Merge pull request #133 from aws-solutions/feature/v1.9.4

Update to version v1.9.4

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.9.4] - 2024-10-03
+
+### Security
+
+- Patched protobuf-java vulnerability
+
 ## [1.9.3] - 2024-09-19
 
 ### Security

NOTICE.txt

@@ -12,10 +12,10 @@ THIRD PARTY COMPONENTS
 **********************
 This software includes third party software subject to the following copyrights:
 
-@aws-solutions-constructs/aws-apigateway-kinesisstreams under the Apache License 2.0
-@aws-solutions-constructs/aws-apigateway-lambda under the Apache License 2.0
-@aws-solutions-constructs/aws-kinesisfirehose-s3 under the Apache License 2.0
-@aws-solutions-constructs/aws-kinesisstreams-lambda under the Apache License 2.0
+@aws-solutions-constructs/aws-apigateway-kinesisstreams under the Apache-2.0 license.
+@aws-solutions-constructs/aws-apigateway-lambda under the Apache-2.0 license.
+@aws-solutions-constructs/aws-kinesisfirehose-s3 under the Apache-2.0 license.
+@aws-solutions-constructs/aws-kinesisstreams-lambda under the Apache-2.0 license.
 AWS CDK under the Apache License Version 2.0
 AWS Java SDK :: Auth under the Apache License Version 2.0
 AWS Java SDK :: HTTP Clients :: Netty Non Blocking I/O under the Apache License Version 2.0
@@ -48,16 +48,16 @@ SLF4J Simple Binding under the Massachusetts Institute of Technology (MIT) licen
 Source Map Support under the Massachusetts Institute of Technology (MIT) license
 TypeScript under the Apache License Version 2.0
 attrs under the Massachusetts Institute of Technology (MIT) License
-aws-cdk-lib under the Apache License 2.0
+aws-cdk-lib under the Apache-2.0 license.
 aws-sdk under the Apache License Version 2.0
 aws-sdk-mock under the Apache License Version 2.0
 awscli under the Apache License 2.0
-boto3 under the Apache Software License (Apache 2.0)
-botocore under the Apache License 2.0
+boto3 under the Apache-2.0 license.
+botocore under the Apache-2.0 license.
 chai under the Massachusetts Institute of Technology (MIT) license
 colorama under the BSD License
-coverage under the Apache License 2.0
-crhelper under the Apache License Version 2.0
+coverage under the Apache-2.0 license.
+crhelper under the Apache-2.0 license.
 defusedxml under the Apache License 2.0
 docutils under the BSD License
 filelock under the The Unlicense
@@ -68,14 +68,14 @@ py-serializable under the Apache License 2.0
 pyasn1 under the Apache License 2.0
 pytest under the Massachusetts Institute of Technology (MIT) License
 python-dateutil under the Apache Software License, BSD License (Dual License)
-requests under the Apache License Version 2.0
+requests under the Apache-2.0 license.
 rsa under the Apache License 2.0
 s3transfer under the Apache License 2.0
 sinon under the BSD-3-Clause license
-source-map-support under the Apache License 2.0
+source-map-support under the MIT license.
 ts-jest under the Massachusetts Institute of Technology (MIT) license
 ts-node under the Massachusetts Institute of Technology (MIT) license
-cdk-nag under the Apache License 2.0
+cdk-nag under the Apache-2.0 license.
 typing_extensions under Python Software Foundation License
 boolean.py under BSD-2-Clause
 license-expression under Apache License Version 2.0
@@ -90,8 +90,8 @@ com.amazonaws/aws-java-sdk-s3 under the Apache-2.0 license
 com.amazonaws/aws-java-sdk-sts under the Apache-2.0 license
 com.amazonaws/jmespath-java under the Apache-2.0 license
 com.damnhandy/handy-uri-templates under the Apache-2.0 license
-com.demo/aws-kda-flink-ml under the <license missing> license
-com.demo/aws-kpl-demo under the <license missing> license
+com.demo/aws-kda-flink-ml under the Apache-2.0 license
+com.demo/aws-kpl-demo under the Apache-2.0 license
 com.fasterxml.jackson.core/jackson-annotations under the Apache-2.0 license
 com.fasterxml.jackson.core/jackson-core under the Apache-2.0 license
 com.fasterxml.jackson.core/jackson-databind under the Apache-2.0 license
@@ -674,6 +674,30 @@ yaml under the ISC license
 yn under the MIT license
 yocto-queue under the MIT license
 urllib3 under the MIT license
+graceful-fs under the ISC license.
+semver under the ISC license.
+source-map under the BSD-3-Clause license.
+@babel/types under the MIT license.
+expect under the MIT license.
+@jest/types under the MIT license.
+stack-utils under the MIT license.
+prettier under the MIT license.
+@typescript-eslint/parser under the BSD-2-Clause license.
+globals under the MIT license.
+@typescript-eslint/types under the MIT license.
+@typescript-eslint/utils under the MIT license.
+@pkgr/utils under the MIT license.
+jest under the MIT license.
+@jest/core under the MIT license.
+@babel/core under the MIT license.
+istanbul-lib-coverage under the BSD-3-Clause license.
+istanbul-lib-report under the BSD-3-Clause license.
+istanbul-reports under the BSD-3-Clause license.
+@sinonjs/fake-timers under the BSD-3-Clause license.
+yargs under the MIT license.
+yargs-parser under the ISC license.
+@smithy/types under the Apache-2.0 license.
+software.amazon.awssdk/annotations under the Apache-2.0 license.
 
