Skip to content

Releases: exasol/exasol-virtual-schema-lua

0.5.6 Fixes for vulnerabilities CVE-2024-55551 and CVE-2025-48924

Choose a tag to compare

@github-actions github-actions released this 28 Aug 09:56
0afb382

This release fixes the following vulnerabilities:

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

CVE-2024-55551 (CWE-94) in dependency com.exasol:exasol-jdbc:jar:25.2.2:test

An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability.

CVE: CVE-2024-55551
CWE: CWE-94

References

Security

  • #64: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.16.0:test
  • #59: Fixed vulnerability CVE-2024-55551 in dependency com.exasol:exasol-jdbc:jar:25.2.2:test

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.1.3 to 7.1.7

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:5.0.0 to 5.2.3
  • Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
  • Removed io.github.zlika:reproducible-build-maven-plugin:0.17
  • Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.2 to 3.5.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
  • Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751

0.5.5 Vulnerability Reporting Policy

Choose a tag to compare

@github-actions github-actions released this 27 Mar 12:43
dd2fb3a

In this release we added a security policy that describes how to report vulnerabilities. We also updated dependencies.

We switched the installation method of Luarocks from the GitHub action leafo/gh-actions-luarocks to using apt-get.

Documentation

  • Added security policy (PR #58)

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-jdbc:7.1.20 to 25.2.2
  • Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.3
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Updated com.exasol:maven-project-version-getter:1.2.0 to 1.2.1
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Updated org.junit.jupiter:junit-jupiter-api:5.10.2 to 5.12.0
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.2 to 5.12.0
  • Updated org.slf4j:slf4j-jdk14:2.0.12 to 2.0.17
  • Updated org.testcontainers:junit-jupiter:1.19.7 to 1.20.6

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 5.0.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:3.2.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.14.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.2
  • Updated org.apache.maven.plugins:maven-install-plugin:3.1.2 to 3.1.4
  • Updated org.apache.maven.plugins:maven-site-plugin:3.12.1 to 3.21.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.2
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.18.0
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.8.0 to 2.3.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 5.0.0.4389

0.5.4: Fix CVE-2024-25710, CVE-2024-26308 in test dependencies

Choose a tag to compare

@redcatbear redcatbear released this 12 Mar 10:06
08926aa

Summary

In this security release we fixed CVE-2024-25710 and CVE-2024-26308 by updating test dependencies that contained the vulnerable org.apache.commons:commons-compress 1.24.0.

Features

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.3 to 7.0.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.2 to 1.6.5
  • Updated com.exasol:test-db-builder-java:3.5.2 to 3.5.4
  • Updated org.junit.jupiter:junit-jupiter-api:5.10.1 to 5.10.2
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.1 to 5.10.2
  • Updated org.slf4j:slf4j-jdk14:2.0.9 to 2.0.12
  • Updated org.testcontainers:junit-jupiter:1.19.2 to 1.19.7

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.16 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.6.2 to 1.8.0

0.5.3: Fix CVE-2023-4043 in test dependency `org.eclipse.parsson:parsson`

Choose a tag to compare

@kaklakariada kaklakariada released this 20 Nov 15:33
1d3e5fe

Summary

This release fixes vulnerability CVE-2023-4043 in test dependency org.eclipse.parsson:parsson.

Security

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.2 to 6.6.3
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.2
  • Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.2
  • Updated org.junit.jupiter:junit-jupiter-api:5.10.0 to 5.10.1
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.0 to 5.10.1
  • Updated org.testcontainers:junit-jupiter:1.19.1 to 1.19.2

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 2.9.16
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
  • Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

0.5.2: Fix CVE-2023-42503 in test dependency

Choose a tag to compare

@redcatbear redcatbear released this 23 Oct 13:59
71b496b

In this release we replaced a testing dependency that was vulnerable to CVE-2023-42503. Production code was not affected.

We also changed the namespace for the virtual schema adapter in the code from exasolvs to exasol.evsl for uniformity across projects. This has no impact on the function of the virtual schema.

Features

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.1 to 6.6.2
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
  • Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
  • Updated org.junit.jupiter:junit-jupiter-api:5.9.3 to 5.10.0
  • Updated org.junit.jupiter:junit-jupiter-params:5.9.3 to 5.10.0
  • Updated org.slf4j:slf4j-jdk14:2.0.7 to 2.0.9
  • Updated org.testcontainers:junit-jupiter:1.18.3 to 1.19.1

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.9 to 2.9.12
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0

0.5.1: Fix Issue With Integer Constants in `GROUP BY`

Choose a tag to compare

@kaklakariada kaklakariada released this 14 Jul 08:57
ddd2760

Summary

This release fixes an issue with queries using DISTINCT with integer constants. The Exasol SQL processor turns DISTINCT <integer> into GROUP BY <integer> before push-down as an optimization. The adapter must not feed this back as Exasol interprets integers in GROUP BY clauses as column numbers which could lead to invalid results or the following error:

42000:Wrong column number. Too small value 0 as select list column reference in GROUP BY (smallest possible value is 1)

To fix this, Exasol VS now replaces integer constants in GROUP BY clauses with a constant string.

Please that you can still safely use GROUP BY <column-number> in your original query, since Exasol internally converts this to GROUP BY "<column-name>", so that the virtual schema adapter can tell both situations apart.

The release also adds integration tests using Exasol v8 to the CI build.

We also extracted the common parts of EVSL and RLSL to base libraries for a unified code base.

