cancel
Showing results for 
Search instead for 
Did you mean: 
Get Started Discussions
Start your journey with Databricks by joining discussions on getting started guides, tutorials, and introductory topics. Connect with beginners and experts alike to kickstart your Databricks experience.
cancel
Showing results for 
Search instead for 
Did you mean: 

Databricks JDBC Driver 2.6.36 includes dependencies in pom.properties with vulnerabilities

Oleksandr
New Contributor II

Starting from Databricks JDBC Driver 2.6.36 we've got Trivy security report with vulnerabilities from pom.properties.


2.6.36 adds org.apache.commons.commons-compress:1.20 and ch.qos.logback.logback-classic:1.2.3.
2.6.34 doesn't include such dependencies.
I'm wondering why we added it. I don't see any transitive dependencies and those jars are not in classpath but META-INF/pom.propetries are still present.

I don't think it's a vulnerability but such pom.propetries should be cleaned up or updated. Not sure why such changes were added to a path version. Also, I see that 2.6.35 is missing, so it might be some problems with the build process

1 REPLY 1

Oleksandr
New Contributor II

I didn't find where to open an issue (GitHub or Jira). Please, let me know if I need to report it somewhere else.

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group