exasol / bucketfs-document-files-virtual-schema
Virtual Schema that allows you to access document files stored in BucketFS like any regular Exasol table.
License: MIT License
We introduce nanosecond precision in virtual-schema-common-document.
This needs to be propagated to BucketFS Document Virtual Schema by updating the dependency.
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 11 vulnerable components:
Error: com.squareup.okhttp:okhttp:jar:2.7.5:compile; https://ossindex.sonatype.org/component/pkg:maven/com.squareup.okhttp/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2021-0341] CWE-295: Improper Certificate Validation (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp%2Fokhttp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (5.9); https://ossindex.sonatype.org/vulnerability/sonatype-2018-0035
Error: com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2020-36518] CWE-787: Out-of-bounds Write (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682
Error: io.netty:netty-common:jar:4.1.72.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-24823] CWE-378: Creation of Temporary File With Insecure Permissions (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-24823?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: org.apache.hadoop:hadoop-common:jar:3.3.1:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-26612] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2022-26612?component-type=maven&component-name=org.apache.hadoop%2Fhadoop-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: com.google.guava:guava:jar:31.0.1-jre:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (6.2); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926
Error: io.netty:netty-handler:jar:4.1.72.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (6.5); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0026
Error: org.apache.xmlrpc:xmlrpc-common:jar:3.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlrpc/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2016-5003] CWE-502: Deserialization of Untrusted Data (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2016-5003?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2016-5002] CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (7.8); https://ossindex.sonatype.org/vulnerability/CVE-2016-5002?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: com.google.protobuf:protobuf-java:jar:2.5.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2021-22569] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-22569?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: commons-codec:commons-codec:jar:1.11:compile; https://ossindex.sonatype.org/component/pkg:maven/commons-codec/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (5.3); https://ossindex.sonatype.org/vulnerability/sonatype-2012-0050
Error: org.apache.xmlrpc:xmlrpc-client:jar:3.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlrpc/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2016-5004] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2016-5004?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-client&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: com.google.code.gson:gson:jar:2.2.4:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694
See exasol/virtual-schema-common-document#155 for details
Upgrade dependencies to fix CVE-2022-21724 in the PostgreSQL JDBC driver.
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1, which fixes the issue.
CVE: CVE-2024-29131
CWE: CWE-787
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field; this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
CVE: CVE-2024-29025
CWE: CWE-770
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
CVE: CVE-2023-52428
CWE: CWE-400
Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 3 vulnerable components:
Additionally check whether the following vulnerability currently still needs to remain excluded:
- 1 vulnerability found (6.2); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926
Auto inference for CSV files was implemented in exasol/virtual-schema-common-document-files#131 and exasol/virtual-schema-common-document-files#130 / virtual-schema-common-document-files 7.3.0.
The property is no longer required.
So let's remove it from the documentation.
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
CVE: CVE-2024-26308
CWE: CWE-770
Bucketfs-document-files hasn't had a major document-files version bump yet. It seems the architectural design of common-document-files changed quite a bit since then and this 'dialect' version needs a rework/refactoring as well.
Rename error codes from BFSVS to VSBFS
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 3 vulnerable components:
Error: org.apache.commons:commons-compress:jar:1.22:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2023-42503] CWE-20: Improper Input Validation (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-42503?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: io.netty:netty-handler:jar:4.1.94.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2023-4586] CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: org.xerial.snappy:snappy-java:jar:1.1.10.1:compile; https://ossindex.sonatype.org/component/pkg:maven/org.xerial.snappy/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2023-43642] CWE-770: Allocation of Resources Without Limits or Throttling (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-43642?component-type=maven&component-name=org.xerial.snappy%2Fsnappy-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1, which fixes the issue.
CVE: CVE-2024-29133
CWE: CWE-787
Add tests with Exasol v8
Replace references to discontinued repo maven.exasol.com by maven central.
See log messages from build job Dependency Check:
Excluded vulnerabilities:
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 1 vulnerable components:
Error: org.apache.avro:avro:jar:1.7.7:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.avro/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2023-39410] CWE-502: Deserialization of Untrusted Data (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-39410?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
CVE: CVE-2024-25638
CWE: CWE-345
In versions before 1.0.0 you could specify a base path in the connection:
CREATE CONNECTION BUCKETFS_CONNECTION
TO '/bfsdefault/default/'
USER ''
IDENTIFIED BY '';
This configuration was lost in version 1.0.0, see #24. That's why we should allow configuring the base path again using the new connection parameter specification, e.g.
CREATE CONNECTION BUCKETFS_CONNECTION
TO '/bfsdefault/default/'
USER ''
IDENTIFIED BY '{"basePath": "/bfsdefault/default/"}';
See old description from the user guide:
The path you define in the CONNECTION is the base path for the file names you define in the mapping definition. The adapter will concatenate the base path and the path defined in the mapping definition. For security reasons you can however not navigate to directories outside of the base path (using ../).
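As an added example (not the project's own code), a hypothetical Java helper named BasePathResolver showing the check the old user guide describes: the base path from the CONNECTION is joined with the path from the mapping definition, and any result that would leave the base path (via ../ or an absolute mapping path) is rejected. The class and method names are assumptions for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not from the project): joins the connection's base path
 * with a mapping path and refuses results that escape the base path.
 */
public final class BasePathResolver {
    private final Path basePath;

    public BasePathResolver(final String basePath) {
        // Normalize so that "/bfsdefault/default/" and "/bfsdefault/default" compare equal.
        this.basePath = Paths.get(basePath).normalize().toAbsolutePath();
    }

    /**
     * Resolve a mapping path below the base path.
     *
     * normalize() collapses "." and ".." segments, so a path that climbs out of the
     * base directory no longer starts with it. Path.startsWith compares whole
     * components, so "/bfsdefault/default2" does not pass as a child of
     * "/bfsdefault/default". An absolute mapping path replaces the base path in
     * resolve() and is therefore rejected by the same check.
     */
    public Path resolve(final String mappingPath) {
        final Path resolved = this.basePath.resolve(mappingPath).normalize();
        if (!resolved.startsWith(this.basePath)) {
            throw new IllegalArgumentException(
                    "Mapping path '" + mappingPath + "' leaves the base path '" + this.basePath + "'");
        }
        return resolved;
    }

    public static void main(final String[] args) {
        final BasePathResolver resolver = new BasePathResolver("/bfsdefault/default/");
        // A plain relative path is accepted.
        System.out.println(resolver.resolve("data/books.json"));
        // A ".." that stays inside the base path is also accepted.
        System.out.println(resolver.resolve("data/../books.json"));
        // A path that climbs above the base path is rejected.
        try {
            resolver.resolve("../../etc/passwd");
        } catch (final IllegalArgumentException exception) {
            System.out.println("rejected: " + exception.getMessage());
        }
    }
}
```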
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
CVE: CVE-2024-36114
CWE: CWE-125
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CVE: CVE-2024-25710
CWE: CWE-835