Fix CVEs and add owasp security check (#789)

* Fix CVEs and add owasp security check

* Add vulnerability scan every week on the repository

* run vulnerability scan during validate phase only

* remove phase

* Address comments

Author: samikshya-db

.github/workflows/vulnerabilityCatcher.yml

@@ -0,0 +1,67 @@
+name: Weekly Security Scan
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'  # Run every Sunday at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: main  # Explicitly check out main branch
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Run OWASP Dependency Check
+        run: mvn org.owasp:dependency-check-maven:check
+
+      - name: Check for vulnerabilities
+        id: check_vulnerabilities
+        run: |
+          if grep -q "CVSS score >= 7" target/dependency-check-report.html; then
+            echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
+            echo "Critical or high vulnerabilities found (CVSS score >= 7)"
+            # Generate a simple HTML report for email
+            echo "<!DOCTYPE html><html><head><title>JDBC Driver Security Scan Results</title></head><body>" > security-scan-report.html
+            echo "<h1>Security Vulnerabilities Found</h1>" >> security-scan-report.html
+            echo "<p>Critical or high vulnerabilities (CVSS score >= 7) were found in the weekly scan of the JDBC driver.</p>" >> security-scan-report.html
+            echo "<p>Please check the full report in the GitHub Actions artifacts: <a href='https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'>View Artifacts</a></p>" >> security-scan-report.html
+            echo "</body></html>" >> security-scan-report.html
+            exit 1
+          else
+            echo "has_vulnerabilities=false" >> $GITHUB_OUTPUT
+            echo "No critical or high vulnerabilities found"
+          fi
+
+      - name: Send Email
+        if: steps.check_vulnerabilities.outputs.has_vulnerabilities == 'true'
+        uses: dawidd6/action-send-mail@v3
+        with:
+          server_address: smtp.gmail.com
+          server_port: 465
+          username: ${{ secrets.SMTP_USERNAME }}
+          password: ${{ secrets.SMTP_PASSWORD }}
+          subject: OSS JDBC Driver Security Scan - 🚨 Vulnerabilities Found
+          html_body: file://security-scan-report.html
+          to: ${{ secrets.EMAIL_RECIPIENTS }}
+          from: JDBC Security Scanner
+          content_type: text/html
+
+      - name: Upload Report as Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-scan-reports
+          path: |
+            target/dependency-check-report.html
+            target/dependency-check-report.json
+            security-scan-report.html

pom.xml

@@ -44,7 +44,7 @@
     <maven.compiler.source>11</maven.compiler.source>
     <maven.compiler.target>11</maven.compiler.target>
     <mockito.version>5.2.0</mockito.version>
-    <jackson.version>2.15.1</jackson.version>
+    <jackson.version>2.18.3</jackson.version>
     <log4j.version>2.22.1</log4j.version>
     <slf4j.version>2.0.13</slf4j.version>
     <google.guava.version>33.0.0-jre</google.guava.version>
@@ -54,7 +54,7 @@
     <httpclient.version>4.5.14</httpclient.version>
     <commons-configuration.version>2.10.1</commons-configuration.version>
     <commons-io.version>2.14.0</commons-io.version>
-    <databricks-sdk.version>0.43.0</databricks-sdk.version>
+    <databricks-sdk.version>0.44.0</databricks-sdk.version>
     <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
     <sql-logic-test.version>0.3</sql-logic-test.version>
     <lz4-compression.version>1.8.0</lz4-compression.version>
@@ -66,6 +66,8 @@
     <nimbusjose.version>9.40</nimbusjose.version>
     <bouncycastle.version>1.78.1</bouncycastle.version>
     <async-httpclient.version>5.3.1</async-httpclient.version>
+    <netty.version>4.2.0.Final</netty.version>
+    <grpc.version>1.71.0</grpc.version>
   </properties>
   <dependencies>
     <dependency>
@@ -211,6 +213,24 @@
       <artifactId>lz4-java</artifactId>
       <version>${lz4-compression.version}</version>
     </dependency>
+    <!-- The following dependency is added as a workaround to CVE-2023-33953-->
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-context</artifactId>
+      <version>${grpc.version}</version>
+    </dependency>
+    <!-- The following dependency is added as a workaround to CVE-2025-25193-->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-common</artifactId>
+      <version>${netty.version}</version>
+    </dependency>
+    <!-- The following dependency is added as a workaround to CVE-2024-49194-->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-buffer</artifactId>
+      <version>${netty.version}</version>
+    </dependency>
     <dependency>
       <groupId>jakarta.annotation</groupId>
       <artifactId>jakarta.annotation-api</artifactId>
@@ -337,6 +357,29 @@
           </annotationProcessorPaths>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>12.1.1</version>
+        <configuration>
+          <formats>
+            <format>HTML</format>
+            <format>JSON</format>
+          </formats>
+            <!--
+              Setting threshold to 7.0 to catch both Critical (8.0-10.0) and High (7.0-7.9) severity vulnerabilities.
+              This helps us identify and address significant security risks early in the development process.
+           -->
+          <failBuildOnCVSS>7</failBuildOnCVSS>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>