<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Vulnerabilities for com.databricks:databricks-jdbc:3.4.1 jar in Get Started Discussions</title>
    <link>https://community.databricks.com/t5/get-started-discussions/vulnerabilities-for-com-databricks-databricks-jdbc-3-4-1-jar/m-p/162831#M11906</link>
    <description>&lt;DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;We are reporting two groups of Snyk-identified security vulnerabilities in&amp;nbsp;com.databricks:databricks-jdbc:3.4.1&amp;nbsp;caused by&amp;nbsp;shaded/embedded dependencies&amp;nbsp;that cannot be remediated by consumers through standard dependency management overrides.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;Why We Cannot Remediate This on Our Side&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;The Databricks JDBC driver is a&amp;nbsp;shaded JAR&amp;nbsp;— the vulnerable artifacts (jackson-databind,&amp;nbsp;httpcore5-h2) are bundled inside the driver under relocated package namespaces. Standard Gradle/Maven remediation techniques are ineffective:&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;ext&lt;/SPAN&gt;&lt;SPAN&gt;[&lt;/SPAN&gt;&lt;SPAN&gt;'jackson-bom.version'&lt;/SPAN&gt;&lt;SPAN&gt;]&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;and&amp;nbsp;ext&lt;/SPAN&gt;&lt;SPAN&gt;[&lt;/SPAN&gt;&lt;SPAN&gt;'httpcore5.version'&lt;/SPAN&gt;&lt;SPAN&gt;]&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;BOM overrides only affect unshaded transitive dependencies on the classpath — they do not reach bytecode already embedded in the driver JAR.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;resolutionStrategy.eachDependency&amp;nbsp;and&amp;nbsp;dependencyManagement&amp;nbsp;constraints similarly have no effect on shaded artifacts.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Snyk continues to flag the vulnerabilities against the shaded copies even after all available overrides are applied.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Please upgrade the following in an upcoming patch release of&amp;nbsp;databricks-jdbc:&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;com.fasterxml.jackson.core:jackson-databind&amp;nbsp;→&amp;nbsp;2.21.5+&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;org.apache.httpcomponents.core5:httpcore5-h2&amp;nbsp;→&amp;nbsp;5.4.2+&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;This will allow enterprise teams operating under strict security scanning policies (Snyk) to remain compliant without being blocked on driver upgrades.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;We are currently running Spring Boot&amp;nbsp;3.5.15&amp;nbsp;with aggressive Snyk remediation in place for all other transitive dependencies. The JDBC driver is the sole remaining source of these vulnerability flags. We would also welcome any workaround guidance if a patch release is not immediately feasible.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;Thank you for your attention to this.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
    <pubDate>Mon, 13 Jul 2026 15:03:56 GMT</pubDate>
    <dc:creator>psjava31955</dc:creator>
    <dc:date>2026-07-13T15:03:56Z</dc:date>
    <item>
      <title>Vulnerabilities for com.databricks:databricks-jdbc:3.4.1 jar</title>
      <link>https://community.databricks.com/t5/get-started-discussions/vulnerabilities-for-com-databricks-databricks-jdbc-3-4-1-jar/m-p/162831#M11906</link>
      <description>&lt;DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;We are reporting two groups of Snyk-identified security vulnerabilities in&amp;nbsp;com.databricks:databricks-jdbc:3.4.1&amp;nbsp;caused by&amp;nbsp;shaded/embedded dependencies&amp;nbsp;that cannot be remediated by consumers through standard dependency management overrides.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;Why We Cannot Remediate This on Our Side&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;The Databricks JDBC driver is a&amp;nbsp;shaded JAR&amp;nbsp;— the vulnerable artifacts (jackson-databind,&amp;nbsp;httpcore5-h2) are bundled inside the driver under relocated package namespaces. Standard Gradle/Maven remediation techniques are ineffective:&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;ext&lt;/SPAN&gt;&lt;SPAN&gt;[&lt;/SPAN&gt;&lt;SPAN&gt;'jackson-bom.version'&lt;/SPAN&gt;&lt;SPAN&gt;]&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;and&amp;nbsp;ext&lt;/SPAN&gt;&lt;SPAN&gt;[&lt;/SPAN&gt;&lt;SPAN&gt;'httpcore5.version'&lt;/SPAN&gt;&lt;SPAN&gt;]&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;BOM overrides only affect unshaded transitive dependencies on the classpath — they do not reach bytecode already embedded in the driver JAR.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;resolutionStrategy.eachDependency&amp;nbsp;and&amp;nbsp;dependencyManagement&amp;nbsp;constraints similarly have no effect on shaded artifacts.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Snyk continues to flag the vulnerabilities against the shaded copies even after all available overrides are applied.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Please upgrade the following in an upcoming patch release of&amp;nbsp;databricks-jdbc:&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;com.fasterxml.jackson.core:jackson-databind&amp;nbsp;→&amp;nbsp;2.21.5+&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;org.apache.httpcomponents.core5:httpcore5-h2&amp;nbsp;→&amp;nbsp;5.4.2+&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;This will allow enterprise teams operating under strict security scanning policies (Snyk) to remain compliant without being blocked on driver upgrades.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;We are currently running Spring Boot&amp;nbsp;3.5.15&amp;nbsp;with aggressive Snyk remediation in place for all other transitive dependencies. The JDBC driver is the sole remaining source of these vulnerability flags. We would also welcome any workaround guidance if a patch release is not immediately feasible.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;Thank you for your attention to this.&lt;/SPAN&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Mon, 13 Jul 2026 15:03:56 GMT</pubDate>
      <guid>https://community.databricks.com/t5/get-started-discussions/vulnerabilities-for-com-databricks-databricks-jdbc-3-4-1-jar/m-p/162831#M11906</guid>
      <dc:creator>psjava31955</dc:creator>
      <dc:date>2026-07-13T15:03:56Z</dc:date>
    </item>
  </channel>
</rss>