 ********************
 OPEN SOURCE LICENSES
@@ -689,4 +713,5 @@ ISC - https://opensource.org/licenses/ISC
 MIT - https://opensource.org/licenses/MIT
 MIT-0 - https://github.com/aws/mit-0
 Public Domain - https://github.com/stleary/JSON-java/blob/master/LICENSE
-Unlicense - https://opensource.org/licenses/Unlicense
+Unlicense - https://opensource.org/licenses/Unlicense
+Python-2.0 - https://spdx.org/licenses/Python-2.0.html

SECURITY.md

@@ -1,6 +1,9 @@
-Reporting Security Issues
-----------------------------------------------------------------------------------------------------------
-We take all security reports seriously. When we receive such reports, we will investigate and 
-subsequently address any potential vulnerabilities as quickly as possible. If you discover a potential 
-security issue in this project, please notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or 
-directly via email to [AWS Security](mailto:[email protected]). Please do not create a public GitHub issue in this project.
+## Reporting Security Issues
+
+We take all security reports seriously. When we receive such reports,
+we will investigate and subsequently address any potential vulnerabilities as 
+quickly as possible. If you discover a potential security issue in this project,
+please notify AWS/Amazon Security via our [vulnerability reporting page]
+(http://aws.amazon.com/security/vulnerability-reporting/) or directly via email 
+to [AWS Security](mailto:[email protected]).
+Please do *not* create a public GitHub issue in this project.

deployment/build-s3-dist.sh

@@ -42,6 +42,7 @@ staging_dist_dir="$template_dir/staging"
 template_dist_dir="$template_dir/global-s3-assets"
 build_dist_dir="$template_dir/regional-s3-assets"
 source_dir="$template_dir/../source"
+solution_root_dir="$template_dir/.."
 
 echo "------------------------------------------------------------------------------"
 echo "[Init] Remove any old dist files from previous runs"
@@ -55,6 +56,19 @@ mkdir -p $build_dist_dir
 rm -rf $staging_dist_dir
 mkdir -p $staging_dist_dir
 
+echo "------------------------------------------------------------------------------"
+echo "[Create Solution Manifest] Create solution manifest file"
+echo "------------------------------------------------------------------------------"
+if [ ${SOLUTION_NAME} == "streaming-data-solution-for-amazon-kinesis" ]; then
+    echo "Creating Kinesis Solution Manifest"
+    cp ${solution_root_dir}/solution-manifest-kinesis.yaml ${solution_root_dir}/solution-manifest.yaml
+elif [ ${SOLUTION_NAME} == "streaming-data-solution-for-amazon-msk" ]; then
+    echo "Creating MSK Solution Manifest"
+    cp ${solution_root_dir}/solution-manifest-msk.yaml ${solution_root_dir}/solution-manifest.yaml
+else
+    echo "WARN: Cannot create solution-manifest.yaml."
+fi
+
 echo "------------------------------------------------------------------------------"
 echo "[Init] Get version of the AWS CDK"
 echo "------------------------------------------------------------------------------"

source/kinesis/kda-flink-ml/pom.xml

@@ -21,6 +21,13 @@
         <shade-plugin.version>3.2.4</shade-plugin.version>
     </properties>
 
+    <licenses>
+        <license>
+            <name>Apache License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+        </license>
+    </licenses>    
+
     <dependencies>
         <!-- Apache Flink dependencies -->
         <!-- These dependencies are provided, because they should not be packaged into the JAR file. -->

source/kinesis/kpl-demo/pom.xml

@@ -9,6 +9,13 @@
     <version>1.6.0</version>
     <packaging>jar</packaging>
 
+    <licenses>
+        <license>
+            <name>Apache License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+        </license>
+    </licenses>
+
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <java.version>1.11</java.version>
@@ -24,6 +31,11 @@
             <artifactId>amazon-kinesis-producer</artifactId>
             <version>0.15.10</version>
         </dependency>
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.25.5</version>
+        </dependency>
         <!-- https://mvnrepository.com/artifact/com.google.guava/guava -->
         <dependency>
             <groupId>com.google.guava</groupId>

source/lambda/kds-lambda-consumer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kds-lambda-consumer",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "description": "sample lambda consumer for KDS",
   "main": "index.js",
   "scripts": {

source/lambda/msk-lambda-consumer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "msk-lambda-consumer",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "description": "sample lambda consumer for MSK",
   "main": "index.js",
   "scripts": {

source/lambda/msk-lambda-kdf/package.json

@@ -1,6 +1,6 @@
 {
   "name": "msk-lambda-kdf",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "description": "lambda consumer that publishes MSK events to KDF",
   "main": "index.js",
   "scripts": {
@@ -19,7 +19,7 @@
     "jest": "^29.7.0",
     "sinon": "^18.0.1"
   },
-  
+
   "jest": {
     "testEnvironment": "node",
     "collectCoverage": true,

source/lambda/taxi-fare-endpoint/package.json

@@ -1,6 +1,6 @@
 {
   "name": "taxi-fare-endpoint",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "description": "sample endpoint for taxi fare prediction",
   "main": "index.js",
   "scripts": {

source/package.json

@@ -1,6 +1,6 @@
 {
   "name": "streaming-data-solution",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "bin": {
     "streaming-data-solution": "bin/streaming-data-solution.js"
   },