aiguofer opened a new issue, #647: URL: https://github.com/apache/arrow-java/issues/647
### Describe the bug, including details regarding any error messages, version, and platform.

We're trying to get the latest driver included in Tableau but they found some CVEs with the latest version of the driver. They use Blackduck to check for CVEs in the jar. It's possible Blackduck is wrong, but wanted to raise here just in case.

Here's the Blackduck findings: [flight-sql-jdbc-driver-18.2.0.jar_20250228-172736.csv](https://github.com/user-attachments/files/19059422/flight-sql-jdbc-driver-18.2.0.jar_20250228-172736.csv)

I dug around a little, and it looks like for version `18.2.0` of the driver, we're using `netty-tcnative:2.0.69`:

```
❯ git checkout tags/v18.2.0 && mvn dependency:tree | grep tcnative | cut -d: -f5 | sort | uniq
HEAD is now at a5b86049 MINOR: Specify --repo explicitly (#591)
2.0.69.Final
compile
runtime
```

Based on https://github.com/netty/netty-tcnative/blob/ee7c8610ce8b8ad1c277a7644f9bc77c3e407f97/docker/Dockerfile.cross_compile_aarch64#L5, this version should already be using APR 1.7.5 so I find this kind of odd.

Maybe someone else has a better understanding of these transitive dependencies and can chime in!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@arrow.apache.org.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
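An added example, not part of the original issue or of the Arrow project: the `cut -d: -f5` pipeline above prints scopes alongside the version because Maven coordinates have five fields without a classifier (`group:artifact:type:version:scope`) and six with one. The sketch below parses both shapes so each `netty-tcnative` artifact can be matched against a scanner finding; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `mvn dependency:tree` output (not copied from the
# arrow-java build); it mixes coordinates with and without a classifier.
sample_tree() {
cat <<'EOF'
[INFO] +- io.netty:netty-tcnative-classes:jar:2.0.69.Final:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.69.Final:runtime
[INFO] |  \- io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.69.Final:runtime
[INFO] +- io.netty:netty-tcnative-classes:jar:2.0.69.Final:compile
EOF
}

# Reads dependency:tree output on stdin and prints one line per distinct
# tcnative artifact: "artifactId classifier version scope" ("-" = no classifier).
tcnative_coords() {
  awk -F: '
    {
      # Drop the "[INFO]" tag and tree-drawing characters before the groupId;
      # assigning to $0 makes awk re-split the fields on ":".
      sub(/^\[INFO\][^A-Za-z]*/, "")
    }
    $2 ~ /tcnative/ {
      if (NF == 5)      { cls = "-"; ver = $4; scope = $5 }
      else if (NF == 6) { cls = $4;  ver = $5; scope = $6 }
      else next          # unexpected shape: skip rather than guess
      print $2, cls, ver, scope
    }' | sort -u
}

# Prints only the distinct tcnative versions, one per line.
tcnative_versions() {
  tcnative_coords | awk '{ print $3 }' | sort -u
}

# Demo on the constructed sample; against a real checkout use:
#   mvn dependency:tree | tcnative_coords
sample_tree | tcnative_coords
```

More than one line from `tcnative_versions` would mean several versions are being resolved, which is worth ruling out before comparing the bundled native library against the scanner's report.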