🔐 Update dependencies to fix vulnerabilities (#64)

Co-authored-by: Automatic Dependency Updater <[email protected]>
Co-authored-by: Christoph Pirkl <[email protected]>

.gitignore

@@ -6,6 +6,7 @@
 # .settings : we need Eclipse settings for code formatter and clean-up rules
 .settings/org.eclipse.jdt.apt.core.prefs
 .settings/org.eclipse.core.resources.prefs
+.settings/org.eclipse.m2e.core.prefs
 target
 .cache
 dependency-reduced-pom.xml

.project-keeper.yml

@@ -10,8 +10,8 @@ build:
   runnerOs: ubuntu-20.04
   freeDiskSpace: true
   exasolDbVersions:
-    - "8.27.0" # 8.29.1 not yet supported by exasol-testcontainers, see https://github.com/exasol/exasol-testcontainers/issues/258
-    - "7.1.26" # Upgrade to 7.1.29 once https://github.com/exasol/virtual-schema-common-document-files/issues/169 is fixed
+    - "8.31.0"
+    - "7.1.29"
   workflows:
     - name: ci-build.yml
       stepCustomizations:
@@ -23,5 +23,3 @@ build:
             run: echo "$GC_KEY" > google-key.json
             env:
               GC_KEY: ${{ secrets.GC_KEY }}
-excludes:
-  - "E-PK-CORE-17: Missing required file: 'release_config.yml'"

.vscode/settings.json

@@ -13,7 +13,7 @@
         "vmArgs": [
             "-Djava.util.logging.config.file=src/test/resources/logging.properties",
             "-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl",
-            "-Dcom.exasol.dockerdb.image=8.27.0"
+            "-Dcom.exasol.dockerdb.image=8.31.0"
         ]
     },
     "sonarlint.connectedMode.project": {

doc/changes/changes_2.1.2.md

@@ -0,0 +1,44 @@
+# Virtual Schema for Document Data in Files on Google Cloud Storage 2.1.2, released 2024-09-24
+
+Code name: Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.25.3:compile
+
+## Summary
+
+This release fixes the following vulnerability:
+
+### CVE-2024-7254 (CWE-20) in dependency `com.google.protobuf:protobuf-java:jar:3.25.3:compile`
+Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-7254?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7254
+* https://github.com/advisories/GHSA-735f-pc8j-v9w8
+
+## Security
+
+* #63: Fixed vulnerability CVE-2024-7254 in dependency `com.google.protobuf:protobuf-java:jar:3.25.3:compile`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:virtual-schema-common-document-files:8.1.2` to `8.1.3`
+* Updated `com.google.cloud:google-cloud-storage:2.40.1` to `2.43.0`
+
+### Runtime Dependency Updates
+
+* Added `com.google.protobuf:protobuf-java:3.25.5`
+
+### Test Dependency Updates
+
+* Added `com.exasol:bucketfs-java:3.2.0`
+* Added `com.exasol:exasol-testcontainers:7.1.1`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.5` to `1.7.0`
+* Updated `com.exasol:virtual-schema-common-document-files:8.1.2` to `8.1.3`
+* Added `io.aiven:testcontainers-fake-gcs-server:0.2.0`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.16.1` to `3.16.2`
+* Updated `org.hamcrest:hamcrest:2.2` to `3.0`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.10.3` to `5.11.0`
+* Updated `org.mockito:mockito-core:5.12.0` to `5.13.0`
+* Updated `org.slf4j:slf4j-jdk14:2.0.13` to `2.0.16`
+* Updated `org.testcontainers:junit-jupiter:1.20.0` to `1.20.1`
+* Updated `org.testcontainers:localstack:1.20.0` to `1.20.1`

doc/user_guide/user_guide.md

@@ -17,7 +17,7 @@ Next create the Adapter Script:
  ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.GOOGLE_CLOUD_STORAGE_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-8.1.2-google-cloud-storage-2.1.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-8.1.3-google-cloud-storage-2.1.2.jar;
 /
 ```
 
@@ -30,7 +30,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_GOOGLE_CLOUD_STORAGE_DOCUM
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-8.1.2-google-cloud-storage-2.1.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-8.1.3-google-cloud-storage-2.1.2.jar;
 /
 ```