legend-pure's People

Contributors

abhishoya-gs, afine-gs, akphi, aormerod-gs, aziemchawdhary-gs, dave-wathen, davidsunglee, dependabot[bot], elopezcastro, emilia-sokol-gs, epsstan, finos-admin, gs-bracej, gs-gunjan, gs-jp1, gs-ssh16, hardikmaheshwari, haroonsherjan, ivan-kyosev-gs, jackie-h, kevin-m-knight-gs, maoo, marcinjalmuzna, mauriciouyaguari, mrudula-gs, pbt-santos, pierredebelen, prateekgarg-gs, rafaelbey, yannangao-gs

legend-pure's Issues

SubtypeOf should fallback on graph _subTypeOf when to search for classes in the graph

Bug Report

Steps to Reproduce:

  1. Use legend-pure version 1.36.1, legend-engine version 2.42.0 and current version of legend-studio.

The following model/mapping will fail when executing the mapping test:

Class test::MilestonedData
{
  FROM_Z: StrictDate[0..1];
  THRU_Z: StrictDate[0..1];
}

Class test::MarketListIdentifier extends test::MilestonedData
{
  identifier: String[1];
}

Class test::TopLevelTarget
{
  id: String[*];
}

Class test::TopLevelSource
{
  current: test::MarketListIdentifier[*];
}

function test::f(t: test::TopLevelSource[1]): test::MarketListIdentifier[*]
{
   $t.current->filter(m|$m->test::isNonEmptyDates())
}

function test::isNonEmptyDates(milestonedData: test::MilestonedData[1]): Boolean[1]
{
   $milestonedData.THRU_Z->isNotEmpty() && $milestonedData.FROM_Z->isNotEmpty()
}


###Mapping
Mapping test::M
(
  test::TopLevelTarget: Pure
  {
    ~src test::TopLevelSource
    id: $src->test::f().identifier
  }

  MappingTests
  [
    test_1
    (
      query: |test::TopLevelTarget.all()->graphFetchChecked(#{test::TopLevelTarget{id}}#)->serialize(#{test::TopLevelTarget{id}}#);
      data:
      [
        <Object, JSON, test::TopLevelSource, '{"current":[{"FROM_Z":"2021-10-11","THRU_Z":"2021-11-01","delete":true,"topLevel":{"marketList":[{"FROM_Z":"2021-10-23","THRU_Z":"2021-11-20","delete":true,"identifier":"identifier 51"}],"id":["id 54"]},"identifier":"identifier 67"}],"proposed":{"FROM_Z":"2021-11-13","THRU_Z":"2021-11-19","topLevel":{"marketList":[{"FROM_Z":"2021-11-23","THRU_Z":"2021-11-12","identifier":"identifier 59"}],"id":["id 4"]},"identifier":"identifier 68"}}'>
      ];
      assert: '{}';
    )
  ]
)

Expected Result:

Expected result is successful execution of the mapping test

Actual Result:

Test fails with error: ClassNotFoundException: org.finos.legend.pure.generated.Root_test_MilestonedData

Additional Context:

The bug is due to this line:

if($propertyPathOwner != $nodeClass && $propertyPathOwner->subTypeOf($nodeClass->toOne()),

Here, the call to subTypeOf should be replaced with _subTypeOf and is fixed here: #322
However, to avoid future issues with subTypeOf, the behaviour should be changed: in the case that the class is not found, we should fall back on searching the graph for the class (as _subTypeOf does).

CVE-2020-15250 (Medium) detected in junit-4.11.jar - autoclosed

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.11.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: legend-pure/legend-pure-configuration-external/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.11/junit-4.11.jar

Dependency Hierarchy:

  • legend-pure-runtime-java-engine-compiled-0.0.1-SNAPSHOT.jar (Root Library)
    • junit-4.11.jar (Vulnerable Library)

Found in HEAD commit: b59e9e28c092c5e6feaca79385149326039248d5

Found in base branch: master

Vulnerability Details

In JUnit4 before version 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-07-21

URL: CVE-2020-15250

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-07-21

Fix Resolution: junit:junit:r4.13.1
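
The permission difference described in the vulnerability details above, as an added example (not part of the scan report and not JUnit's or legend-pure's code): it creates one directory with the legacy java.io.File calls and one with Files.createTempDirectory and owner-only permissions, then checks which of them other accounts can read. The class and method names are hypothetical, and a POSIX file system is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical demo class; none of these names come from JUnit or legend-pure.
public class TempDirPermissionsDemo {

    // Any of these bits lets an account other than the owner list, enter or modify the directory.
    private static final Set<PosixFilePermission> NON_OWNER_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Legacy java.io.File pattern: the directory mode is 0777 masked by the
    // process umask, so with the common umask 022 it ends up rwxr-xr-x.
    static Path createWithLegacyApi(File parent) throws IOException {
        File placeholder = File.createTempFile("demo", "", parent);
        if (!placeholder.delete() || !placeholder.mkdir()) {
            throw new IOException("could not create directory " + placeholder);
        }
        return placeholder.toPath();
    }

    // java.nio.file pattern (JDK 1.7+): the owner-only mode is applied when the
    // directory is created, independent of the umask.
    static Path createOwnerOnly(Path parent) throws IOException {
        return Files.createTempDirectory(parent, "demo",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
    }

    // True when no group or other permission bit is set on the directory.
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return perms.stream().noneMatch(NON_OWNER_BITS::contains);
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("Not a POSIX file system; the permission check does not apply.");
            return;
        }
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        Path legacy = createWithLegacyApi(tmp);
        Path hardened = createOwnerOnly(tmp.toPath());
        try {
            for (Path dir : new Path[] {legacy, hardened}) {
                System.out.printf("%s %s owner-only=%b%n",
                        PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)),
                        dir, isOwnerOnly(dir));
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Running it with -Djava.io.tmpdir pointed at a directory owned exclusively by the executing user corresponds to the workaround named in the advisory text.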

Legend Light IDE's PURE URL is ignored

Support Question

The light server cannot be accessed from the Light IDE in its current version.

In the current iteration of the Light IDE, starting the IDE locally with a version of the Light server running in the background yields the message that /initialize cannot be found. Browser debug logs show that the IDE is trying to GET localhost:3000/initialize, where instead it should GET localhost:9010/initialize, which is the default port for the light server.

This is due to the following line in EditorStore.tsx:

    this.client = new PureClient(
      new NetworkClient({
        // NOTE: ignore the URL specified in the config so we can use this client for both Pure and Engine
        baseUrl: window.location.origin,
      }),
    );

The following fix works:

    this.client = new PureClient(
      new NetworkClient({
        // NOTE: ignore the URL specified in the config so we can use this client for both Pure and Engine
        baseUrl: this.applicationStore.config.pureUrl,
      }),
    );

I see that there is a NOTE remarking that the use of the window origin is intentional to support both PURE and the engine. So how does one run the Light IDE plus the IDE server locally?

WS-2019-0379 (Medium) detected in commons-codec-1.10.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: legend-pure/legend-pure-m4/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Dependency Hierarchy:

  • commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8

Found in base branch: master

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-12

Fix Resolution: 1.13-RC1


Persistence specification

Feature Request

Description of Problem:

Provide Legend users with a way to persist the results of a service invocation to a target datastore.

This capability would enable users to ingest data onto the platform.

It would also serve as a building block for other platform components, e.g. moving data in service of caching.

Potential Solutions:

Allow users to provide a persistence specification that takes a Legend service as input and covers key facets of persistence:

  • Shape of data to persist
  • Transactionality of data
  • Milestoning approach (non-temporal, unitemporal, bitemporal)
  • Behavior over multiple runs (snapshot, delta)

The specification would be executable against different runtimes which a user could choose depending on feature set, environment, or non-functional requirements.

Remove validation restriction of data parameter to getAll being only a constant or variable (to enable FunctionExpression)

return isDateConstant(coreInstance) || isVariableExpressionReturningADate(coreInstance);

Currently the method checks that the business date is a constant or a VariableExpression, expecting use cases of

MyClass.all(%2015-01-01)

or

let businessDate = today(); 
MyClass.all($businessDate );

However it gives compiler usage like

let businessDate = today();
MyClass.all($businessDate)
     ->concatenate(MyClass.all($businessDate->adjust(-1, DurationUnit.DAYS)));

due to the parameter being a FunctionExpression.

Although people can still create an equivalent query via:

let businessDate = today();
MyClass.all($businessDate)
     ->concatenate({d:Date[1]|MyClass.all($d)}->eval($businessDate->adjust(-1, DurationUnit.DAYS)));

and the compiler won't complain (but it's more complicated to write / less clear)

WhiteSource security checks fails on version of y18n used via webpack-dev-server

Current builds fail on WhiteSource security checks due to CVE-2020-7774 affecting y18n. (Example build)

This dependency is brought in via webpack-dev-server, but seems that the change needs to be backported to y18n v4 and to allow webpack-dev-server to be updated.

Rather than waiting we could force the dependency update on y18n to version 5.0.5, since webpack-dev-server cannot update to that version due to their dependency on node >= 6.11.5 and we use a later version.

What do you think @akphi?

TestPureDate.java fails on Java 11.0.9

Bug Report

In Java 11.0.9 the use of timezone "CST" no longer works causing the test on line 55 of TestPureDate.java to fail:

Assert.assertEquals("2013-12-31 19:01:01.070 CST", date.format("[CST]yyyy-MM-dd HH:mm:ss.SSS z"));

Tests run: 13, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.388 sec <<< FAILURE! - in org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate
testFormatWithTimeZoneShift(org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate)  Time elapsed: 0.029 sec  <<< FAILURE!

This should instead be

Assert.assertEquals("2013-12-31 19:01:01.070 GMT-06:00", date.format("[CST]yyyy-MM-dd HH:mm:ss.SSS z"));

Steps to Reproduce:

  1. Using Java 11.0.9
  2. run mvn -Dtest=TestPureDate test
  3. The test on line 55 fails
  4. Using Java 11.0.7
  5. run mvn -Dtest=TestPureDate test
  6. The test on line 55 passes

Expected Result:

The test should pass consistently on 11.0.7 and 11.0.9

Actual Result:

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate
Tests run: 13, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.388 sec <<< FAILURE! - in org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate
testFormatWithTimeZoneShift(org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate)  Time elapsed: 0.029 sec  <<< FAILURE!
org.junit.ComparisonFailure: expected:<...-12-31 19:01:01.070 [CST]> but was:<...-12-31 19:01:01.070 [GMT-06:00]>
        at org.junit.Assert.assertEquals(Assert.java:117)
        at org.junit.Assert.assertEquals(Assert.java:146)
        at org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate.testFormatWithTimeZoneShift(TestPureDate.java:55)

Results :

Failed tests:
  TestPureDate.testFormatWithTimeZoneShift:55 expected:<...-12-31 19:01:01.070 [CST]> but was:<...-12-31 19:01:01.070 [GMT-06:00]>

Environment:

Version: master after commit f98651e
OS: Ubuntu 18.04.5 LTS and Windows 10 (baremetal)
Java: 11.0.7 and 11.0.9

Additional Context:

As this issue is version specific I believe it needs a deeper dive into the use of java.util.TimeZone across the project. In this case used on line 255 of DateFormat.java

I am happy to open a PR to resolve across the board; let me know if you would like me to proceed

Ref: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/TimeZone.html

Expand relational grammar to allow dashes in schema names

Feature Request

Expand relational grammar to allow dashes in schema names.

Description of Problem:

In some databases/dataservices (e.g. BigQuery), the schema name does not allow "_" (underscore) but does allow "-" (dash).

Using "-" in a schema name results in a compilation error.

Potential Solutions:

The grammar defines "schema" to be an "identifier" [1]. "identifier" does not include dash (-). The grammar should be changed to include "-" (dash) for schema names.

[1] https://github.com/finos/legend-pure/blob/master/legend-pure-m2-store-relational/src/main/antlr4/org/finos/legend/pure/m2/relational/serialization/grammar/v1/antlr/RelationalParser.g4#L21

Persistence test framework

Provide a facility for testing persistence specifications. In particular, allow users to:

  • Verify that the data shape output by the service aligns with the persistence specification
  • Understand the impact of different ingest modes on sink data over multiple runs

Persistence Generation for AWS

Generate a Persistence specification that can be used to run on AWS. Builds on top of #425

Starting from an already-crafted Persistence, this capability will enable users to File Generate an AWS-specific persistence specification that contains all necessary information to run on AWS.

Support the use of Store objects that do not exist globally, but rather via local variables.

Feature Request / Question

Description of Problem:

I am currently trying to implement a Database via my own class. Hence, I define my database via the use of local variables rather than global ones, as, naturally, there is no dedicated syntax for this database type yet (such as in the case of Relational Databases). However, the router component heavily invokes the function elementToPath on store objects that are present in the mapping object handed over to the execute function. The function elementToPath, however, errors when invoked on objects that do not exist globally but are rather bound via local variables.

Potential Solutions:

This is the problematic code segment of elementToPath:

function meta::pure::functions::meta::elementToPath(element:PackageableElement[1], separator:String[1]):String[1]
{
    let path = $element->elementPath();
    if($path->size() == 1,
       | let first = $path->at(0);
         if(is(::, $first),
            | '',
            | $first.name->toOne());,
       | $path->tail()->map(e | $e.name)->joinStrings($separator));
}

If $first does not have a name attribute, the call to toOne() errors. My current workaround is to provide a name attribute to my custom Store. However, I guess this is rather a hack, as in reality, my local object does not have a package path.

One solution would be to provide a wrapper type that lets me expose my custom store as a packageable element so that calls to that function do not error. Does such a type/solution exist?

CVE-2019-17359 (High) detected in bcprov-jdk15on-1.60.jar - autoclosed

CVE-2019-17359 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.60.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: legend-pure/legend-pure-runtime-java-extension-external-json/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Dependency Hierarchy:

  • bcprov-jdk15on-1.60.jar (Vulnerable Library)

Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8

Found in base branch: master

Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64


Enhancing error message

Feature Request

Description of Problem:

When defining a lambda function without typing its arguments, the error message is cryptic:
{x|fooBarFunction($x)} // fails with "Function type is not fully defined in {NULL[NULL], NULL[NULL]->NULL[NULL]}".
The fooBarFunction has already been defined with appropriate signature, like: fooBarFunction (Argument: Type[n]):ReturnType[m]

Potential Solutions:

Either infer that x is of type Type, or (much simpler) return an error message such as "argument types not defined".

WS-2016-7057 (Medium) detected in plexus-utils-3.0.22.jar - autoclosed

WS-2016-7057 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: legend-pure/legend-pure-maven-java-compiled/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

  • maven-plugin-api-3.3.9.jar (Root Library)
    • maven-model-3.3.9.jar
      • plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8

Found in base branch: master

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@33a2853

Release Date: 2019-05-30

Fix Resolution: 3.0.24

Turn on Sonar report for PR quality control check

@maoo I thought it's better to create a separate thread to the conversation about sonar. I can set quality gate now, for all projects except for legend-pure, which is actually the one I need right now 😄 If you could add me to that one, it would be great!

That aside, I think the current quality gate profile Sonar default is good enough. My concern is how should we set the new code definition, do you have any experience or advice for us about this? As of now I thought the most sensible option is previous version (see screenshot), what do you think?

Thanks!

Invalid Java generation for function eval with unused result

Bug Report

Steps to Reproduce:

The following code compiles in Pure, but yields a Java compilation error in compiled mode.

import test::*;

function test::inspect<T|m>(values:T[m], fn:Function<{T[m]->Any[*]}>[1]):T[m]
{
    $fn->eval($values);
    $values;
}

function test::test():Any[*]
{
    inspect([1, 2, 3, 4], v | $v->map(i | $i->toString())->joinStrings('[', ', ', ']\\n'))
}

An ignored failing test was added for this in this commit.

Expected Result:

The Java code that is generated for the Pure code should compile (and behave correctly).

Actual Result:

What actually happens is a Java compilation error which complains that the generated Java code is not a statement.

Environment:

This was reproduced with legend-pure 3.7.0 and JDK 11.0.16.

Legend Supports Generating Morphir IR Enriched with Pure Source Information

Feature Request

Legend should support generating Morphir IR enriched with Pure source information.

Description of Problem:

Legend currently supports generating simple Pure functions into Morphir IR, and the next milestone would be to include Pure code source information in the generated IR in order for Bosque to provide theorem proving feedback with useful source info.

Potential Solutions:

Currently, (unmerged) changes have been made to support including source information in Morphir transform process. Here we provide example input function with an explicit zero division, which looks like:

function meta::external::language::morphir::transform::tests::zeroDivisionFunction(v1:Number[1]):Number[1]
{
   $v1 / 0.0;
}

… which would be located on line 23-26 of file “\core\external\language\morphir\tests\transformAndSerializeTests.pure”.

And the generated output from it would be:
{ "formatVersion": 1, "distribution": [ "library", [ [ "system" ], [ "morphir" ] ], [], { "modules": [ { "name": [ [ "transform" ] ], "def": [ "public", { "types": [], "values": [ [ [ "zero", "division", "function" ], [ "public", { "inputTypes": [ [ [ "v", "1" ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ] ] ], "outputType": [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ], "body": [ "apply", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 8 ], [ "endLine", 25 ], [ "endColumn", 8 ] ] ], [ "apply", [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [] ], [ "reference", [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ 
"reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [] ], [] ], [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "divide" ] ] ], [ "variable", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 5 ], [ "endLine", 25 ], [ "endColumn", 6 ] ] ], [ "v", "1" ] ] ], [ "literal", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 10 ], [ "endLine", 25 ], [ "endColumn", 12 ] ] ], [ "float_literal", 0.0 ] ] ] } ] ] ] } ] } ] } ] }

CVE-2018-10237 (Medium) detected in guava-18.0.jar - autoclosed

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-18.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

Library home page: http://code.google.com/p/guava-libraries

Path to dependency file: legend-pure/legend-pure-runtime-java-engine-compiled/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar

Dependency Hierarchy:

  • guava-18.0.jar (Vulnerable Library)

Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8

Found in base branch: master

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1-jre, 24.1.1-android


WS-2016-7062 (Medium) detected in plexus-utils-3.0.22.jar - autoclosed

WS-2016-7062 - Medium Severity Vulnerability

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: legend-pure/legend-pure-maven-java-compiled/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

  • maven-plugin-api-3.3.9.jar (Root Library)
    • maven-model-3.3.9.jar
      • plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8

Found in base branch: master

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@f933e5e

Release Date: 2019-09-26

Fix Resolution: 3.0.24

Provide a way to invoke generic functions with explicit type arguments

Feature Request

Description of Problem:

Suppose I want to define a type that models a bijective Map like so:

Class BiMap<K, V> {
  to: Map<K, V>[1];
  from: Map<V, K>[1];
}

Now I want to provide to users a convenient constructor method that just yields an empty instance of BiMap:

function empty<K, V>(): BiMap<K, V>[1] {
  ^BiMap<K,V>(to=^Map<K,V>(), from=^Map<V,K>());
}

Such a function definition does not work for two reasons: First, PURE tries to find existing types named K and V. Second, there is no way to invoke the empty function by explicitly specifying type parameters at invocation (type parameters are always implicit via supplied function arguments).

Fails to build

Bug Report

Steps to Reproduce:

  1. Clone the repo.
  2. Edit the main pom.xml to remove <module>legend-pure-ide-light</module> -- this is my attempt to operationalize the comment in the readme:

Pure IDE has a web application component which requires Node 14.17.1+ and Yarn 1.22.10. Make sure you have these set up in your development environment, otherwise, you would need to exclude the build step for this web application in legend-pure-ide-light module.

(I looked for what I could exclude in legend-pure-ide-light/pom.xml, couldn't find anything. Is this particular comment out of date?)
  3. Run mvn install

Expected Result:

successful build

Actual Result:

failure. See attached log.

Environment:

mvn --version:

Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /Users/vijaysaraswat/Downloads/apache-maven-3.6.3
Java version: 11.0.14, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-11.0.14.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "11.4", arch: "x86_64", family: "mac"

Additional Context:

...add any other context about the problem here. If applicable, add screenshots to help explain...
build-fail-log.txt

git log:

 git log
WARNING: terminal is not fully functional
-  (press RETURN) 
commit ca62687264a4e45807aa7084edf56aaacd5b8eac (HEAD -> master, origin/master, origin/HEAD)
Author: pierredebelen <[email protected]>
Date:   Wed Mar 23 11:24:00 2022 -0400

    [maven-release-plugin] prepare for next development iteration

commit 2d18b24d608469e2ff975efb4bf77655d6d9c2bc (tag: legend-pure-1.52.0)
Author: pierredebelen <[email protected]>
Date:   Wed Mar 23 11:23:58 2022 -0400

    [maven-release-plugin] prepare release legend-pure-1.52.0
...

git status is:

On branch master
Your branch is up to date with 'origin/master'.
