https://community.databricks.com/t5/get-started-discussions/databricks-jdbc-driver-2-6-36-includes-dependencies-in-pom/m-p/55553#M2031 <P>I didn't find where to open an issue (GitHub or Jira). Please, let me know if I need to report it somewhere else.</P> Wed, 20 Dec 2023 11:45:25 GMT Oleksandr 2023-12-20T11:45:25Z https://community.databricks.com/t5/get-started-discussions/databricks-jdbc-driver-2-6-36-includes-dependencies-in-pom/m-p/55552#M2030 <P>Starting from&nbsp;Databricks JDBC Driver 2.6.36 we've got Trivy security report with vulnerabilities from pom.properties.</P><P><BR />2.6.36 adds org.apache.commons.commons-compress:1.20 and&nbsp;ch.qos.logback.logback-classic:1.2.3.<BR />2.6.34 doesn't include such dependencies.<BR />I'm wondering why we added it. I don't see any transitive dependencies and those jars are not in classpath but&nbsp;META-INF/pom.propetries are still present.</P><P>I don't think it's a vulnerability but such&nbsp;pom.propetries should be cleaned up or updated. Not sure why such changes were added to a path version. Also, I see that&nbsp;2.6.35 is missing, so it might be some problems with the build process</P> Wed, 20 Dec 2023 11:44:10 GMT https://community.databricks.com/t5/get-started-discussions/databricks-jdbc-driver-2-6-36-includes-dependencies-in-pom/m-p/55552#M2030 Oleksandr 2023-12-20T11:44:10Z https://community.databricks.com/t5/get-started-discussions/databricks-jdbc-driver-2-6-36-includes-dependencies-in-pom/m-p/55553#M2031 <P>I didn't find where to open an issue (GitHub or Jira). Please, let me know if I need to report it somewhere else.</P> Wed, 20 Dec 2023 11:45:25 GMT https://community.databricks.com/t5/get-started-discussions/databricks-jdbc-driver-2-6-36-includes-dependencies-in-pom/m-p/55553#M2031 Oleksandr 2023-12-20T11:45:25Z