apache · abhishekagarwal87 · Jun 24, 2023 · Jun 16, 2023 · Jun 16, 2023 · Jun 19, 2023
diff --git a/...re/avro-extensions/src/main/java/org/apache/druid/data/input/avro/AvroFlattenerMaker.java b/...re/avro-extensions/src/main/java/org/apache/druid/data/input/avro/AvroFlattenerMaker.java
@@ -141,7 +141,11 @@ public Set<String> discoverRootFields(final GenericRecord obj)
   @Override
   public Object getRootField(final GenericRecord record, final String key)
   {
-    return transformValue(record.get(key));
+    if (record.getSchema().getField(key) != null) {
+      return transformValue(record.get(key));
+    } else {
+      return null;
+    }
   }
 
   @Override

diff --git a/...vro-extensions/src/test/java/org/apache/druid/data/input/avro/AvroFlattenerMakerTest.java b/...vro-extensions/src/test/java/org/apache/druid/data/input/avro/AvroFlattenerMakerTest.java
@@ -349,6 +349,10 @@ private void getRootField_common(final SomeAvroDatum record, final AvroFlattener
         list,
         flattener.getRootField(record, "someRecordArray")
     );
+    Assert.assertEquals(
+        null,
+        flattener.getRootField(record, "invalidField")
+    );
   }
 
   private void makeJsonPathExtractor_common(final SomeAvroDatum record, final AvroFlattenerMaker flattener)

diff --git a/licenses.yaml b/licenses.yaml
@@ -3634,7 +3634,7 @@ libraries:
 ---
 
 name: Apache Velocity Engine
-version: 2.2
+version: 2.3
 license_category: binary
 module: extensions/druid-avro-extensions
 license_name: Apache License version 2.0
@@ -3652,7 +3652,7 @@ name: Apache Avro
 license_category: binary
 module: extensions/druid-avro-extensions
 license_name: Apache License version 2.0
-version: 1.9.2
+version: 1.11.1
 libraries:
   - org.apache.avro: avro
   - org.apache.avro: avro-mapred

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -472,14 +472,6 @@
     <cve>CVE-2020-13949</cve>
   </suppress>
 
-  <suppress>
-    <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
-    <notes><![CDATA[
-     file name: velocity-engine-core-2.2.jar:
-     ]]></notes>
-    <cve>CVE-2020-13936</cve>
-  </suppress>
-
   <suppress>
      <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
      <notes><![CDATA[

diff --git a/pom.xml b/pom.xml
@@ -81,7 +81,7 @@
         <apache.ranger.gson.version>2.2.4</apache.ranger.gson.version>
         <scala.library.version>2.13.9</scala.library.version>
         <avatica.version>1.17.0</avatica.version>
-        <avro.version>1.9.2</avro.version>
+        <avro.version>1.11.1</avro.version>
         <!-- sql/src/main/codegen/config.fmpp is based on a file from calcite-core, and needs to be
           updated when upgrading Calcite. Refer to the top-level comments in that file for details.
           Also, CalcitePlanner is a clone of Calcite's PlannerImpl and may require updates when