Releases: exasol/cloud-storage-extension

2.8.1 Security update - fix for CVE-2024-36114

04 Jun 12:56
6db8941

Fixed CVE-2024-36114 (GHSA-973x-65j7-xcf4) via a transitive dependency version update.
Updated dependencies.

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added io.airlift:aircompressor:0.27

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.1 to 4.3.2
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121

2.8.0: Simplify GCS Configuration

17 May 05:45
d178c90

This release allows configuring Google Cloud Storage (GCS) via a CONNECTION instead of uploading the credentials JSON file to BucketFS. This avoids exposing GCP credentials as a file in BucketFS and simplifies configuration. See the user guide for details.
For backwards compatibility, you can still provide the GCS credentials as a file, although CSE recommends configuring GCS via a CONNECTION.

Features

  • #316: Allowed specifying GCS credentials via CONNECTION

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.github.mwiede:jsch:0.2.17
  • Updated com.google.guava:guava:32.1.3-jre to 33.2.0-jre
  • Updated com.google.oauth-client:google-oauth-client:1.34.1 to 1.36.0
  • Updated com.nimbusds:nimbus-jose-jwt:9.37.3 to 9.39.1
  • Updated io.dropwizard.metrics:metrics-core:4.2.23 to 4.2.25
  • Updated io.grpc:grpc-netty:1.60.0 to 1.63.0
  • Updated io.netty:netty-codec-http2:4.1.108.Final to 4.1.109.Final
  • Updated org.apache.commons:commons-compress:1.26.0 to 1.26.1
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.22.0 to 2.23.1
  • Updated org.apache.logging.log4j:log4j-api:2.22.0 to 2.23.1
  • Updated org.apache.logging.log4j:log4j-core:2.22.0 to 2.23.1
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.21 to 1.9.24
  • Updated org.slf4j:jul-to-slf4j:2.0.9 to 2.0.13

Runtime Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.2.13 to 1.5.6
  • Updated ch.qos.logback:logback-core:1.2.13 to 1.5.6

Test Dependency Updates

  • Updated com.dimafeng:testcontainers-scala-scalatest_2.13:0.41.0 to 0.41.3
  • Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.0
  • Updated com.exasol:extension-manager-integration-test-java:0.5.7 to 0.5.11
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.4 to 3.16.1
  • Updated org.junit.jupiter:junit-jupiter-engine:5.10.1 to 5.10.2
  • Updated org.mockito:mockito-core:5.8.0 to 5.12.0
  • Updated org.testcontainers:localstack:1.19.3 to 1.19.8

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.41.0 to 2.43.0
  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.1
  • Updated net.alchim31.maven:scala-maven-plugin:4.8.1 to 4.9.1
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.codehaus.mojo:exec-maven-plugin:3.1.1 to 3.2.0

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.1 to 0.4.2

Development Dependency Updates

  • Updated eslint:^8.55.0 to ^8.56.0
  • Updated @types/node:^20.10.4 to ^20.12.12
  • Updated @typescript-eslint/parser:^6.13.2 to ^7.9.0
  • Updated ts-jest:^29.1.1 to ^29.1.2
  • Updated typescript:^5.3.3 to ^5.4.5
  • Updated @typescript-eslint/eslint-plugin:^6.13.2 to ^7.9.0
  • Updated ts-node:^10.9.1 to ^10.9.2
  • Updated esbuild:^0.19.8 to ^0.21.2

2.7.12 Dependency upgrades

18 Apr 09:46
45c099a

Upgraded dependencies to fix CVE-2024-29131, CVE-2024-29133 and CVE-2024-29025.

Features

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:parquet-io-java:2.0.6 to 2.0.8
  • Added io.netty:netty-codec-http2:4.1.108.Final
  • Removed io.netty:netty-handler:4.1.101.Final
  • Added org.apache.commons:commons-configuration2:2.10.1
  • Added org.glassfish.jersey.containers:jersey-container-servlet-core:2.41
  • Added org.glassfish.jersey.containers:jersey-container-servlet:2.41
  • Added org.glassfish.jersey.core:jersey-client:2.41
  • Added org.glassfish.jersey.core:jersey-common:2.41
  • Added org.glassfish.jersey.core:jersey-server:2.41
  • Added org.glassfish.jersey.inject:jersey-hk2:2.41

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.3 to 1.6.5
  • Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
  • Removed org.glassfish.jersey.core:jersey-common:2.41

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

2.7.11: upgrade zookeeper to fix CVE-2024-23944

22 Mar 10:11
ada164c

Summary

The ZooKeeper dependency was upgraded to address CVE-2024-23944.

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated org.apache.zookeeper:zookeeper:3.9.1 to 3.9.2

2.7.10: Security fixes in transitive dependencies

15 Mar 11:34
95bd05c

Summary

Fixed CVEs in transitive dependencies and upgraded Project Keeper (PK) to 4.1.0.

