OlgaGorlova opened a new issue, #26403:
URL: https://github.com/apache/beam/issues/26403

### What would you like to happen?

Hi team,

The beam-vendor-calcite-1_28_0 contains a bunch of shaded dependencies with major security vulnerabilities. For example, [log4j:1.2.17](https://mvnrepository.com/artifact/log4j/log4j/1.2.17) and [protobuf-java:3.19.2](https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.19.2).

Are there any plans to upgrade the vendored calcite?

We are using [beam-sdks-java-extensions-sql:2.46.0](https://mvnrepository.com/artifact/org.apache.beam/beam-sdks-java-extensions-sql/2.46.0) and [beam-sdks-java-extensions-sql-zetasql:2.46.0](https://mvnrepository.com/artifact/org.apache.beam/beam-sdks-java-extensions-sql-zetasql/2.46.0) dependencies in our code. We use the [SqlTransform](https://github.com/apache/beam/blob/db8db0b6ed0fe1e4891f207f0f7f811798e54db1/sdks/java/extensions/sql/src/main/java/org/apache/beam/sdk/extensions/sql/SqlTransform.java) class, which internally references classes from beam-vendor-calcite-1_28_0.

Looks like beam-vendor-calcite is created as a fat jar, and log4j:1.2.17 is shaded into beam-vendor-calcite-1_28_0:0.2. So, we cannot exclude log4j:1.2.17 from this vendor jar, and we cannot override it with the latest version either.
We cannot use any other beam-vendor-calcite version, as beam-vendor-calcite-1_28_0:0.2 is the latest version.
We cannot exclude beam-vendor-calcite because internally the SqlTransform class references classes from beam-vendor-calcite-1_28_0 such as [org.apache.beam.vendor.calcite.v1_28_0.com.google.common.collect.ImmutableList](https://github.com/apache/beam/blob/db8db0b6ed0fe1e4891f207f0f7f811798e54db1/sdks/java/extensions/sql/src/main/java/org/apache/beam/sdk/extensions/sql/SqlTransform.java#L48).

And, if we include this vendor jar, it gets flagged as vulnerable by our security scan due to the shaded log4j:1.2.17.
Hence, it would be really helpful if log4j:1.2.17 were excluded or replaced with its latest version in beam-vendor-calcite-1_28_0.

Please note that there are more vulnerable dependencies shaded in beam-vendor-calcite-1_28_0, but log4j:1.2.17 is currently the most critical one:

- [com.google.protobuf:protobuf-java:3.19.2](https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.19.2)
- [com.google.protobuf:protobuf-java-util:3.19.2](https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java-util/3.19.2)
- [net.minidev:json-smart:2.3](https://mvnrepository.com/artifact/net.minidev/json-smart/2.3)
- [org.yaml:snakeyaml:1.24](https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.24)
- [commons-io:commons-io:2.4](https://mvnrepository.com/artifact/commons-io/commons-io/2.4)
- [com.fasterxml.jackson.core:jackson-databind:2.10.0](https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.10.0)
- [com.google.code.gson:gson:2.8.6](https://mvnrepository.com/artifact/com.google.code.gson/gson/2.8.6)

### Issue Priority

Priority: 3 (nice-to-have improvement)

### Issue Components

- [ ] Component: Python SDK
- [X] Component: Java SDK
- [ ] Component: Go SDK
- [ ] Component: Typescript SDK
- [ ] Component: IO connector
- [ ] Component: Beam examples
- [ ] Component: Beam playground
- [ ] Component: Beam katas
- [ ] Component: Website
- [ ] Component: Spark Runner
- [ ] Component: Flink Runner
- [ ] Component: Samza Runner
- [ ] Component: Twister2 Runner
- [ ] Component: Hazelcast Jet Runner
- [ ] Component: Google Cloud Dataflow Runner
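The exclusion problem the issue describes (a library relocated inside a vendor fat jar is invisible to Maven/Gradle exclusions, so only the archive itself shows what was shaded) can be checked directly against the jar entries. The following is an added example, not code from the issue or from the Beam project; the watched package list and the sample jar it builds are constructed for illustration, and version lookup assumes the shade plugin kept the shaded artifacts' pom.properties files.

```python
# Shaded copies of a library live under a relocation prefix inside the fat jar,
# so build-tool exclusions never see them; inspect the archive entries directly.
import io
import re
import zipfile

# Package roots to look for (constructed list; extend it for your own scans).
WATCHED = {
    "log4j": "org/apache/log4j/",
    "protobuf-java": "com/google/protobuf/",
    "snakeyaml": "org/yaml/snakeyaml/",
}
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def find_shaded(jar_bytes):
    """Map label -> relocation prefixes its classes sit under ("" = unrelocated)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            for label, pkg in WATCHED.items():
                idx = name.find(pkg)
                if idx != -1:
                    found.setdefault(label, set()).add(name[:idx])
    return found

def shaded_versions(jar_bytes):
    """Map (groupId, artifactId) -> version from pom.properties the shade plugin kept."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if m:
                text = jar.read(name).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                versions[(m.group(1), m.group(2))] = props.get("version", "?").strip()
    return versions

def build_sample_jar():
    """Constructed stand-in for a vendored fat jar (not the real Beam artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        vendor = "org/apache/beam/vendor/calcite/v1_28_0/"
        jar.writestr(vendor + "org/apache/log4j/Logger.class", b"")
        jar.writestr(vendor + "com/google/protobuf/CodedInputStream.class", b"")
        jar.writestr("META-INF/maven/log4j/log4j/pom.properties",
                     b"#shaded\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
    return buf.getvalue()
```

Run it against a real vendor jar by passing the file's bytes instead of the constructed sample; a non-empty result from `find_shaded` is what a scanner reacts to, and a missing pom.properties entry means the version has to be established from the class contents instead.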


-- 
This is an automated message from the Apache Git Service.