Releases: exasol/exasol-virtual-schema-lua
Release list
0.5.6 Fixes for vulnerabilities CVE-2024-55551 and CVE-2025-48924
This release fixes the following vulnerabilities:
CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
CVE: CVE-2025-48924
CWE: CWE-674
References
- https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
- GHSA-j288-q9x7-2f5v
CVE-2024-55551 (CWE-94) in dependency com.exasol:exasol-jdbc:jar:25.2.2:test
An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability.
CVE: CVE-2024-55551
CWE: CWE-94
References
- https://ossindex.sonatype.org/vulnerability/CVE-2024-55551?component-type=maven&component-name=com.exasol%2Fexasol-jdbc&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-55551
- https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f
Security
- #64: Fixed vulnerability CVE-2025-48924 in dependency
org.apache.commons:commons-lang3:jar:3.16.0:test - #59: Fixed vulnerability CVE-2024-55551 in dependency
com.exasol:exasol-jdbc:jar:25.2.2:test
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-testcontainers:7.1.3to7.1.7
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:5.0.0to5.2.3 - Added
io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1 - Removed
io.github.zlika:reproducible-build-maven-plugin:0.17 - Added
org.apache.maven.plugins:maven-artifact-plugin:3.6.0 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.5.2to3.5.3 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.5.2to3.5.3 - Updated
org.jacoco:jacoco-maven-plugin:0.8.12to0.8.13 - Updated
org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389to5.1.0.4751
0.5.5 Vulnerability Reporting Policy
In this release we added a security policy that describes how to report vulnerabilities. We also updated dependencies.
We switched the installation method of Luarocks from the GitHub action leafo/gh-actions-luarocks to using apt-get.
Documentation
- Added security policy (PR #58)
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-jdbc:7.1.20to25.2.2 - Updated
com.exasol:exasol-testcontainers:7.0.1to7.1.3 - Updated
com.exasol:hamcrest-resultset-matcher:1.6.5to1.7.0 - Updated
com.exasol:maven-project-version-getter:1.2.0to1.2.1 - Updated
com.exasol:test-db-builder-java:3.5.4to3.6.0 - Updated
org.hamcrest:hamcrest:2.2to3.0 - Updated
org.junit.jupiter:junit-jupiter-api:5.10.2to5.12.0 - Updated
org.junit.jupiter:junit-jupiter-params:5.10.2to5.12.0 - Updated
org.slf4j:slf4j-jdk14:2.0.12to2.0.17 - Updated
org.testcontainers:junit-jupiter:1.19.7to1.20.6
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:4.1.0to5.0.0 - Added
com.exasol:quality-summarizer-maven-plugin:0.2.0 - Updated
io.github.zlika:reproducible-build-maven-plugin:0.16to0.17 - Updated
org.apache.maven.plugins:maven-clean-plugin:3.2.0to3.4.1 - Updated
org.apache.maven.plugins:maven-compiler-plugin:3.12.1to3.14.0 - Updated
org.apache.maven.plugins:maven-enforcer-plugin:3.4.1to3.5.0 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.2.5to3.5.2 - Updated
org.apache.maven.plugins:maven-install-plugin:3.1.2to3.1.4 - Updated
org.apache.maven.plugins:maven-site-plugin:3.12.1to3.21.0 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.2.5to3.5.2 - Updated
org.apache.maven.plugins:maven-toolchains-plugin:3.1.0to3.2.0 - Updated
org.codehaus.mojo:flatten-maven-plugin:1.6.0to1.7.0 - Updated
org.codehaus.mojo:versions-maven-plugin:2.16.2to2.18.0 - Updated
org.itsallcode:openfasttrace-maven-plugin:1.8.0to2.3.0 - Updated
org.jacoco:jacoco-maven-plugin:0.8.11to0.8.12 - Updated
org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594to5.0.0.4389
0.5.4: Fix CVE-2024-25710, CVE-2024-26308 in test dependencies
Summary
In this security release we fixed CVE-2024-25710 and CVE-2024-26308 by updating test dependencies that contained the vulnerable org.apache.commons:commons-compress 1.24.0.
Features
- 50: Fixed CVE-2024-25710 in test dependency
- 51: Fixed CVE-2024-26308 in test dependency
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-testcontainers:6.6.3to7.0.1 - Updated
com.exasol:hamcrest-resultset-matcher:1.6.2to1.6.5 - Updated
com.exasol:test-db-builder-java:3.5.2to3.5.4 - Updated
org.junit.jupiter:junit-jupiter-api:5.10.1to5.10.2 - Updated
org.junit.jupiter:junit-jupiter-params:5.10.1to5.10.2 - Updated
org.slf4j:slf4j-jdk14:2.0.9to2.0.12 - Updated
org.testcontainers:junit-jupiter:1.19.2to1.19.7
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:2.9.16to4.1.0 - Updated
org.apache.maven.plugins:maven-compiler-plugin:3.11.0to3.12.1 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.2.2to3.2.5 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.2.2to3.2.5 - Added
org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 - Updated
org.codehaus.mojo:flatten-maven-plugin:1.5.0to1.6.0 - Updated
org.codehaus.mojo:versions-maven-plugin:2.16.1to2.16.2 - Updated
org.itsallcode:openfasttrace-maven-plugin:1.6.2to1.8.0
0.5.3: Fix CVE-2023-4043 in test dependency `org.eclipse.parsson:parsson`
Summary
This release fixes vulnerability CVE-2023-4043 in test dependency org.eclipse.parsson:parsson.
