apache 的替代方案 hive-jdbc jar

Question

I am using apache hive-jdbc ( https://mvnrepository.com/artifact/org.apache.hive/hive-jdbc ) jar in my application.

And I am seeing many vulnerabilities in this when run a Snyk tool scan.

I am already using the latest version of hive-jdbc (3.1.2) and so no option upgrade it to get rid of vulnerabilities.

This version 3.1.2 was released in 2019 Aug so it has many internal dependencies which are quite old and have vulnerabilities.

So I am looking for any alternative jar in maven repo so I can get rid of these vulnerabilities.

Any suggestion would be appreciated.

Thanks Mahendra

Answer 1

Requests to find resources are off-topic, so I'm not addressing that.

^{(Though I suspect that if your searches in Maven Central didn't find a better published version of the JAR then one won't exist... yet.)}

Any suggestion would be appreciated.

My suggestions are:

1. Raise an issue in the Apache Hive project's issue tracker to release a new version with the insecure dependencies updated.

2. Download the relevant component(s) from the source repo, update the dependencies in the POM(s), and build locally. Then use your build of the components in your project.

3. Add explicit dependencies to your POM for the secure versions of the transitive dependencies. If I understand things correctly, this will override the transitively discovered versions with the versions that you specified.

   You should be able to confirm that this has worked by checking which JAR file versions are packaged into your WAR file by the Maven build.

#1 should result in a long term solution. #2 and #3 are short-term workarounds... until the Apache Hive team publish the a version with updated dependencies.