From ed7883c3a0cffccb961e337768dd697dda4664ca Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Wed, 11 Dec 2024 20:33:22 -0500
Subject: [PATCH] debezium-connector-spanner-3.0/3.0.4-r0: cve remediation (#36050)

GHSA-5mg8-w23w-74h3 relates to guava, which comes from a transitive dependnecy:

```
[INFO] --- dependency:3.1.1:tree (default-cli) @ debezium-connector-spanner ---
[INFO] io.debezium:debezium-connector-spanner:jar:3.0.4.Final
[INFO] \- com.google.cloud:google-cloud-spanner:jar:6.30.1:compile
[INFO] \- com.google.guava:guava:jar:32.0.0-jre:import
```

Remediating this involved bumping `google-cloud-spanner`, as opposed to attempting to bump guava as a top-level dependency in this application. It seems to have remediated the CVE. I also expanded the tests to try and cover a functional test from melange.

--------------

debezium-connector-spanner-3.0/3.0.4-r0: fix GHSA-5mg8-w23w-74h3

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/debezium-connector-spanner-3.0.advisories.yaml

---------

Signed-off-by: Mark McCormick
Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
Co-authored-by: Mark McCormick
---
 debezium-connector-spanner-3.0.yaml | 10 +++++---
 .../SimpleTest.java | 16 +++++++++++++
 .../pombump-deps.yaml | 23 +++++++------------
 .../pombump-properties.yaml | 4 ++++
 4 files changed, 35 insertions(+), 18 deletions(-)
 create mode 100644 debezium-connector-spanner-3.0/SimpleTest.java
 create mode 100644 debezium-connector-spanner-3.0/pombump-properties.yaml

diff --git a/debezium-connector-spanner-3.0.yaml b/debezium-connector-spanner-3.0.yaml
index 189830609d6..0c71fadae6a 100644
--- a/debezium-connector-spanner-3.0.yaml
+++ b/debezium-connector-spanner-3.0.yaml
@@ -1,7 +1,7 @@
 package:
 name: debezium-connector-spanner-3.0
 version: 3.0.4
- epoch: 1
+ epoch: 2
 description: An incubating Debezium CDC connector for Google Spanner
 copyright:
 - license: Apache-2.0
@@ -77,6 +77,10 @@ test:
 - name: Verify JAR presence
 runs: |
 test -f /usr/share/java/debezium/debezium-connector-spanner/debezium-connector-spanner-${{package.version}}.Final.jar
- - name: Validate JAR metadata
+ - name: Simple functional initialization test
 runs: |
- jar tf /usr/share/java/debezium/debezium-connector-spanner/debezium-connector-spanner-${{package.version}}.Final.jar | grep -q "META-INF/MANIFEST.MF"
+ # SimpleTest.java is located in melange, under the folder associated with this package.
+ cp SimpleTest.java /usr/share/java/debezium/debezium-connector-spanner
+ cd /usr/share/java/debezium/debezium-connector-spanner
+ javac SimpleTest.java
+ java -cp ".:/usr/share/java/debezium/debezium-connector-spanner/*" SimpleTest
diff --git a/debezium-connector-spanner-3.0/SimpleTest.java b/debezium-connector-spanner-3.0/SimpleTest.java
new file mode 100644
index 00000000000..c0df225b5ae
--- /dev/null
+++ b/debezium-connector-spanner-3.0/SimpleTest.java
@@ -0,0 +1,16 @@
+/**
+* Simple test to verify the Debezium Spanner Connector is properly installed and loadable.
+* Tests class loading functionality by attempting to load a core connector class.
+*/
+public class SimpleTest {
+ public static void main(String[] args) {
+ try {
+ Class cls = Class.forName("io.debezium.connector.spanner.SpannerStreamingChangeEventSource");
+ System.out.println("Successfully loaded class");
+ System.exit(0);
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ }
+ }
\ No newline at end of file
diff --git a/debezium-connector-spanner-3.0/pombump-deps.yaml b/debezium-connector-spanner-3.0/pombump-deps.yaml
index 4be48b20372..42332bccc9a 100644
--- a/debezium-connector-spanner-3.0/pombump-deps.yaml
+++ b/debezium-connector-spanner-3.0/pombump-deps.yaml
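Review bot: The new test step writes into the installed package tree — `cp SimpleTest.java /usr/share/java/debezium/debezium-connector-spanner` followed by `javac SimpleTest.java` in that directory leaves both the source and `SimpleTest.class` next to the shipped jars for the remainder of the test run. Compiling into a scratch directory keeps the install tree untouched and removes the `cd` (assuming, as the existing `cp SimpleTest.java` line already does, that the step runs from the package directory): `tmp="$(mktemp -d)"`, `javac -d "$tmp" SimpleTest.java`, `java -cp "$tmp:/usr/share/java/debezium/debezium-connector-spanner/*" SimpleTest`. Separately, loading one connector class does not show that the guava remediation this commit is about actually landed in the package; if the dependency jars are installed beside the connector jar (the wildcard classpath suggests they are), a `test -f /usr/share/java/debezium/debezium-connector-spanner/guava-<expected-version>-jre.jar` line would pin it and fail the build if a future bump regresses. The enclosing `test:` pipeline begins before this hunk.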
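Review bot: The `catch (Exception e)` at the bottom of `main` does not cover the failure this smoke test is most likely to hit after a dependency bump — a missing or incompatible transitive class surfaces from `Class.forName` as `NoClassDefFoundError` or `ExceptionInInitializerError`, which are `LinkageError`s rather than exceptions. The JVM still exits non-zero on an uncaught Error, so the test would not silently pass, but the trace then bypasses the handler and the code reads as if only `ClassNotFoundException` were anticipated; catching `ReflectiveOperationException | LinkageError` makes the contract explicit. `Class cls` is a raw-typed, unused local and `System.exit(0)` on the success path is redundant; the class's closing brace is indented one level and the file lacks a trailing newline. A comment on the `Class.forName` call should also say that the single-argument form initializes the class, which is what makes this exercise static initializers and their dependencies rather than just class-file lookup.
```java
// … unchanged: class Javadoc …
public class SimpleTest {
    public static void main(String[] args) {
        try {
            // Class.forName(String) also initializes the class, so its static
            // initializers and the transitive classes they reference are loaded too.
            Class.forName("io.debezium.connector.spanner.SpannerStreamingChangeEventSource");
            System.out.println("Successfully loaded class");
        } catch (ReflectiveOperationException | LinkageError e) {
            // LinkageError covers NoClassDefFoundError / ExceptionInInitializerError
            // caused by a missing or incompatible transitive dependency.
            e.printStackTrace();
            System.exit(1);
        }
    }
}
```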
@@ -1,16 +1,9 @@
 patches:
- # Mitigates CVE-2023-1428, CVE-2023-32732 and CVE-2023-32731
- - groupId: io.grpc
- artifactId: grpc-protobuf
- version: 1.53.0
- scope: import
- type: jar
- # Mitigates CVE-2024-7254
- - groupId: com.google.protobuf
- artifactId: protobuf-java
- version: 3.25.5
- # Mitigates CVE-2020-8908 and CVE-2023-2976
- # FIXME: Resulting build faiure after major version bump to 32.1.2-jre.
- # - groupId: com.google.guava
- # artifactId: guava
- # version: 32.1.2-jre
+ - groupId: io.grpc
+ artifactId: grpc-protobuf
+ version: 1.53.0
+ scope: import
+ type: jar
+ - groupId: com.google.protobuf
+ artifactId: protobuf-java
+ version: 3.25.5
diff --git a/debezium-connector-spanner-3.0/pombump-properties.yaml b/debezium-connector-spanner-3.0/pombump-properties.yaml
new file mode 100644
index 00000000000..208877f3716
--- /dev/null
+++ b/debezium-connector-spanner-3.0/pombump-properties.yaml
@@ -0,0 +1,4 @@
+
+properties:
+ - property: google.cloud.spanner.version
+ value: "6.82.0"
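Review bot: The rewritten `patches:` list drops the two comments that recorded why `grpc-protobuf` is pinned at `1.53.0` and `protobuf-java` at `3.25.5` (`# Mitigates CVE-2023-1428, CVE-2023-32732 and CVE-2023-32731` and `# Mitigates CVE-2024-7254`) even though the entries themselves are unchanged; without them the next reviewer cannot tell whether a pin is still required or safe to lift. Please keep those two comments above their entries. The same gap applies to the new `pombump-properties.yaml` in the following hunk: the `google.cloud.spanner.version` override is the remediation the commit message describes, so a comment such as `# Bumped so the transitive guava moves past GHSA-5mg8-w23w-74h3 (CVE-2023-2976); replaces the direct guava bump that broke the build` would carry the rationale the removed `# FIXME` block used to hold. That file also begins with a blank line, which is presumably unintended.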