Security
- #48: Fixed CVE-2023-4043 in test dependency
org.eclipse.parsson:parsson
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-testcontainers:6.6.2to6.6.3 - Updated
com.exasol:hamcrest-resultset-matcher:1.6.1to1.6.2 - Updated
com.exasol:test-db-builder-java:3.5.1to3.5.2 - Updated
org.junit.jupiter:junit-jupiter-api:5.10.0to5.10.1 - Updated
org.junit.jupiter:junit-jupiter-params:5.10.0to5.10.1 - Updated
org.testcontainers:junit-jupiter:1.19.1to1.19.2
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:2.9.12to2.9.16 - Updated
org.apache.maven.plugins:maven-enforcer-plugin:3.4.0to3.4.1 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.1.2to3.2.2 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.1.2to3.2.2 - Updated
org.codehaus.mojo:versions-maven-plugin:2.16.0to2.16.1 - Updated
org.jacoco:jacoco-maven-plugin:0.8.10to0.8.11 - Updated
org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184to3.10.0.2594
0.5.2: Fix CVE-2023-42503 in test dependency
In this release we replaced a testing dependency that was vulnerable to CVE-2023-42503. Production code was not affected.
We also changed the namespace for the virtual schema adapter in the code from exasolvs to exasol.evsl for uniformity across projects. This has no impact on the function of the virtual schema.
Features
- #38: Changed namespace
exasolvstoexasol.evsl - #45: Fixed CVE-2023-42503 in test dependency
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-testcontainers:6.6.1to6.6.2 - Updated
com.exasol:hamcrest-resultset-matcher:1.6.0to1.6.1 - Updated
com.exasol:test-db-builder-java:3.4.2to3.5.1 - Updated
org.junit.jupiter:junit-jupiter-api:5.9.3to5.10.0 - Updated
org.junit.jupiter:junit-jupiter-params:5.9.3to5.10.0 - Updated
org.slf4j:slf4j-jdk14:2.0.7to2.0.9 - Updated
org.testcontainers:junit-jupiter:1.18.3to1.19.1
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:2.9.9to2.9.12 - Updated
org.apache.maven.plugins:maven-enforcer-plugin:3.3.0to3.4.0
0.5.1: Fix Issue With Integer Constants in `GROUP BY`
Summary
This release fixes an issue with queries using DISTINCT with integer constants. The Exasol SQL processor turns DISTINCT <integer> into GROUP BY <integer> before push-down as an optimization. The adapter must not feed this back as Exasol interprets integers in GROUP BY clauses as column numbers which could lead to invalid results or the following error:
42000:Wrong column number. Too small value 0 as select list column reference in GROUP BY (smallest possible value is 1)
To fix this, Exasol VS now replaces integer constants in GROUP BY clauses with a constant string.
Please that you can still safely use GROUP BY <column-number> in your original query, since Exasol internally converts this to GROUP BY "<column-name>", so that the virtual schema adapter can tell both situations apart.
The release also adds integration tests using Exasol v8 to the CI build.
We also extracted the common parts of EVSL and RLSL to base libraries for a unified code base.
Bugfixes
- #42: Fixed issue with integer constants in
GROUP BY
Refactoring
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-jdbc:7.1.19to7.1.20 - Updated
com.exasol:exasol-testcontainers:6.5.2to6.6.1 - Updated
org.junit.jupiter:junit-jupiter-api:5.9.2to5.9.3 - Updated
org.junit.jupiter:junit-jupiter-params:5.9.2to5.9.3 - Updated
org.testcontainers:junit-jupiter:1.18.0to1.18.3
Plugin Dependency Updates
- Updated
com.exasol:error-code-crawler-maven-plugin:1.2.2to1.3.0 - Updated
com.exasol:project-keeper-maven-plugin:2.9.7to2.9.9 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.0.0to3.1.2 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.0.0to3.1.2 - Updated
org.basepom.maven:duplicate-finder-maven-plugin:1.5.1to2.0.1 - Updated
org.codehaus.mojo:build-helper-maven-plugin:3.3.0to3.4.0 - Updated
org.codehaus.mojo:flatten-maven-plugin:1.4.1to1.5.0 - Updated
org.codehaus.mojo:versions-maven-plugin:2.15.0to2.16.0 - Updated
org.itsallcode:openfasttrace-maven-plugin:1.6.1to1.6.2 - Updated
org.jacoco:jacoco-maven-plugin:0.8.9to0.8.10
0.5.0: Partial TLS Support (without certificate validation)
Summary
With version 0.5.0 the connection between the Virtual Schema Adapter and the remote Exasol uses TLS for encrypting the communication.
