databricks / databricks-sdk-java

Databricks SDK for Java
https://docs.databricks.com/dev-tools/sdk-java.html
Apache License 2.0

[ISSUE] Security vulnerabilities in databricks-jdbc (multiple) #240

Closed jfurmankiewiczpros closed 8 months ago

jfurmankiewiczpros commented 8 months ago

Description

databricks-jdbc is failing the OWASP scan due to multiple CVEs, here is the latest one

commons-compress-1.22.jar (pkg:maven/org.apache.commons/commons-compress@1.22, cpe:2.3:a:apache:commons_compress:1.22:::::::) : CVE-2023-42503, CVE-2024-25710, CVE-2024-26308
databricks-jdbc-2.6.36.jar/META-INF/maven/Spark/SparkJDBC42/pom.xml (pkg:maven/Spark/SparkJDBC42@2.6.36.1062, cpe:2.3:a:apache:spark:2.6.36.1062:::::::) : CVE-2023-22946, CVE-2018-17190, CVE-2022-33891, CVE-2023-32007, CVE-2018-11804, CVE-2021-38296, CVE-2022-31777, CVE-2018-11770
databricks-jdbc-2.6.36.jar/META-INF/maven/ch.qos.logback/logback-classic/pom.xml (pkg:maven/ch.qos.logback/logback-classic@1.2.3, cpe:2.3:a:qos:logback:1.2.3:::::::) : CVE-2023-6378, CVE-2021-42550
databricks-jdbc-2.6.36.jar/META-INF/maven/ch.qos.logback/logback-core/pom.xml (pkg:maven/ch.qos.logback/logback-core@1.2.3, cpe:2.3:a:qos:logback:1.2.3:::::::) : CVE-2023-6378, CVE-2021-42550
databricks-jdbc-2.6.36.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@30.1.1-jre, cpe:2.3:a:google:guava:30.1.1:::::::) : CVE-2023-2976, CVE-2020-8908
databricks-jdbc-2.6.36.jar/META-INF/maven/io.netty/netty-buffer/pom.xml (pkg:maven/io.netty/netty-buffer@4.1.86.Final, cpe:2.3:a:netty:netty:4.1.86:::::::) : CVE-2023-44487, CVE-2023-34462
databricks-jdbc-2.6.36.jar/META-INF/maven/io.netty/netty-common/pom.xml (pkg:maven/io.netty/netty-common@4.1.86.Final, cpe:2.3:a:netty:netty:4.1.86:::::::) : CVE-2023-44487, CVE-2023-34462
databricks-jdbc-2.6.36.jar/META-INF/maven/org.apache.commons/commons-compress/pom.xml (pkg:maven/org.apache.commons/commons-compress@1.20, cpe:2.3:a:apache:commons_compress:1.20:::::::) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710

See the dependency-check report for more details.

Reproduction

Run OWASP scan plugin (Gradle or Maven) against dependencies in the shaded JAR

Expected behavior

There should be no CVEs. Please release a new SDK version with all CVEs addressed.
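The report above flags libraries that live inside the shaded JAR, which the scanner recognises from the META-INF/maven/<group>/<artifact>/ descriptors the shade plugin copies in. The following script is an added example, not part of this issue or of either Databricks project; it inventories those embedded descriptors from a constructed sample JAR and prints one pkg:maven purl per bundled library, the same coordinate form the report uses. It assumes the descriptors are pom.properties files (dependency-check also reads pom.xml; parsing that, with parent inheritance, is left out here).

```python
import io
import zipfile

# The Maven shade plugin copies each bundled library's pom.properties here;
# dependency-check uses these descriptors to identify what a fat JAR contains.
MAVEN_PREFIX = "META-INF/maven/"


def parse_pom_properties(text: str) -> dict[str, str]:
    """Parse key=value lines of a pom.properties file, ignoring comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bundled_purls(jar_bytes: bytes) -> list[str]:
    """Return sorted pkg:maven purls for every library embedded in the JAR."""
    purls = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties")):
                continue
            props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
            if all(k in props for k in ("groupId", "artifactId", "version")):
                purls.add(f"pkg:maven/{props['groupId']}/{props['artifactId']}@{props['version']}")
    return sorted(purls)


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny 'shaded' JAR embedding two pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.properties",
                     "#Generated by Maven\nversion=1.2.3\ngroupId=ch.qos.logback\nartifactId=logback-core\n")
        jar.writestr("META-INF/maven/org.apache.commons/commons-compress/pom.properties",
                     "version=1.20\ngroupId=org.apache.commons\nartifactId=commons-compress\n")
        jar.writestr("com/example/Shaded.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    for purl in bundled_purls(build_sample_jar()):
        print(purl)
```

Point the same function at a real driver JAR (read its bytes from disk) to get the list of coordinates to look up before the scanner does.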

jfurmankiewiczpros commented 8 months ago

dependency-check-report.zip

mgyucht commented 8 months ago

@jfurmankiewiczpros Thank you for reporting this. Note that the JDBC driver and the SDK are two different projects. These dependencies belong to the JDBC driver, not this SDK. The only dependency in common is Google Guava, where the SDK uses version 32 which includes the fix for this issue.

I will forward this to my colleagues who work on the JDBC driver.

samikshya-db commented 8 months ago

FYI : This is on Simba JDBC

mgyucht commented 8 months ago

@jfurmankiewiczpros As this doesn't pertain to the Java SDK, I will close this ticket here.

jfurmankiewiczpros commented 8 months ago

Can you tell me which project that is, so I can create the issue there? It's been unhandled for months as of now, thanks.

gopalldb commented 8 months ago

Created a bug (PECO-1487) and assigned to PECO team.

jfurmankiewiczpros commented 8 months ago

Thank you