Features

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.nimbusds:nimbus-jose-jwt:9.37.3
  • Updated org.apache.commons:commons-compress:1.25.0 to 1.26.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.17 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0

2.7.9: Fix CVE-2023-6378

11 Dec 11:02
57105cb

Summary

This release fixes vulnerability CVE-2023-6378 (CWE-502: Deserialization of Untrusted Data (7.1)) in the following dependencies:

  • ch.qos.logback:logback-classic:jar:1.2.10:compile
  • ch.qos.logback:logback-core:jar:1.2.10:compile

Security

Refactoring

  • #290: Added tests to verify importing many files works

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:import-export-udf-common-scala_2.13:1.1.1 to 2.0.0
  • Updated com.google.protobuf:protobuf-java:3.25.0 to 3.25.1
  • Updated io.dropwizard.metrics:metrics-core:4.2.22 to 4.2.23
  • Updated io.grpc:grpc-netty:1.59.0 to 1.60.0
  • Updated io.netty:netty-handler:4.1.100.Final to 4.1.101.Final
  • Updated org.apache.commons:commons-compress:1.24.0 to 1.25.0
  • Updated org.apache.commons:commons-lang3:3.13.0 to 3.14.0
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.21.1 to 2.22.0
  • Updated org.apache.logging.log4j:log4j-api:2.21.1 to 2.22.0
  • Updated org.apache.logging.log4j:log4j-core:2.21.1 to 2.22.0
  • Updated org.apache.orc:orc-core:1.9.1 to 1.9.2
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.20 to 1.9.21
  • Removed org.slf4j:slf4j-reload4j:2.0.9

Runtime Dependency Updates

  • Added ch.qos.logback:logback-classic:1.2.13
  • Added ch.qos.logback:logback-core:1.2.13

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.3 to 7.0.0
  • Updated com.exasol:extension-manager-integration-test-java:0.5.5 to 0.5.7
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.2 to 1.6.3
  • Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.3 to 3.15.4
  • Updated org.mockito:mockito-core:5.7.0 to 5.8.0
  • Updated org.testcontainers:localstack:1.19.1 to 1.19.3

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.40.0 to 2.41.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.15 to 2.9.17
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2
  • Updated org.codehaus.mojo:exec-maven-plugin:3.1.0 to 3.1.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.0 to 0.4.1

Development Dependency Updates

  • Updated eslint:^8.53.0 to ^8.55.0
  • Updated @types/node:^20.8.10 to ^20.10.4
  • Updated @typescript-eslint/parser:^6.9.1 to ^6.13.2
  • Updated typescript:^5.2.2 to ^5.3.3
  • Updated @typescript-eslint/eslint-plugin:^6.9.1 to ^6.13.2
  • Updated esbuild:^0.19.5 to ^0.19.8

2.7.8: Access to public S3 buckets without credentials

10 Nov 12:59
5c222f9

Summary

Implemented an option to access public S3 buckets without credentials.

Features

  • #283: Support publicly available S3 buckets without credentials

2.7.7: Using shared integration tests

08 Nov 14:09
8f45444

Summary

This release refactors the extension to use shared integration tests to simplify the source code.

Refactoring

  • #284: Used shared extension integration tests

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.google.protobuf:protobuf-java:3.24.4 to 3.25.0
  • Updated io.dropwizard.metrics:metrics-core:4.2.21 to 4.2.22
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.10 to 1.9.20

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.2 to 6.6.3
  • Updated com.exasol:extension-manager-integration-test-java:0.5.4 to 0.5.5
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.2
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.2 to 3.15.3
  • Added org.glassfish.jersey.core:jersey-common:2.41
  • Updated org.junit.jupiter:junit-jupiter-engine:5.10.0 to 5.10.1
  • Updated org.mockito:mockito-core:5.6.0 to 5.7.0

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.14 to 2.9.15
  • Updated org.apache.maven.plugins:maven-clean-plugin:3.3.1 to 3.3.2
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.0 to 3.6.2

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.3.1 to 0.4.0

Development Dependency Updates

  • Updated eslint:^8.47.0 to ^8.53.0
  • Updated @jest/globals:^29.6.3 to ^29.7.0
  • Updated @types/node:^20.5.4 to ^20.8.10
  • Updated @typescript-eslint/parser:^6.4.1 to ^6.9.1
  • Updated typescript:^5.1.6 to ^5.2.2
  • Updated @typescript-eslint/eslint-plugin:^6.4.1 to ^6.9.1
  • Updated jest:29.6.3 to 29.7.0
  • Updated esbuild:^0.19.2 to ^0.19.5

2.7.6: Fix Vulnerabilities CVE-2023-44981 and CVE-2023-46120

27 Oct 11:33
aec80bf

Summary

This release fixes the following vulnerabilities:

  • CVE-2023-42503 by overriding version 3.6.3 of transitive dependency org.apache.zookeeper:zookeeper via org.apache.hadoop:hadoop-common
  • CVE-2023-46120 by excluding transitive dependency com.rabbitmq:amqp-client via org.alluxio:alluxio-core-client-hdfs

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:parquet-io-java:2.0.5 to 2.0.6
  • Updated com.google.guava:guava:32.1.2-jre to 32.1.3-jre
  • Updated io.dropwizard.metrics:metrics-core:4.2.20 to 4.2.21
  • Updated io.grpc:grpc-netty:1.56.1 to 1.59.0
  • Updated io.netty:netty-handler:4.1.99.Final to 4.1.100.Final
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.20.0 to 2.21.1
  • Updated org.apache.logging.log4j:log4j-api:2.20.0 to 2.21.1
  • Updated org.apache.logging.log4j:log4j-core:2.20.0 to 2.21.1
  • Added org.apache.zookeeper:zookeeper:3.9.1

Test Dependency Updates

  • Updated com.exasol:extension-manager-integration-test-java:0.5.1 to 0.5.4

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 1.3.1
  • Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 2.9.14
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
  • Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

2.7.5: Improved log messages

10 Oct 12:46
f97397e

Summary

This release adds log messages to allow debugging issues during import.

Features

  • #280: Improved log messages for import

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.google.protobuf:protobuf-java:3.24.3 to 3.24.4

Test Dependency Updates

  • Updated org.mockito:mockito-core:5.5.0 to 5.6.0
  • Updated org.testcontainers:localstack:1.19.0 to 1.19.1

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.39.0 to 2.40.0