chore(java): arrow 18.3.0 #2421
Conversation
arrow 15.0.0 is marked as vulnerable to CVE-2024-52338 Despite this CVE only affecting the R implementation, the CPE is not scoped to R so Java checkers will report as vulnerable: ``` 13:25:42 [ERROR] One or more dependencies were identified with vulnerabilities: 13:25:42 [ERROR] arrow-memory-core-15.0.0.jar (pkg:maven/org.apache.arrow/[email protected], cpe:2.3:a:apache:arrow:15.0.0:*:*:*:*:*:*:*): CVE-2024-52338(9.8) ``` while this is really a problem with the CPE, not fory, the easiest fix by far is to simply update arrow
stevenschlansker
added
the
dependencies
|
Well, this did not work as well as I had hoped, it seems Arrow has ended support for Java 8: |
|
I guess we cannot upgrade Arrow anymore. No new bugfixes and no new features, to stay on ancient and unsupported Java 8 😞 |
|
we could make |
|
That would be nice, but I worry it would complicated the build and release process and ci pipelines a fair bit... |
|
Maven support use different java version for different module:: <build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.10.1</version>
<configuration>
<release>${maven.compiler.release}</release>
</configuration>
</plugin>
</plugins>
</build>
but it needs an extra toolchains.xml file to specify different jdk install location. I can configure all modules to java 11 to skip this, but when running on ci and making release, we use a scipt to automatically switched to use this "polyglot" Maven builds. This won't introduce too much burden to users and contributors I think we can do it after #2406 is merged |
|
Sounds good to me, thank you for considering this. |
arrow 15.0.0 is marked as vulnerable to CVE-2024-52338 Despite this CVE only affecting the R implementation, the CPE is not scoped to R so Java checkers will report as vulnerable:
while this is really a problem with the CPE, the easiest fix by far is to simply update arrow