Skip to content

Commit

Permalink
#50: Upgraded hadoop-client dependency to fix CVE (#61)
Browse files Browse the repository at this point in the history
Fixes #50
  • Loading branch information
morazow authored Jun 28, 2023
1 parent 9dd61ad commit dfc015f
Show file tree
Hide file tree
Showing 7 changed files with 134 additions and 116 deletions.
161 changes: 82 additions & 79 deletions dependencies.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/changes/changelog.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion doc/changes/changes_1.3.3.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ Code name: Fix vulnerabilities in dependencies

## Summary

This release fixes [sonatype-2022-5401](https://ossindex.sonatype.org/vulnerability/sonatype-2022-5401) in reload4j.
This release fixes `sonatype-2022-5401` in reload4j.

## Features

Expand Down
2 changes: 1 addition & 1 deletion doc/changes/changes_2.0.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Code name: Update Dependencies
This release fixes vulnerabilities by updating dependencies:

* `com.fasterxml.woodstox:woodstox-core:jar:5.3.0:compile`: CVE-2022-40152
* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: [sonatype-2022-6438](https://ossindex.sonatype.org/vulnerability/sonatype-2022-6438)
* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: sonatype-2022-6438
* `commons-net:commons-net:jar:3.6:compile`: CVE-2021-37533

## Features
Expand Down
30 changes: 30 additions & 0 deletions doc/changes/changes_2.0.4.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Parquet for Java 2.0.4, released 2023-06-28

Code name: Updated dependencies to fix CVE vulnerabilities

## Summary

This release updates `Hadoop` dependency to fix CVE vulnerabilities.

## Security

* #50: Upgraded Hadoop dependency to fix CVE vulnerabilities

## Dependency Updates

### Compile Dependency Updates

* Updated `org.apache.hadoop:hadoop-client:3.3.5` to `3.3.6`
* Updated `org.apache.parquet:parquet-hadoop:1.13.0` to `1.13.1`
* Updated `org.scala-lang:scala-library:2.13.10` to `2.13.11`
* Added `org.xerial.snappy:snappy-java:1.1.10.1`

### Test Dependency Updates

* Updated `org.junit.jupiter:junit-jupiter:5.9.2` to `5.9.3`
* Updated `org.mockito:mockito-core:5.3.1` to `5.4.0`
* Updated `org.mockito:mockito-junit-jupiter:5.3.1` to `5.4.0`

### Plugin Dependency Updates

* Updated `org.itsallcode:openfasttrace-maven-plugin:1.6.1` to `1.6.2`
2 changes: 1 addition & 1 deletion pk_generated_parent.pom

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

52 changes: 18 additions & 34 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,35 +3,31 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.exasol</groupId>
<artifactId>parquet-io-java</artifactId>
<version>2.0.3</version>
<version>2.0.4</version>
<name>Parquet for Java</name>
<description>This project provides a library that reads Parquet files into Java objects.</description>
<url>https://github.com/exasol/parquet-io-java/</url>
<parent>
<artifactId>parquet-io-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>2.0.4</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
<properties>
<scala.version>2.13.10</scala.version>
<scala.version>2.13.11</scala.version>
<scala.compat.version>2.13</scala.compat.version>
<mockito.version>5.3.1</mockito.version>
<mockito.version>5.4.0</mockito.version>
</properties>
<distributionManagement>
<snapshotRepository>
<id>ossrh</id>
<url>https://oss.sonatype.org/content/repositories/snapshots</url>
</snapshotRepository>
<repository>
<id>ossrh</id>
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
</repository>
</distributionManagement>
<dependencies>
<dependency>
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-hadoop</artifactId>
<version>1.13.0</version>
<version>1.13.1</version>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
<version>3.3.5</version>
<version>3.3.6</version>
<!-- Excluding transitive dependencies with vulnerabilities. -->
<exclusions>
<exclusion>
Expand Down Expand Up @@ -101,6 +97,11 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.1</version>
</dependency>
<dependency>
<groupId>org.scala-lang</groupId>
<artifactId>scala-library</artifactId>
Expand All @@ -115,7 +116,7 @@
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>5.9.2</version>
<version>5.9.3</version>
<scope>test</scope>
</dependency>
<dependency>
Expand Down Expand Up @@ -217,7 +218,7 @@
<plugin>
<groupId>org.itsallcode</groupId>
<artifactId>openfasttrace-maven-plugin</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<executions>
<execution>
<id>trace-requirements</id>
Expand All @@ -244,17 +245,6 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
<configuration>
<excludeVulnerabilityIds>
<!-- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4: CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732
No update available -->
<exclude>sonatype-2022-5732</exclude>
</excludeVulnerabilityIds>
</configuration>
</plugin>
<plugin>
<groupId>org.basepom.maven</groupId>
<artifactId>duplicate-finder-maven-plugin</artifactId>
Expand Down Expand Up @@ -283,10 +273,4 @@
</plugin>
</plugins>
</build>
<parent>
<artifactId>parquet-io-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>2.0.3</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
</project>

0 comments on commit dfc015f

Please sign in to comment.