22 commits
9b03dc9
Add dependency review workflow for pull requests
tdcmeehan Sep 18, 2025
affc3f5
Update dependency-review.yml
tdcmeehan Sep 18, 2025
ec0f1e0
Modify dependency review to limit failure scopes
tdcmeehan Sep 18, 2025
f64a298
Update dependency review workflow to check all scopes
tdcmeehan Sep 18, 2025
1dc52ac
Add Trivy PR security check workflow
tdcmeehan Sep 18, 2025
3f42f67
Add OWASP Dependency Check workflow for Maven
tdcmeehan Sep 18, 2025
6ecbe64
Refactor OWASP database caching in workflow
tdcmeehan Sep 18, 2025
abe9f52
Update data directory for OWASP dependency check
tdcmeehan Sep 18, 2025
ec0eed0
Refactor OWASP check workflow for better caching and reporting
tdcmeehan Sep 19, 2025
175de19
Upgrade OWASP dependency-check-maven version
tdcmeehan Sep 19, 2025
d51d1ca
Modify OWASP cache key to use date
tdcmeehan Sep 19, 2025
137c200
Update OWASP cache path and report paths
tdcmeehan Sep 19, 2025
16f43e4
Enhance OWASP check workflow with debug information
tdcmeehan Sep 19, 2025
2879553
Refactor debug messages and fix cache paths
tdcmeehan Sep 19, 2025
1f29a27
Refactor OWASP database caching in workflow
tdcmeehan Sep 19, 2025
4934420
Refactor OWASP check workflow and optimize caching
tdcmeehan Sep 19, 2025
41e4d20
Update CVE comparison to focus on high/critical CVEs
tdcmeehan Sep 19, 2025
b909b2c
Update Java version and improve CVE checks
tdcmeehan Sep 19, 2025
77eccef
Change dependency review action to fail on high severity
tdcmeehan Sep 22, 2025
bf63942
Update maven-owasp-check.yml
tdcmeehan Sep 22, 2025
581210d
Revert hudi
tdcmeehan Sep 18, 2025
4f8ebdb
df
tdcmeehan Sep 19, 2025
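--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,23 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+contents: read
+pull-requests: write
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- name: 'Checkout Repository'
+uses: actions/checkout@v4
+
+- name: 'Dependency Review'
+uses: actions/dependency-review-action@v4
+with:
+fail-on-severity: high
+fail-on-scopes: runtime, unknown, development
+comment-summary-in-pr: always
+show-openssf-scorecard: true
+retry-on-snapshot-warnings: true
+warn-only: false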
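Review bot: `uses: actions/checkout@v4` and `uses: actions/dependency-review-action@v4` reference mutable tags, so a moved tag changes what runs in a workflow whose whole purpose is supply-chain hygiene; pin each action to a full commit SHA and keep the tag as a trailing comment, `uses: actions/dependency-review-action@<full-commit-sha> # v4`. The same applies to every `uses:` line in maven-owasp-check.yml and trivy-pr-check.yml, where `aquasecurity/trivy-action@master` tracks a branch head rather than a release. `fail-on-scopes: runtime, unknown, development` also fails PRs on test-only dependency advisories; if that is intended it deserves a one-line comment, since I believe the action's default is `runtime` only and a reader will otherwise assume the wider scope is accidental.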
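--- a/.github/workflows/maven-owasp-check.yml
+++ b/.github/workflows/maven-owasp-check.yml
@@ -0,0 +1,138 @@
+name: Maven OWASP Dependency Check
+on:
+pull_request:
+workflow_dispatch:
+inputs:
+cvss-threshold:
+description: 'CVSS score threshold for failing (7.0 = high/critical)'
+required: false
+default: '7.0'
+type: string
+
+jobs:
+dependency-check:
+runs-on: ubuntu-latest
+env:
+CVSS_THRESHOLD: ${{ github.event.inputs.cvss-threshold || '7.0' }}
+OWASP_VERSION: '12.1.3'
+steps:
+- name: Checkout PR branch
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.sha }}
+path: pr
+
+- name: Checkout base branch
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.base.sha }}
+path: base
+
+- name: Set up Java
+uses: actions/setup-java@v4
+with:
+distribution: 'temurin'
+java-version: 17
+cache: 'maven'
+
+- name: Get date for cache key
+id: get-date
+run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+- name: Restore OWASP database cache
+uses: actions/cache/restore@v4
+id: cache-owasp-restore
+with:
+path: ~/.owasp/dependency-check-data
+key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+restore-keys: |
+owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-
+owasp-cache-${{ runner.os }}-
+
+- name: Run OWASP check on base branch
+working-directory: base
+run: |
+mvn org.owasp:dependency-check-maven:${{ env.OWASP_VERSION }}:aggregate \
+-DskipTests \
+-Dformat=JSON \
+-DprettyPrint=true \
+-DfailOnError=false \
+-DossindexAnalyzerEnabled=true \
+-DnvdApiAnalyzerEnabled=false \
+-DnodeAnalyzerEnabled=false \
+-DassemblyAnalyzerEnabled=false \
+-DcentralAnalyzerEnabled=false \
+-DnuspecAnalyzerEnabled=false \
+-DnvdValidForHours=168 \
+-DdataDirectory=$HOME/.owasp/dependency-check-data
+
+- name: Save OWASP cache after base scan
+if: steps.cache-owasp-restore.outputs.cache-hit != 'true'
+uses: actions/cache/save@v4
+with:
+path: ~/.owasp/dependency-check-data
+key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}-partial
+
+- name: Run OWASP check on PR branch
+working-directory: pr
+run: |
+mvn org.owasp:dependency-check-maven:${{ env.OWASP_VERSION }}:aggregate \
+-DskipTests \
+-Dformat=JSON \
+-DprettyPrint=true \
+-DfailOnError=false \
+-DossindexAnalyzerEnabled=true \
+-DnvdApiAnalyzerEnabled=false \
+-DnodeAnalyzerEnabled=false \
+-DassemblyAnalyzerEnabled=false \
+-DcentralAnalyzerEnabled=false \
+-DnuspecAnalyzerEnabled=false \
+-DnvdValidForHours=168 \
+-DdataDirectory=$HOME/.owasp/dependency-check-data
+
+- name: Compare and fail on new CVEs above threshold
+run: |
+# Extract CVEs above threshold from both branches (CVSS >= $CVSS_THRESHOLD)
+threshold="${{ env.CVSS_THRESHOLD }}"
+base_cves=$(cat base/target/dependency-check-report.json 2>/dev/null | jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+pr_cves=$(cat pr/target/dependency-check-report.json 2>/dev/null | jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+
+# Find new CVEs introduced in PR
+new_cves=$(comm -13 <(echo "$base_cves") <(echo "$pr_cves"))
+
+if [ -n "$new_cves" ]; then
+echo "❌ New vulnerabilities introduced in PR:"
+echo "$new_cves"
+echo ""
+
+for cve in $new_cves; do
+echo "=================================================="
+echo "CVE: $cve"
+echo "=================================================="
+
+# Find which dependencies have this CVE (with safe access to packages)
+cat pr/target/dependency-check-report.json | jq -r ".dependencies[] | select(.vulnerabilities[]?.name == \"$cve\") | \"Module: \" + (.projectReferences // [\"root\"])[0] + \"\nDependency: \" + .fileName + \"\nPackage: \" + (if .packages and .packages[0] then .packages[0].id else \"N/A\" end) + \"\nDescription: \" + (.vulnerabilities[] | select(.name == \"$cve\") | .description)"
+
+echo ""
+done
+
+exit 1
+else
+echo "✅ No new vulnerabilities introduced"
+fi
+
+- name: Save OWASP database cache
+if: always()
+uses: actions/cache/save@v4
+with:
+path: ~/.owasp/dependency-check-data
+key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+
+- name: Upload reports
+if: always()
+uses: actions/upload-artifact@v4
+with:
+name: owasp-reports
+path: |
+base/target/dependency-check-report.json
+pr/target/dependency-check-report.json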
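Review bot: The comparison step fails open: `cat pr/target/dependency-check-report.json 2>/dev/null` hides a missing or empty PR report (both scans run with `-DfailOnError=false`, and the default `run:` shell has no `pipefail`), so `pr_cves` is empty and the step prints "No new vulnerabilities introduced" when the scan produced nothing to compare. Guard both inputs before comparing, `for f in base/target/dependency-check-report.json pr/target/dependency-check-report.json; do [ -s "$f" ] || { echo "missing report: $f"; exit 1; }; done`, and put `set -o pipefail` at the top of the step. `-DfailOnError=false` also turns an analyzer error into a report with fewer findings rather than a failure, so I would at least log the dependency and vulnerability counts of each report so a silently degraded scan is visible in the job output; I cannot tell from this diff how the OSS Index analyzer behaves without credentials. On the `workflow_dispatch` trigger `github.event.pull_request.head.sha` and `.base.sha` are both empty, so the two checkouts resolve to the same ref and the comparison is vacuous; either drop that trigger or add inputs for the two refs.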
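--- a/.github/workflows/trivy-pr-check.yml
+++ b/.github/workflows/trivy-pr-check.yml
@@ -0,0 +1,54 @@
+name: Trivy PR Security Check
+on: [pull_request]
+
+jobs:
+trivy-scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout PR branch
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.sha }}
+path: pr
+
+- name: Checkout base branch
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.base.sha }}
+path: base
+
+- name: Scan base branch
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+scan-ref: 'base'
+format: 'json'
+output: 'base-results.json'
+exit-code: '0' # Don't fail on base branch issues
+
+- name: Scan PR branch
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+scan-ref: 'pr'
+format: 'json'
+output: 'pr-results.json'
+exit-code: '0'
+
+- name: Compare and fail on new CVEs
+run: |
+# Extract CVE IDs from both scans
+base_cves=$(cat base-results.json | jq -r '.Results[]?.Vulnerabilities[]?.VulnerabilityID' | sort -u)
+pr_cves=$(cat pr-results.json | jq -r '.Results[]?.Vulnerabilities[]?.VulnerabilityID' | sort -u)
+
+# Find new CVEs in PR
+new_cves=$(comm -13 <(echo "$base_cves") <(echo "$pr_cves"))
+
+if [ ! -z "$new_cves" ]; then
+echo "New vulnerabilities introduced in PR:"
+echo "$new_cves"
+cat pr-results.json | jq '.Results[]?.Vulnerabilities[]? | select(.VulnerabilityID | IN($new_cves))'
+exit 1
+else
+echo "No new vulnerabilities introduced"
+fi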
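Review bot: `select(.VulnerabilityID | IN($new_cves))` on the line after `echo "$new_cves"` puts a shell variable name inside a single-quoted jq program, so jq sees an undefined jq variable and aborts instead of printing the offending findings; the step still exits 1, but the detail a reviewer needs to act on the failure is lost. Pass the IDs in as jq data: `jq --argjson ids "$(printf '%s\n' "$new_cves" | jq -R . | jq -s .)" '.Results[]?.Vulnerabilities[]? | select(.VulnerabilityID | IN($ids[]))' pr-results.json`. The comparison also keys on `VulnerabilityID` alone, so an advisory already present in base on one package is not reported when the PR introduces it on a second package; comparing `.PkgName + "@" + .InstalledVersion + " " + .VulnerabilityID` in both extractions would catch that. Unlike the OWASP workflow, this one fails on any severity, so a low-severity finding in a transitive dependency blocks the PR; filtering on Trivy's `Severity` field to the same high/critical bar would keep the two checks consistent.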
14 changes: 13 additions & 1 deletion presto-hudi/pom.xml
Expand Up @@ -40,6 +40,18 @@
<scope>compile</scope>
</dependency>

<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>

<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
Expand Down Expand Up @@ -149,7 +161,7 @@
<groupId>org.apache.hudi</groupId>
<artifactId>hudi-presto-bundle</artifactId>
<!-- This version upgrade should apply only to the Hudi connector, so the Hudi dependency is updated here (and not in root pom). -->
<version>1.0.2</version>
<version>0.14.0</version>
</dependency>

<!-- Tests -->
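Review bot: The new `junit` 4.11 and `log4j-core` 2.14.1 entries carry hard-coded `<version>` elements in the module pom, while the comment on the hudi-presto-bundle entry suggests versions are otherwise managed in the root pom, and 2.14.1 is a log4j-core release line with widely published critical advisories — exactly what the OWASP and Trivy workflows added in this PR are meant to catch. Taken together with the commit titles "Revert hudi" and "df", these look like fixtures used to exercise the new scanners rather than changes meant to ship; if so they should be dropped before merge, and if `log4j-core` is genuinely needed it should be declared with a current version and an explicit `<scope>`, consistent with the `junit` entry beside it. The enclosing `<dependencies>` element and the rest of the Hudi entry are outside both hunks, so I cannot see whether the root pom already declares either artifact.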