Bugfixes

  • #42: Fixed issue with integer constants in GROUP BY

Refactoring

  • #31: Added integration tests using Exasol v8 to CI build
  • #38: Based on EVSCL

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-jdbc:7.1.19 to 7.1.20
  • Updated com.exasol:exasol-testcontainers:6.5.2 to 6.6.1
  • Updated org.junit.jupiter:junit-jupiter-api:5.9.2 to 5.9.3
  • Updated org.junit.jupiter:junit-jupiter-params:5.9.2 to 5.9.3
  • Updated org.testcontainers:junit-jupiter:1.18.0 to 1.18.3

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.2.2 to 1.3.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.7 to 2.9.9
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0 to 3.1.2
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0 to 3.1.2
  • Updated org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 to 2.0.1
  • Updated org.codehaus.mojo:build-helper-maven-plugin:3.3.0 to 3.4.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.4.1 to 1.5.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.15.0 to 2.16.0
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.6.1 to 1.6.2
  • Updated org.jacoco:jacoco-maven-plugin:0.8.9 to 0.8.10

0.5.0: Partial TLS Support (without certificate validation)

Choose a tag to compare

@redcatbear redcatbear released this 21 Apr 07:15
9c6f9c1

Summary

With version 0.5.0 the connection between the Virtual Schema Adapter and the remote Exasol uses TLS for encrypting the communication.

Note however, that this feature is not complete yet. It lacks validation of the peer certificate. The reason is that Lua does not yet have access to the certificate store, so the feature requires a change in the Exasol database. Once certificate validation is available, the EVSL will reach version 1.0.0.

What does this mean for users? They can test connecting the Exasol Virtual Schema to a remote Exasol server with an encrypted connection. The connection cannot be treated as secure though, because validating the peer certificate is a required step in establishing trust between the VS and the remote server. Without this attackers can pretend to be an Exasol server or run a man-in-the-middle attack.

If you need an actually secure connection you will unfortunately have to wait until version 1.0.0.

Features

  • #23: Added TLS Support

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-jdbc:7.1.17 to 7.1.19
  • Updated com.exasol:exasol-testcontainers:6.5.1 to 6.5.2
  • Updated com.exasol:hamcrest-resultset-matcher:1.5.2 to 1.6.0
  • Updated org.slf4j:slf4j-jdk14:2.0.6 to 2.0.7
  • Updated org.testcontainers:junit-jupiter:1.17.6 to 1.18.0

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.3 to 2.9.7
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.10.1 to 3.11.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.1.0 to 3.3.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8 to 3.0.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8 to 3.0.0
  • Added org.basepom.maven:duplicate-finder-maven-plugin:1.5.1
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.3.0 to 1.4.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.14.2 to 2.15.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.8 to 0.8.9

0.4.0: Remote EVSL (without TLS)

Choose a tag to compare

@redcatbear redcatbear released this 24 Mar 09:01
175f264

Summary

In this release we added support for connecting to a remote Exasol database. Note that you cannot use remote Exasol VS yet, since the libraries required are not yet available in production release of the Exasol database. That means while the feature is generally available, it only works with very recent development builds of Exasol. We will update the EVSL release once an Exasol version with the required libraries becomes available.

Features

  • #20: Added remote metadata reading

Dependency Updates

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.2.0 to 1.2.2

0.3.0: `IS [NOT] JSON` and `LISTAGG` support

Choose a tag to compare

@redcatbear redcatbear released this 01 Feb 13:07
73656f5

Summary

We added support for the IS [NOT] JSON predicate and the LISTAGG aggregate function.

We also added a test that evaluates the performance overhead of running queries directly against Exasol and via the Virtual Schema.

Additionally, we improved tests that ensure the package, module and rockspec all have the correct version numbers.

Bufixes

  • #8: Added missing test for performance overhead
  • #18: Added IS [NOT] JSON predicate
  • #24: Added LISTAGG aggregate function

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-jdbc:7.1.11 to 7.1.17
  • Updated com.exasol:exasol-testcontainers:6.2.0 to 6.5.1
  • Updated com.exasol:test-db-builder-java:3.3.4 to 3.4.2
  • Updated org.junit.jupiter:junit-jupiter-api:5.9.1 to 5.9.2
  • Updated org.junit.jupiter:junit-jupiter-params:5.9.1 to 5.9.2
  • Updated org.slf4j:slf4j-jdk14:2.0.3 to 2.0.6
  • Updated org.testcontainers:junit-jupiter:1.17.3 to 1.17.6

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.8.0 to 2.9.3
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.15 to 0.16
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M5 to 3.0.0-M8
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5 to 3.0.0-M8
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.2.7 to 1.3.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.10.0 to 2.14.2

0.2.0: Join support

Choose a tag to compare

@redcatbear redcatbear released this 28 Sep 13:39
bfb7bb0

Summary

In version 0.2.0 of the Exasol Virtual Schema for Lua we activated support for JOINs.

We also updated the dependencies.

Features

  • #13: Join support
  • #16: Support of all predicates (except JSON predicates)

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.1.2 to 6.2.0
  • Updated com.exasol:hamcrest-resultset-matcher:1.5.1 to 1.5.2
  • Updated com.exasol:maven-project-version-getter:1.1.0 to 1.2.0
  • Updated com.exasol:test-db-builder-java:3.3.3 to 3.3.4
  • Added org.junit.jupiter:junit-jupiter-api:5.9.1
  • Removed org.junit.jupiter:junit-jupiter-engine:5.8.2
  • Updated org.junit.jupiter:junit-jupiter-params:5.8.2 to 5.9.1
  • Updated org.slf4j:slf4j-jdk14:1.7.36 to 2.0.3

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.1.1 to 1.2.0
  • Updated com.exasol:project-keeper-maven-plugin:2.4.6 to 2.8.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 to 3.1.0
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.2.2 to 3.3.0
  • Updated org.codehaus.mojo:exec-maven-plugin:3.0.0 to 3.1.0
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.5.0 to 1.6.1