Greetings, apologies upfront if my concern is not too fancy. I am new to Parquet and only got in touch with it when trying column-based OLAP databases like DuckDB or ClickHouse.

Since I need to transport data from Oracle into DuckDB first and found nothing good available, I wrote https://github.com/manticore-projects/JDBCParquetWriter for writing JDBC Result Sets into Parquet files. It uses the latest Hadoop and Parquet versions based on the recommended dependencies:

    dependencies {
        implementation 'org.apache.parquet:parquet-common:+'
        implementation 'org.apache.parquet:parquet-encoding:+'
        implementation 'org.apache.parquet:parquet-column:+'
        implementation 'org.apache.parquet:parquet-hadoop:+'
        implementation 'org.apache.hadoop:hadoop-common:+'
        implementation 'org.apache.hadoop:hadoop-mapreduce-client-core:+'
        implementation 'org.lz4:lz4-java:+'

        testImplementation 'org.junit.jupiter:junit-jupiter:5.+'
        testImplementation 'com.h2database:h2:2.+'
    }

I have already enforced the use of the latest logging frameworks:

    // avoid using old Logging APIs with security issues
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.+'
        force 'org.apache.logging.log4j:log4j-core:2.+'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.+'
        force 'org.apache.logging.log4j:log4j-jul:2.+'
        force 'org.slf4j:slf4j-log4j12:2.+'
    }

However, when deploying to Sonatype I got a long dependency vulnerability report: https://sbom.lift.sonatype.com/report/T1-118f0f57da8c6b3097cc-104267004641fe-1681710055-75fd312f57a548e3be6025749cca537d

    32 threats found.
    Critical: 0% High: 75% Medium: 25% Low: 0%

Now I wonder about the reason, e.g. why is Log4J-1.2.17 still pulled in? And what exactly can I do about it? I really don't like to publish a library which shows 32 threats from dependencies. Where is my mistake please?

Thank you a lot in advance for your time and patience, cheers!
Andreas
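As an added example (not part of the post above or of the JDBCParquetWriter project), the following build.gradle fragment shows the two things a defender would check here: that Gradle's `force` only pins versions of a module already in the graph (`org.apache.logging.log4j:*`) and cannot remove a different module (`log4j:log4j`, the 1.x artifact), so the legacy artifact has to be excluded explicitly; and a guard task that fails the build if log4j 1.x ever resolves again. The configuration name `runtimeClasspath` and the task name `checkNoLog4j1` are assumptions.

```groovy
// build.gradle (Groovy DSL). Added example, not the project's own build file.

configurations.all {
    // `force` cannot drop the legacy module: log4j 1.x lives under a different
    // group:module (log4j:log4j) than log4j2 (org.apache.logging.log4j:*).
    // Exclude it wherever a transitive dependency (e.g. the Hadoop artifacts) requests it.
    exclude group: 'log4j', module: 'log4j'
    // slf4j-log4j12 is the SLF4J binding *to* log4j 1.x; it would re-introduce it.
    exclude group: 'org.slf4j', module: 'slf4j-log4j12'

    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.+'
        force 'org.apache.logging.log4j:log4j-core:2.+'
    }
}

dependencies {
    // Route SLF4J callers (Hadoop, Parquet) into log4j2 instead of the excluded binding.
    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.+'
    // Route code that still calls the log4j 1.x API directly into log4j2,
    // so excluding log4j:log4j does not cause NoClassDefFoundError at runtime.
    runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.+'
}

// Guard task (assumed name): fail the build if any log4j 1.x artifact resolves.
tasks.register('checkNoLog4j1') {
    doLast {
        def legacy = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'log4j' }
        if (!legacy.isEmpty()) {
            throw new GradleException(
                "log4j 1.x still on the runtime classpath: ${legacy*.moduleVersion*.id}")
        }
        println 'OK: no log4j 1.x artifacts on runtimeClasspath'
    }
}
tasks.named('check') { dependsOn 'checkNoLog4j1' }
```

To see which dependency pulls the legacy artifact in before excluding it, run `./gradlew dependencyInsight --configuration runtimeClasspath --dependency log4j:log4j`; the same report after the exclusion should show no matching module.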
