Describe the enhancement requested
Hello Apache Arrow team,
First of all, thank you for your work on Arrow and the Flight SQL JDBC driver.
We are currently using the Flight SQL JDBC driver version 19.0.0 and, during a routine security scan of our artifacts (Docker image), we identified several vulnerabilities affecting dependencies that appear to be shaded within the driver JAR.
Specifically, the following issues were reported:
Since these libraries are shaded, it is not possible for us to mitigate the vulnerabilities via standard dependency management (e.g., Maven/Gradle overrides).
We have already reached out to the Apache security channel to report and discuss this situation, but we would also like to ask here:
- Are there plans to update these shaded dependencies in an upcoming release?
- In particular, for the Netty HTTP/2 component, can you confirm whether it is actively used by the Flight SQL JDBC driver or if it could be considered non-critical in typical usage?
Thank you in advance for your support and for maintaining the project.
Kind regards
Everin Orlandi
Component(s)
Java