom.maven:duplicate-finder-maven-plugin:1.5.1
• Updated org.codehaus.mojo:flatten-maven-plugin:1.3.0 to 1.4.1
• Updated org.codehaus.mojo:versions-maven-plugin:2.14.2 to 2.15.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.8 to 0.8.9

0.6.8: Improved LocalServiceExposer

Summary

Enhanced interface LocalServiceExposer and simplified usage.

Features

• #53: Enhanced interface LocalServiceExposer and simplified usage.

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:2.6.0 to 3.0.0

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.5.0 to 6.5.1
• Updated org.mockito:mockito-junit-jupiter:5.0.0 to 5.1.1

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.1 to 1.2.2
• Updated com.exasol:project-keeper-maven-plugin:2.9.1 to 2.9.3
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M7 to 3.0.0-M8
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M7 to 3.0.0-M8
• Updated org.codehaus.mojo:versions-maven-plugin:2.13.0 to 2.14.2

0.6.7: Upgrade dependencies on top of 0.6.6

Summary

This release upgrades dependencies incl. exasol-test-setup-abstraction-java 2.0.0 to adapt to the updated API.

Features

• #51: Updated to exasol-test-setup-abstraction-java 2.0.0

Dependency Updates

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.4.1 to 6.5.0
• Updated com.exasol:test-db-builder-java:3.4.1 to 3.4.2
• Updated org.junit.jupiter:junit-jupiter-engine:5.9.1 to 5.9.2
• Updated org.junit.jupiter:junit-jupiter-params:5.9.1 to 5.9.2
• Updated org.mockito:mockito-junit-jupiter:4.10.0 to 5.0.0

0.6.6: Dependency Upgrade

Summary

Updated dependencies after breaking changes in interface of bucketfs-java to re-enable compatibility with newer versions of bucketfs-java used by other libraries, e.g. exasol-testcontainers.

Changes

• #46: Updated dependencies
• #42: Documented known issue of JaCoCo failing on Windows.

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:2.4.1 to 2.6.0
• Updated org.slf4j:slf4j-api:2.0.4 to 2.0.6

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.3.1 to 6.4.1
• Updated org.mockito:mockito-junit-jupiter:4.9.0 to 4.10.0

0.6.5: Updated dependencies on top of 0.6.4

Summary

In this release we fixed a version collision between the BucketFS library used in this project and exasol-test-setup-abstraction-java that led to a class-not-found error in certain combinations.

Known Issues

This project depends on an Amazon AWS SDK which in turn depends on the Netty HTTP server version 4.1.77. This versions has a vulnerability in certificate validation that can allow to man-in-the-middle attacks. Unfortunately, no update of the AWS SDK is available at the time of this release.

Bugfixes

• #43: Fixed BucketFS library version collisions

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:bucketfs-java:2.3.0 to 2.4.1
• Updated com.exasol:error-reporting-java:0.4.1 to 1.0.0
• Updated jakarta.json:jakarta.json-api:2.1.0 to 2.1.1
• Updated org.apache.commons:commons-compress:1.21 to 1.22
• Updated org.slf4j:slf4j-api:1.7.36 to 2.0.4

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.1.2 to 6.3.1
• Updated com.exasol:test-db-builder-java:3.3.3 to 3.4.1
• Updated org.junit.jupiter:junit-jupiter-engine:5.8.2 to 5.9.1
• Updated org.junit.jupiter:junit-jupiter-params:5.8.2 to 5.9.1
• Updated org.mockito:mockito-junit-jupiter:4.6.1 to 4.9.0
• Updated org.testcontainers:junit-jupiter:1.17.2 to 1.17.6

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.1.1 to 1.2.1
• Updated com.exasol:project-keeper-maven-plugin:2.4.6 to 2.9.1
• Updated io.github.zlika:reproducible-build-maven-plugin:0.15 to 0.16
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.0.0-M2 to 3.0.0
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 to 3.1.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M4 to 3.0.0-M7
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M4 to 3.0.0-M7
• Updated org.codehaus.mojo:flatten-maven-plugin:1.2.7 to 1.3.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.10.0 to 2.13.0