[FlightSQL JDBC] The driver jar version 18.2.0 includes CVEs related to APR 1.6.5 according to Blackduck

[aiguofer]

Describe the bug, including details regarding any error messages, version, and platform.

We're trying to get the latest driver included in Tableau but they found some CVEs with the latest version of the driver. They use Blackduck to check for CVEs in the jar. It's possible Blackduck is wrong, but wanted to raise here just in case.

Here's the Blackduck findings:

flight-sql-jdbc-driver-18.2.0.jar_20250228-172736.csv

I dug around a little, and it looks like for version 18.2.0 of the driver, we're using netty-tcnative:2.0.69:

❯ git checkout tags/v18.2.0 && mvn dependency:tree | grep tcnative | cut -d: -f5 | sort | uniq
HEAD is now at a5b86049 MINOR: Specify --repo explicitly (#591)
2.0.69.Final
compile
runtime

Based on https://github.com/netty/netty-tcnative/blob/netty-tcnative-parent-2.0.69.Final/docker/Dockerfile.cross_compile_aarch64#L5, this version should already be using APR 1.7.5 so I find this kind of odd.

Maybe someone else has a better understanding of these transitive dependencies and can chime in!

[lidavidm]

This should have bumped it to 2.0.70: #616

So it should be fixed for 18.3.0

[aiguofer]

Thanks! Should I just build off latest main and send them the latest jar to test?

[lidavidm]

Hopefully that should work, yes (though, would they be ok with an in-development build?)

[aiguofer]

Well, I tried that but apparently their tool still gave the same output. Wonder if the issue actually stems from the Windows build for netty-tcnative? looking through that repo I didn't see anything related to Windows builds specifically. Either that, or Blackduck is just picking up some false positive.

Either way, since the CVE is only for the dll and they're running on RHEL, I think we're just going to do:

❯ zip -d flight-sql-jdbc-driver-[version].jar META-INF/native/org_apache_arrow_driver_jdbc_shaded_netty_tcnative_windows_x86_64.dll

Thanks!