Starting from Databricks JDBC Driver 2.6.36 we've got Trivy security report with vulnerabilities from pom.properties.
2.6.36 adds org.apache.commons.commons-compress:1.20 and ch.qos.logback.logback-classic:1.2.3.
2.6.34 doesn't include such dependencies.
I'm wondering why we added it. I don't see any transitive dependencies and those jars are not in classpath but META-INF/pom.propetries are still present.
I don't think it's a vulnerability but such pom.propetries should be cleaned up or updated. Not sure why such changes were added to a path version. Also, I see that 2.6.35 is missing, so it might be some problems with the build process