cancel
Showing results for 
Search instead for 
Did you mean: 
Get Started Discussions
Start your journey with Databricks by joining discussions on getting started guides, tutorials, and introductory topics. Connect with beginners and experts alike to kickstart your Databricks experience.
cancel
Showing results for 
Search instead for 
Did you mean: 

Vulnerabilities for com.databricks:databricks-jdbc:3.4.1 jar

psjava31955
Visitor
We are reporting two groups of Snyk-identified security vulnerabilities in com.databricks:databricks-jdbc:3.4.1 caused by shaded/embedded dependencies that cannot be remediated by consumers through standard dependency management overrides.

Why We Cannot Remediate This on Our Side

The Databricks JDBC driver is a shaded JAR — the vulnerable artifacts (jackson-databind, httpcore5-h2) are bundled inside the driver under relocated package namespaces. Standard Gradle/Maven remediation techniques are ineffective:

ext['jackson-bom.version'] and ext['httpcore5.version'] BOM overrides only affect unshaded transitive dependencies on the classpath — they do not reach bytecode already embedded in the driver JAR.
resolutionStrategy.eachDependency and dependencyManagement constraints similarly have no effect on shaded artifacts.
Snyk continues to flag the vulnerabilities against the shaded copies even after all available overrides are applied.
Please upgrade the following in an upcoming patch release of databricks-jdbc:

com.fasterxml.jackson.core:jackson-databind → 2.21.5+
org.apache.httpcomponents.core5:httpcore5-h2 → 5.4.2+
This will allow enterprise teams operating under strict security scanning policies (Snyk) to remain compliant without being blocked on driver upgrades.

We are currently running Spring Boot 3.5.15 with aggressive Snyk remediation in place for all other transitive dependencies. The JDBC driver is the sole remaining source of these vulnerability flags. We would also welcome any workaround guidance if a patch release is not immediately feasible.

Thank you for your attention to this.
0 REPLIES 0