Note however, that this feature is not complete yet. It lacks validation of the peer certificate. The reason is that Lua does not yet have access to the certificate store, so the feature requires a change in the Exasol database. Once certificate validation is available, the EVSL will reach version 1.0.0.
What does this mean for users? They can test connecting the Exasol Virtual Schema to a remote Exasol server with an encrypted connection. The connection cannot be treated as secure though, because validating the peer certificate is a required step in establishing trust between the VS and the remote server. Without this attackers can pretend to be an Exasol server or run a man-in-the-middle attack.
If you need an actually secure connection you will unfortunately have to wait until version 1.0.0.
Features
- #23: Added TLS Support
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-jdbc:7.1.17to7.1.19 - Updated
com.exasol:exasol-testcontainers:6.5.1to6.5.2 - Updated
com.exasol:hamcrest-resultset-matcher:1.5.2to1.6.0 - Updated
org.slf4j:slf4j-jdk14:2.0.6to2.0.7 - Updated
org.testcontainers:junit-jupiter:1.17.6to1.18.0
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:2.9.3to2.9.7 - Updated
org.apache.maven.plugins:maven-compiler-plugin:3.10.1to3.11.0 - Updated
org.apache.maven.plugins:maven-enforcer-plugin:3.1.0to3.3.0 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8to3.0.0 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8to3.0.0 - Added
org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 - Updated
org.codehaus.mojo:flatten-maven-plugin:1.3.0to1.4.1 - Updated
org.codehaus.mojo:versions-maven-plugin:2.14.2to2.15.0 - Updated
org.jacoco:jacoco-maven-plugin:0.8.8to0.8.9
0.4.0: Remote EVSL (without TLS)
Summary
In this release we added support for connecting to a remote Exasol database. Note that you cannot use remote Exasol VS yet, since the libraries required are not yet available in production release of the Exasol database. That means while the feature is generally available, it only works with very recent development builds of Exasol. We will update the EVSL release once an Exasol version with the required libraries becomes available.
Features
- #20: Added remote metadata reading
Dependency Updates
Plugin Dependency Updates
- Updated
com.exasol:error-code-crawler-maven-plugin:1.2.0to1.2.2
0.3.0: `IS [NOT] JSON` and `LISTAGG` support
Summary
We added support for the IS [NOT] JSON predicate and the LISTAGG aggregate function.
We also added a test that evaluates the performance overhead of running queries directly against Exasol and via the Virtual Schema.
Additionally, we improved tests that ensure the package, module and rockspec all have the correct version numbers.
Bufixes
- #8: Added missing test for performance overhead
- #18: Added
IS [NOT] JSONpredicate - #24: Added
LISTAGGaggregate function
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-jdbc:7.1.11to7.1.17 - Updated
com.exasol:exasol-testcontainers:6.2.0to6.5.1 - Updated
com.exasol:test-db-builder-java:3.3.4to3.4.2 - Updated
org.junit.jupiter:junit-jupiter-api:5.9.1to5.9.2 - Updated
org.junit.jupiter:junit-jupiter-params:5.9.1to5.9.2 - Updated
org.slf4j:slf4j-jdk14:2.0.3to2.0.6 - Updated
org.testcontainers:junit-jupiter:1.17.3to1.17.6
Plugin Dependency Updates
- Updated
com.exasol:project-keeper-maven-plugin:2.8.0to2.9.3 - Updated
io.github.zlika:reproducible-build-maven-plugin:0.15to0.16 - Updated
org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M5to3.0.0-M8 - Updated
org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5to3.0.0-M8 - Updated
org.codehaus.mojo:flatten-maven-plugin:1.2.7to1.3.0 - Updated
org.codehaus.mojo:versions-maven-plugin:2.10.0to2.14.2
0.2.0: Join support
Summary
In version 0.2.0 of the Exasol Virtual Schema for Lua we activated support for JOINs.
We also updated the dependencies.
Features
Dependency Updates
Test Dependency Updates
- Updated
com.exasol:exasol-testcontainers:6.1.2to6.2.0 - Updated
com.exasol:hamcrest-resultset-matcher:1.5.1to1.5.2 - Updated
com.exasol:maven-project-version-getter:1.1.0to1.2.0 - Updated
com.exasol:test-db-builder-java:3.3.3to3.3.4 - Added
org.junit.jupiter:junit-jupiter-api:5.9.1 - Removed
org.junit.jupiter:junit-jupiter-engine:5.8.2 - Updated
org.junit.jupiter:junit-jupiter-params:5.8.2to5.9.1 - Updated
org.slf4j:slf4j-jdk14:1.7.36to2.0.3
Plugin Dependency Updates
- Updated
com.exasol:error-code-crawler-maven-plugin:1.1.1to1.2.0 - Updated
com.exasol:project-keeper-maven-plugin:2.4.6to2.8.0 - Updated
org.apache.maven.plugins:maven-enforcer-plugin:3.0.0to3.1.0 - Updated
org.apache.maven.plugins:maven-jar-plugin:3.2.2to3.3.0 - Updated
org.codehaus.mojo:exec-maven-plugin:3.0.0to3.1.0 - Updated
org.itsallcode:openfasttrace-maven-plugin:1.5.0to1.6.1