mateusaubin opened a new issue, #1102: URL: https://github.com/apache/arrow-java/issues/1102
### Describe the bug, including details regarding any error messages, version, and platform.

`flight-sql` uses `org.apache.derby:derby:10.15.2.0` in test scope, which is flagged as vulnerable to [CVE-2022-46337](https://nvd.nist.gov/vuln/detail/CVE-2022-46337) — a critical (CVSS 9.8) LDAP authentication bypass.

There is no fix available for this dependency and there never will be. The NVD advisory lists `10.15.2.1` as the fix for the Java 11 branch, but that version was never published to Maven Central. The same is true for `10.14.3.0` and `10.16.1.2`. The only fixed release that exists on Maven Central is `10.17.1.0` (Java 21+), which was also the last release ever made.

On 2025-10-10, the Derby PMC voted to retire the project into a read-only state. Development and bug-fixing have ended and no further releases will be published. This means the 10.15.x branch will remain vulnerable indefinitely with no upstream resolution path.

Context on why the patch versions were never released:

- [DERBY-7147](https://issues.apache.org/jira/browse/DERBY-7147) — fix committed to branches, but no releases were cut for 10.14/10.15/10.16
- [DERBY-7178](https://issues.apache.org/jira/browse/DERBY-7178) — closed as "Not A Problem" by the Derby team

Since Derby is test scope only in `flight-sql`, there is no runtime exposure. However, this causes persistent scanner noise for downstream consumers and the situation will not improve on its own.

Possible paths forward:

- Upgrade to `10.17.1.0` (requires Java 21 as test baseline for `flight-sql`)
- Replace Derby with another embedded DB (e.g. H2) in `flight-sql` tests — likely the cleanest long-term option given Derby's retirement
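The situation described in the issue (an advisory that names fix versions which were never published, with only one real fixed release) is exactly the case where generic scanner output is misleading. Below is an added example, not code from the arrow-java project or from the issue author, that scans a `pom.xml` for `org.apache.derby:derby` coordinates, resolves `${...}` version properties, and reports for each hit whether the version is vulnerable, is one of the advisory-listed but unpublished fixes, or is the published fix `10.17.1.0`, together with whether the dependency scope implies runtime exposure. The sample POM is constructed for the example; the version facts encoded in the constants come from the issue text.

```python
"""Flag org.apache.derby:derby coordinates affected by CVE-2022-46337 in a pom.xml.

Added example (not arrow-java project code). The version facts below are taken
from the issue: NVD lists 10.14.3.0 / 10.15.2.1 / 10.16.1.2 as fixes, but none of
them was ever published to Maven Central; 10.17.1.0 (Java 21+) is the only fixed
release that actually exists.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# The only fix release that was published to Maven Central (per the issue).
PUBLISHED_FIXED = (10, 17, 1, 0)
# Advisory-listed fix versions that were committed but never released.
UNPUBLISHED_FIXES = {"10.14.3.0", "10.15.2.1", "10.16.1.2"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Derby version such as '10.15.2.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def derby_status(version: str) -> str:
    """Classify a Derby version against the CVE-2022-46337 fix situation."""
    if version in UNPUBLISHED_FIXES:
        return "listed as fixed by NVD but never published to Maven Central"
    if parse_version(version) >= PUBLISHED_FIXED:
        return "fixed"
    return "vulnerable to CVE-2022-46337"


def _properties(root: ET.Element) -> Dict[str, str]:
    """Collect <properties> so that ${name} versions can be resolved."""
    props_el = root.find("m:properties", NS)
    if props_el is None:
        return {}
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in props_el}


def _resolve(version: str, props: Dict[str, str]) -> str:
    """Resolve a single ${property} reference; leave anything else untouched."""
    if version.startswith("${") and version.endswith("}"):
        return props.get(version[2:-1], version)
    return version


def scan_pom(pom_xml: str) -> List[dict]:
    """Return one finding per org.apache.derby:derby dependency in the POM."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        if (group, artifact) != ("org.apache.derby", "derby"):
            continue
        version = _resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        findings.append({
            "version": version,
            "scope": scope,
            "status": derby_status(version),
            # Test-scoped dependencies never reach the shipped artifact.
            "runtime_exposure": scope != "test",
        })
    return findings


# Constructed sample POM mirroring the issue's setup: Derby 10.15.2.0 in test scope.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>flight-sql-sample</artifactId>
  <properties>
    <derby.version>10.15.2.0</derby.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derby</artifactId>
      <version>${{derby.version}}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>5.10.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM):
        print(finding)
```

Running the script against the sample reports a single test-scoped `10.15.2.0` finding marked vulnerable with no runtime exposure, which is the distinction a downstream consumer needs when deciding whether the scanner alert warrants anything beyond the upgrade-or-replace options listed above.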
