[Flight SQL] Derby dependency (test scope) flagged as vulnerable to CVE-2022-46337 with no available Maven patch #1102

@mateusaubin

Description

Describe the bug, including details regarding any error messages, version, and platform.

flight-sql uses org.apache.derby:derby:10.15.2.0 in test scope, which is flagged
as vulnerable to CVE-2022-46337: a critical (CVSS 9.8) LDAP authentication bypass.

There is no fix available for this dependency and there never will be.

The NVD advisory lists 10.15.2.1 as the fix for the Java 11 branch, but that
version was never published to Maven Central. The same is true for 10.14.3.0 and
10.16.1.2. The only fixed release that exists on Maven Central is 10.17.1.0
(Java 21+), which was also the last release ever made.

On 2025-10-10, the Derby PMC voted to retire the project into a read-only state.
Development and bug-fixing have ended and no further releases will be published. This
means the 10.15.x branch will remain vulnerable indefinitely with no upstream
resolution path.

Context on why the patch versions were never released:

  • DERBY-7147 — fix committed to branches, but no releases were cut for 10.14/10.15/10.16
  • DERBY-7178 — closed as "Not A Problem" by the Derby team

Since Derby is test scope only in flight-sql, there is no runtime exposure.
However, this causes persistent scanner noise for downstream consumers and the
situation will not improve on its own.
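The "test scope only, no runtime exposure" claim is the one a downstream consumer should verify before suppressing the scanner finding, since a transitive path could pull the same artifact into compile or runtime scope. The following is an added example, not code from the issue or from the Arrow project: it parses the text output of `mvn dependency:tree` and reports every artifact under a given groupId that appears in a non-test scope. The dependency tree embedded below is a constructed sample with placeholder coordinates (`org.example`, `com.example`), not real flight-sql output; only the Derby coordinates and version come from the issue.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output. Coordinates other than
# org.apache.derby are placeholders; this is not the real flight-sql tree.
SAMPLE_TREE = """\
[INFO] org.example:flight-sql-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.apache.derby:derby:jar:10.15.2.0:test
[INFO] |  \\- org.apache.derby:derbyshared:jar:10.15.2.0:test
[INFO] +- org.apache.derby:derbytools:jar:10.15.2.0:test
[INFO] \\- com.example:some-runtime-lib:jar:1.2.3:compile
[INFO]    \\- org.example:transitive-lib:jar:4.5.6:runtime
"""

# One dependency line: tree-drawing prefix, then
# groupId:artifactId:type[:classifier]:version:scope.
# The root (the module itself) carries no scope and is deliberately skipped.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*\s*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+)"
    r"(?::(?P<classifier>[^:\s]+))?"
    r":(?P<version>[^:\s]+):(?P<scope>compile|provided|runtime|test|system)\s*$"
)


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str


def parse_tree(text: str) -> list[Dep]:
    """Extract every scoped artifact from dependency:tree output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append(Dep(m["group"], m["artifact"], m["version"], m["scope"]))
    return deps


def runtime_exposure(deps: list[Dep], group_prefix: str) -> list[Dep]:
    """Artifacts under group_prefix that are NOT confined to test scope.

    Anything in compile, runtime, provided or system scope can be present
    when the module itself runs (or is shipped), so it is reported here.
    """
    return [d for d in deps if d.group.startswith(group_prefix) and d.scope != "test"]


def scope_summary(deps: list[Dep], group_prefix: str) -> dict[str, int]:
    """Count artifacts under group_prefix per scope, for a quick report."""
    counts: dict[str, int] = {}
    for d in deps:
        if d.group.startswith(group_prefix):
            counts[d.scope] = counts.get(d.scope, 0) + 1
    return counts


if __name__ == "__main__":
    deps = parse_tree(SAMPLE_TREE)
    for prefix in ("org.apache.derby", "com.example"):
        exposed = runtime_exposure(deps, prefix)
        print(prefix, scope_summary(deps, prefix),
              "runtime exposure:" if exposed else "test scope only",
              [f"{d.artifact}:{d.version}:{d.scope}" for d in exposed])
```

Against a real project, pipe the output of `mvn dependency:tree` into `parse_tree` instead of the embedded sample; an empty result from `runtime_exposure(deps, "org.apache.derby")` is the evidence that supports treating the finding as test-only noise.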

Possible paths forward:

  • Upgrade to 10.17.1.0 (requires Java 21 as test baseline for flight-sql)
  • Replace Derby with another embedded DB (e.g. H2) in flight-sql tests — likely
    the cleanest long-term option given Derby's retirement
