35 changes: 35 additions & 0 deletions .github/actions/maven-owasp-scan/action.yml
@@ -0,0 +1,35 @@
name: 'Maven OWASP Dependency Check Scan'
description: 'Runs OWASP dependency check Maven scan with consistent settings'
inputs:
working-directory:
description: 'Working directory for Maven command'
required: false
default: '.'
owasp-version:
description: 'OWASP dependency check plugin version'
required: false
default: '12.1.3'
data-directory:
description: 'OWASP data directory path'
required: false
default: '$HOME/.owasp/dependency-check-data'
runs:
using: 'composite'
steps:
- name: Run OWASP dependency check
working-directory: ${{ inputs.working-directory }}
shell: bash
run: |
mvn org.owasp:dependency-check-maven:${{ inputs.owasp-version }}:aggregate \
-DskipTests \
-Dformat=JSON \
-DprettyPrint=true \
-DfailOnError=false \
-DossindexAnalyzerEnabled=true \
-DnvdApiAnalyzerEnabled=false \
-DnodeAnalyzerEnabled=false \
-DassemblyAnalyzerEnabled=false \
-DcentralAnalyzerEnabled=false \
-DnuspecAnalyzerEnabled=false \
-DnvdValidForHours=168 \
-DdataDirectory=${{ inputs.data-directory }}
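Review bot: `-DfailOnError=false` on the mvn invocation makes the downstream gate fail open: if the OSS Index analyzer errors out (it is the only vulnerability data source left enabled here, since `-DnvdApiAnalyzerEnabled=false` and `-DcentralAnalyzerEnabled=false` switch the others off), the plugin still writes a report that simply contains fewer findings, and a caller diffing base against PR will read that as "no new CVEs". Prefer `-DfailOnError=true` so an analyzer failure fails the scan step instead of silently shrinking the report; `-DnvdValidForHours=168` is also inert while the NVD analyzer is disabled and could be dropped to avoid suggesting the NVD feed is in use. The inputs are spliced straight into the shell via `${{ inputs.owasp-version }}` and `${{ inputs.data-directory }}`; mapping them through `env:` and referencing `"$OWASP_VERSION"` / `"$DATA_DIRECTORY"` keeps the script free of expression injection should this action ever be invoked with caller-controlled values.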
152 changes: 152 additions & 0 deletions .github/workflows/owasp-dependency-check.yml
@@ -0,0 +1,152 @@
name: Maven OWASP Dependency Check
permissions:
contents: read
on:
pull_request:
workflow_dispatch:
inputs:
cvss-threshold:
description: 'CVSS score threshold for failing (7.0 = high/critical)'
required: false
default: '7.0'
type: string

jobs:
dependency-check:
runs-on: ubuntu-latest
env:
CVSS_THRESHOLD: ${{ github.event.inputs.cvss-threshold || '7.0' }}
OWASP_VERSION: '12.1.3'
steps:
# Checkout PR branch first to get access to the composite action
- name: Checkout PR branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Checkout base branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.base.sha }}
path: base

- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
cache: 'maven'

- name: Get date for cache key
id: get-date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Restore OWASP database cache
uses: actions/cache/restore@v4
id: cache-owasp-restore
with:
path: ~/.owasp/dependency-check-data
key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
restore-keys: |
owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-
owasp-cache-${{ runner.os }}-

- name: Run OWASP check on base branch
uses: ./.github/actions/maven-owasp-scan
with:
working-directory: base
owasp-version: ${{ env.OWASP_VERSION }}
data-directory: $HOME/.owasp/dependency-check-data

- name: Save OWASP cache after base scan
if: steps.cache-owasp-restore.outputs.cache-hit != 'true'
uses: actions/cache/save@v4
with:
path: ~/.owasp/dependency-check-data
key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}-partial

- name: Run OWASP check on PR branch
uses: ./.github/actions/maven-owasp-scan
with:
working-directory: .
owasp-version: ${{ env.OWASP_VERSION }}
data-directory: $HOME/.owasp/dependency-check-data

- name: Compare and fail on new CVEs above threshold
run: |
# Extract CVEs above threshold from both branches (CVSS >= $CVSS_THRESHOLD)
threshold="${{ env.CVSS_THRESHOLD }}"

# Validate report files exist
if [ ! -f base/target/dependency-check-report.json ]; then
echo "❌ Missing base report: base/target/dependency-check-report.json"
exit 1
fi
if [ ! -f target/dependency-check-report.json ]; then
echo "❌ Missing PR report: target/dependency-check-report.json"
exit 1
fi

# Validate report files are valid JSON
if ! jq empty base/target/dependency-check-report.json >/dev/null 2>&1; then
echo "❌ Malformed JSON in base/target/dependency-check-report.json"
exit 1
fi
if ! jq empty target/dependency-check-report.json >/dev/null 2>&1; then
echo "❌ Malformed JSON in target/dependency-check-report.json"
exit 1
fi

base_cves=$(jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" base/target/dependency-check-report.json | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
pr_cves=$(jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" target/dependency-check-report.json | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)

# Find new CVEs introduced in PR
new_cves=$(comm -13 <(echo "$base_cves") <(echo "$pr_cves"))

if [ -n "$new_cves" ]; then
echo "❌ New vulnerabilities with CVSS >= $threshold introduced in PR:"
echo "$new_cves"
echo ""

for cve in $new_cves; do
echo "=================================================="
echo "CVE: $cve"
echo "=================================================="

# Find which dependencies have this CVE
jq -r '
.dependencies[]
| select(.vulnerabilities[]?.name == "'"$cve"'")
| "Module: " + (.projectReferences // ["root"])[0]
+ "\nDependency: " + .fileName
+ "\nPackage: " + (if .packages and .packages[0] then .packages[0].id else "N/A" end)
+ "\nDescription: " + (
[.vulnerabilities[] | select(.name == "'"$cve"'") | .description]
| unique
| join("\nDescription: ")
)
' target/dependency-check-report.json

echo ""
done

exit 1
else
echo "✅ No new vulnerabilities introduced"
fi

- name: Save OWASP database cache
if: always()
uses: actions/cache/save@v4
with:
path: ~/.owasp/dependency-check-data
key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}

- name: Upload reports
if: always()
uses: actions/upload-artifact@v4
with:
name: owasp-reports
path: |
base/target/dependency-check-report.json
target/dependency-check-report.json
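Review bot: The threshold is spliced into the step script by expression (`threshold="${{ env.CVSS_THRESHOLD }}"`) and then unquoted into the jq filter string on the `base_cves`/`pr_cves` lines, so a dispatch input such as `1 or true` rewrites the selector rather than being compared as a number; `github.event.inputs.*` is the canonical script-injection sink even when only collaborators can trigger it. Read the value from the environment and hand it to jq as data: `[[ "$CVSS_THRESHOLD" =~ ^[0-9]+(\.[0-9]+)?$ ]] || { echo "❌ Invalid CVSS threshold: $CVSS_THRESHOLD"; exit 1; }` followed by `jq -r --argjson t "$CVSS_THRESHOLD" '.dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $t or (.cvssv3.baseScore // 0) >= $t) | .name'` for both reports. Separately, on `workflow_dispatch` the `github.event.pull_request.*.sha` refs are empty, so both checkouts appear to resolve to the same commit and the compare can only ever report no new findings; consider guarding the compare step with `if: github.event_name == 'pull_request'` or having the dispatch path fail on any CVE at or above the threshold. The `for cve in $new_cves` splice into the per-CVE jq program is fine as written, because the preceding grep restricts values to `CVE-NNNN-N…`.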
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -10,7 +10,7 @@

<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
<packaging>pom</packaging>

<name>presto-root</name>
2 changes: 1 addition & 1 deletion presto-accumulo/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-accumulo</artifactId>
2 changes: 1 addition & 1 deletion presto-analyzer/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-analyzer</artifactId>
2 changes: 1 addition & 1 deletion presto-atop/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-atop</artifactId>
2 changes: 1 addition & 1 deletion presto-base-arrow-flight/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-base-arrow-flight</artifactId>
2 changes: 1 addition & 1 deletion presto-base-jdbc/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-base-jdbc</artifactId>
2 changes: 1 addition & 1 deletion presto-benchmark-driver/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-benchmark-driver</artifactId>
2 changes: 1 addition & 1 deletion presto-benchmark-runner/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<artifactId>presto-root</artifactId>
<groupId>com.facebook.presto</groupId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-benchmark-runner</artifactId>
2 changes: 1 addition & 1 deletion presto-benchmark/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<artifactId>presto-root</artifactId>
<groupId>com.facebook.presto</groupId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-benchmark</artifactId>
2 changes: 1 addition & 1 deletion presto-benchto-benchmarks/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-benchto-benchmarks</artifactId>
2 changes: 1 addition & 1 deletion presto-bigquery/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-bigquery</artifactId>
2 changes: 1 addition & 1 deletion presto-blackhole/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-blackhole</artifactId>
2 changes: 1 addition & 1 deletion presto-built-in-worker-function-tools/pom.xml
Expand Up @@ -3,7 +3,7 @@
<parent>
<artifactId>presto-root</artifactId>
<groupId>com.facebook.presto</groupId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2 changes: 1 addition & 1 deletion presto-bytecode/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-bytecode</artifactId>
2 changes: 1 addition & 1 deletion presto-cache/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-cache</artifactId>
2 changes: 1 addition & 1 deletion presto-cassandra/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-cassandra</artifactId>
2 changes: 1 addition & 1 deletion presto-cli/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-cli</artifactId>
2 changes: 1 addition & 1 deletion presto-clickhouse/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<artifactId>presto-root</artifactId>
<groupId>com.facebook.presto</groupId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-clickhouse</artifactId>
2 changes: 1 addition & 1 deletion presto-client/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-client</artifactId>
2 changes: 1 addition & 1 deletion presto-cluster-ttl-providers/pom.xml
Expand Up @@ -3,7 +3,7 @@
<parent>
<artifactId>presto-root</artifactId>
<groupId>com.facebook.presto</groupId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2 changes: 1 addition & 1 deletion presto-common/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-common</artifactId>
2 changes: 1 addition & 1 deletion presto-db-session-property-manager/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-db-session-property-manager</artifactId>
2 changes: 1 addition & 1 deletion presto-delta/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>com.facebook.presto</groupId>
<artifactId>presto-root</artifactId>
<version>0.295-SNAPSHOT</version>
<version>0.296-SNAPSHOT</version>
</parent>

<artifactId>presto-delta</artifactId>