SNOW-985458: Netty Vulnerability in Snowflake JDBC dependency.

[pradeeptchakraborty]

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

1. What version of JDBC driver are you using?
   3.14.3

2. What operating system and processor architecture are you using?
   linux

3. What version of Java are you using?
   1.8

4. What did you do?

vulnerability detected for netty verion 4.1.97 which is internally coming with jdbc dependency

7. What did you expect to see?

   to upgrade to vulnerability less netty version and publish the new snowflake jdbc maven dependency.

8. Can you set logging to DEBUG and collect the logs?

   N/A

9. What is your Snowflake account identifier, if any? (Optional)

[sfc-gh-dszmolka]

hi and thank you for submitting this issue. I see that in 3.14.3 of the driver, we use 4.1.100.Final from netty

     <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.100.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

and also this version 4.1.100.Final seems to be picked up by mvn:

snowflake-jdbc# mvn dependency:tree 2>&1 | grep io.netty
[INFO] +- io.netty:netty-common:jar:4.1.100.Final:runtime
[INFO] +- io.netty:netty-buffer:jar:4.1.100.Final:runtime

so not really sure where the 4.1.97.Final is coming from in your environment. Can you please add more details on how you see this older version of the dependency in Snowflake JDBC driver 3.14.3 ? Thank you in advance !

[sfc-gh-dszmolka]

closing this issue for now due to lack of response.

If there's any evidence on the vulnerability and if 4.1.97.Final netty is really coming from snowflake-jdbc-3.14.3, please share it and we can pick this up again.