exasol / project-keeper

This Maven plugin checks and unifies a project's structure according to the Exasol integration team's repository standards.
MIT License

Dependency upgrade process #515

Closed kaklakariada closed 7 months ago

kaklakariada commented 8 months ago

### Goal

Speedup process for fixing vulnerabilities in third party dependencies.

### Implementation

When the dependencies_check.yml workflow finds new vulnerabilities in dependencies it will trigger another GitHub workflow. This new workflow will upgrade all dependencies to their latest versions.

### Input

We add a new update-dependencies mode to PK that gets an optional parameter. This parameter describes:

### Process

1. Create a new branch if the main branch is currently checked out
2. Read the version from the pom, increment the patch version and set the version in the pom using the Maven versions plugin.
3. Update the project-keeper version in the pom
4. Update dependencies via `mvn versions:use-latest-releases && mvn versions:update-properties`, see update-properties & use-latest-releases
5. Run PK fix
6. Update the changelog if vulnerability details are available:
   - release date = today
   - Code name: Fix vulnerabilities CVE-.... in dependency ...
   - Summary: This release fixes the following vulnerabilities: ...
   - Changes: # Security * #... Fixed CVE-... in dependency ...
7. Commit to the new branch & push it
8. Create a pull request with a "Closes #..." comment

### Tasks
- [x] Add requirements & design
- [x] Document `upgrade-dependencies` mode
- [x] Document how to exclude dependencies from upgrading using `versions-maven-plugin`'s [excludesList](https://www.mojohaus.org/versions/versions-maven-plugin/use-latest-releases-mojo.html#excludesList)
- [x] Add `upgrade-dependencies.yml` GH workflow (manually triggered) that launches PK `upgrade-dependencies`.

### Open questions

### Delimitations / out-of-scope
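The process above as a POSIX shell driver (an added example, not project-keeper's own implementation of the `upgrade-dependencies` mode). It assumes `git`, `mvn` and the GitHub CLI `gh` are on `PATH`, that the PK fix goal is `mvn project-keeper:fix`, and it leaves out steps 3 and 6 (PK version bump and changelog editing), which are project-specific.

```shell
# Added example driver for the upgrade process; not project-keeper's own code.
# Assumes git, mvn and gh on PATH; goal name project-keeper:fix assumed from PK's README.

# Bump the patch component of a three-part version: "2.9.1" -> "2.9.2".
next_patch_version() {
  version="$1"
  case "$version" in *.*.*) ;; *) echo "not major.minor.patch: $version" >&2; return 1 ;; esac
  major="${version%%.*}"; rest="${version#*.}"
  minor="${rest%%.*}";    patch="${rest#*.}"
  case "$patch" in ''|*[!0-9]*) echo "patch is not numeric: $version" >&2; return 1 ;; esac
  printf '%s.%s.%s\n' "$major" "$minor" "$((patch + 1))"
}

# Print the versions-maven-plugin goals and options for step 4, one per line.
# $1: optional comma-separated groupId:artifactId list to keep pinned (excludesList).
upgrade_args() {
  printf '%s\n' versions:use-latest-releases versions:update-properties -DgenerateBackupPoms=false
  if [ -n "${1:-}" ]; then printf '%s\n' "-DexcludesList=$1"; fi
}

# run_upgrade [excludes] [issue-number]: branch, bump, upgrade, PK fix, commit, push, PR.
run_upgrade() {
  excludes="${1:-}"; issue="${2:-}"
  current=$(git rev-parse --abbrev-ref HEAD)
  version=$(mvn -q help:evaluate -Dexpression=project.version -DforceStdout)
  next=$(next_patch_version "$version") || return 1
  if [ "$current" = main ]; then                                       # step 1
    git checkout -b "refactor/upgrade-dependencies-$next"
  fi
  mvn -B versions:set -DnewVersion="$next" -DgenerateBackupPoms=false  # step 2
  # word splitting is intended here: excludesList values contain no spaces
  mvn -B $(upgrade_args "$excludes")                                   # step 4
  mvn -B project-keeper:fix                                            # step 5
  git commit -am "Upgrade dependencies, bump version to $next"         # step 7
  git push -u origin HEAD
  if [ -n "$issue" ]; then                                             # step 8
    gh pr create --fill --body "Closes #$issue"
  fi
}
```

Call it as `run_upgrade "com.example:pinned-lib" 515` from a checked-out clone; the `excludesList` argument pins dependencies that must not be upgraded.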

pj-spoelders commented 8 months ago

I don't know if you kept this in mind, but another nice thing would be to manually be able to batch update projects' multiple dependencies when we release something, e.g. in case of virtual-schema-common-jdbc being updated... I'm not sure if that's out of scope or not.

ckunki commented 8 months ago

Review effort .2

kaklakariada commented 7 months ago

Effort: ~8pd