Thomas Cooper created FLINK-36830:
-------------------------------------

             Summary: Override json-path version used by Calcite Bridge
                 Key: FLINK-36830
                 URL: https://issues.apache.org/jira/browse/FLINK-36830
             Project: Flink
          Issue Type: Improvement
          Components: Table SQL / Runtime
    Affects Versions: 2.0-preview
            Reporter: Thomas Cooper

There is a high severity vulnerability ([CVE-2023-1370|https://nvd.nist.gov/vuln/detail/CVE-2023-1370]) in the {{json-path}} version used by the Calcite library (currently Calcite 1.34) that the {{flink-table-calcite-bridge}} module depends on. Newer versions of Calcite depend on newer versions of {{json-path}} that patch this vulnerability. However, updating Calcite to the latest 1.38 release ([FLINK-36602|https://issues.apache.org/jira/browse/FLINK-36602]) is not straightforward and involves changes to the SQL parsing logic. Following [discussion|https://lists.apache.org/thread/7ogwvj5z3o176dw95145dzvlolrkyps4] on the dev mailing list, an incremental Calcite upgrade process is preferred.

Therefore, we need to override the vulnerable version of {{json-path}} used by the {{flink-table-calcite-bridge}} module. Once [FLINK-36602|https://issues.apache.org/jira/browse/FLINK-36602] is implemented, this override can be removed.
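As an added illustration, not taken from the ticket or from the Flink code base, this is one way to pin the transitive {{json-path}} dependency in a Maven module so that the version Calcite declares is replaced; the patched version number is a placeholder because the ticket does not state it, and the property name and the surrounding pom layout are assumptions:

```xml
<!-- Added example (hypothetical fragment for the flink-table-calcite-bridge pom.xml). -->
<project>
  <properties>
    <!-- Placeholder: set to the json-path release that contains the fix for CVE-2023-1370. -->
    <json-path.version>PATCHED_JSON_PATH_VERSION</json-path.version>
  </properties>

  <!-- dependencyManagement wins over the version declared transitively by calcite-core,
       so the override takes effect without touching the Calcite version itself. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.jayway.jsonpath</groupId>
        <artifactId>json-path</artifactId>
        <version>${json-path.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Calcite stays at the version the module already uses (1.34 at the time of the ticket). -->
    <dependency>
      <groupId>org.apache.calcite</groupId>
      <artifactId>calcite-core</artifactId>
      <version>${calcite.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override is actually in effect, run `mvn dependency:tree -Dincludes=com.jayway.jsonpath` in the module and check that only the pinned version appears; once the Calcite upgrade in FLINK-36602 lands, the managed entry can be deleted again.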