Description
Hi team,
The beam-vendor-calcite-1_28_0 contains a bunch of shaded dependencies with major security vulnerabilities. For example,
log4j:1.2.17 and protobuf-java:3.19.2.
Are there any plans to upgrade the vendored calcite?
We are using beam-sdks-java-extensions-sql:2.46.0 and beam-sdks-java-extensions-sql-zetasql:2.46.0 dependencies in our code. We use SqlTransform class which internally references classes from beam-vendor-calcite-1_28_0.
Looks like beam-vendor-calcite is created as fat-jar, and the log4j:1.2.17 is shaded into this beam-vendor-calcite-1_28_0:0.2. So, we cannot exclude log4j:1.2.17 from this vendor jar and we cannot even override it with the latest versions either.
We cannot use any other beam-vendor-calcite version as beam-vendor-calcite-1_28_0:0.2 is the latest version.
We cannot exclude beam-vendor-calcite because internally SqlTransform class references classes from beam-vendor-calcite-1_28_0 such as org.apache.beam.vendor.calcite.v1_28_0.com.google.common.collect.ImmutableList.
And, if we include this vendor jar, it gets flagged vulnerable by our security scan due to shaded log4j:1.2.17.
Hence, it would be really helpful if the log4j:1.2.17 was excluded or replaced with its latest version in beam-vendor-calcite-1_28_0.
Please note that there are more vulnerable dependencies shaded in beam-vendor-calcite-1_28_0, but log4j:1.2.17 is currently the most critical one:
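The reporter's core point is that a shaded library is not a dependency-graph edge: it is a set of class files physically inside another artifact, so Maven/Gradle exclusions and version overrides never touch it. The script below (an added example written for this page, not tooling from Beam, Calcite or the reporter) shows how a defender can confirm such a scanner finding directly from the jar contents. It builds a small constructed jar in memory that mimics the layout described above (un-relocated log4j 1.x classes, Guava relocated under the org.apache.beam.vendor.calcite.v1_28_0 prefix quoted in the issue, and META-INF/maven pom.properties entries) and then scans it. The watched package prefixes and the assumption that the shade step kept pom.properties files are choices made for this example; the real artifact's layout may differ, in which case the class-prefix check still works and the version lookup simply returns nothing.

```python
"""Detect shaded copies of a library inside a fat jar (added example, not Beam code)."""
import io
import re
import sys
import zipfile
from collections import defaultdict

# Package prefixes that indicate a bundled copy of a library. "org/apache/log4j/" is the
# real package of log4j 1.x; the vendor prefix comes from the class name quoted in the
# issue. Extend this map for other libraries you care about.
WATCHED_PREFIXES = {
    "log4j-1.x": "org/apache/log4j/",
    "guava (relocated)": "org/apache/beam/vendor/calcite/v1_28_0/com/google/common/",
}

POM_PROPERTIES = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties")


def build_sample_jar() -> bytes:
    """Constructed fat jar for this example; NOT the real beam-vendor-calcite artifact."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic number is enough for the scan
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("org/apache/log4j/Logger.class", magic)
        z.writestr("org/apache/log4j/PropertyConfigurator.class", magic)
        z.writestr(
            "org/apache/beam/vendor/calcite/v1_28_0/com/google/common/collect/ImmutableList.class",
            magic,
        )
        z.writestr(
            "META-INF/maven/log4j/log4j/pom.properties",
            "#Generated by Maven\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
        )
        z.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
            "version=3.19.2\ngroupId=com.google.protobuf\nartifactId=protobuf-java\n",
        )
    return buf.getvalue()


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def scan_jar(jar_bytes: bytes) -> dict:
    """Scan a jar's entries for watched class prefixes and bundled Maven coordinates.

    Returns {"classes": {label: class_count}, "bundled_artifacts": {"group:artifact": version}}.
    A non-zero class count means the library is inside this jar and cannot be
    excluded or overridden through the dependency graph.
    """
    class_hits = defaultdict(int)
    artifacts = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                for label, prefix in WATCHED_PREFIXES.items():
                    if name.startswith(prefix):
                        class_hits[label] += 1
            m = POM_PROPERTIES.fullmatch(name)
            if m:
                props = parse_properties(z.read(name).decode("utf-8", errors="replace"))
                artifacts[f"{m.group(1)}:{m.group(2)}"] = props.get("version", "unknown")
    return {"classes": dict(class_hits), "bundled_artifacts": artifacts}


if __name__ == "__main__":
    # Usage: python scan.py [path/to/fat.jar]; with no argument the constructed jar is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    report = scan_jar(data)
    for label, count in sorted(report["classes"].items()):
        print(f"bundled classes: {label}: {count}")
    for coord, version in sorted(report["bundled_artifacts"].items()):
        print(f"bundled artifact: {coord}:{version}")
```

The class-prefix count is the authoritative signal: pom.properties files are convenient for naming the version but are optional metadata that a shade step may strip, whereas the class files are what actually ships and what a scanner fingerprints. Running this against the vendored jar gives a concrete inventory to attach to a report like this one and a way to verify later that an upgraded vendor artifact really no longer carries the old classes.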