Skip to content

Keep Derby test dependency on a Java 11-compatible release (10.15.2.0)#96

Open
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/maven/OpenICF-databasetable-connector/org.apache.derby-derby-10.17.1.0
Open

Keep Derby test dependency on a Java 11-compatible release (10.15.2.0)#96
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/maven/OpenICF-databasetable-connector/org.apache.derby-derby-10.17.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps org.apache.derby:derby from 10.14.2.0 to 10.17.1.0.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps org.apache.derby:derby from 10.14.2.0 to 10.17.1.0.

---
updated-dependencies:
- dependency-name: org.apache.derby:derby
  dependency-version: 10.17.1.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
@vharseko vharseko changed the title Bump org.apache.derby:derby from 10.14.2.0 to 10.17.1.0 in /OpenICF-databasetable-connector CVE-2022-46337 Apache Derby: LDAP injection vulnerability in authenticator Jul 8, 2026
@vharseko

vharseko commented Jul 8, 2026

Copy link
Copy Markdown
Member

Investigation: why this bump fails CI, and the resolution

CI failure root cause

All build-maven jobs fail in databasetable-connector with:

java.lang.ClassNotFoundException: org.apache.derby.jdbc.EmbeddedDriver
  at ...DatabaseTableDerbyTests.createDatabase(DatabaseTableDerbyTests.java:128)

Two independent problems are introduced by bumping org.apache.derby:derby to 10.17.1.0:

  1. Split jars. Since Derby 10.15 the artifacts were reorganized into JPMS modules. org.apache.derby.jdbc.EmbeddedDriver no longer lives in derby.jar — it moved to derbytools.jar (module org.apache.derby.tools), with shared classes in derbyshared.jar. The pom only depends on derby, so the driver class is missing from the test classpath → ClassNotFoundException. (10.17 API docs confirm the module)
  2. JVM baseline. Derby 10.17.x requires Java 21+. This project's CI matrix builds on Java 11, 17, 21, 25, 26 (.github/workflows/build.yml). Even with the jars fixed, the Java-21 bytecode cannot load on the Java 11 and 17 rows.

Derby minimum-JVM by branch (downloads page):

Derby Min. Java Runs on Java 11?
10.14.2.0 (current) 8+
10.15.2.0 9+ ✅ ← newest that still supports Java 11
10.16.1.1 17+
10.17.1.0 (this PR) 21+

Security assessment (CVE-2022-46337)

derby here is a test-scoped dependency (GitHub classifies the Dependabot alert as development scope). It is used only as an embedded SQL database for the connector's unit tests and is not shipped in any product artifact. CVE-2022-46337 is an LDAP-injection flaw in Derby's NATIVE LDAP authenticator, which these tests never configure or invoke — the vulnerable code path is unreachable.

The only release that fixes the CVE is 10.17.1.0, which requires Java 21 and would drop the project's Java 11 support. Given the vulnerability is not reachable, the Dependabot alert (#124) has been dismissed as not_used rather than forcing a Java-baseline change.

Resolution

Instead of 10.17.1.0, the test dependency is bumped to Derby 10.15.2.0 — the newest release still supporting Java 9+ (hence Java 11) — and the split modules are added to the test classpath:

  • org.apache.derby:derby:10.15.2.0 (test)
  • org.apache.derby:derbytools:10.15.2.0 (test) — provides EmbeddedDriver
  • org.apache.derby:derbyshared:10.15.2.0 (test)

Verification

Ran the databasetable-connector Derby tests locally at both ends of the CI matrix:

  • Java 11: Tests run: 43, Failures: 0, Errors: 0BUILD SUCCESS
  • Java 26: Tests run: 43, Failures: 0, Errors: 0BUILD SUCCESS

Since this PR proposes 10.17.1.0 (incompatible with the Java 11/17 matrix rows), it will be superseded by the 10.15.2.0 change and can be closed.

Derby 10.17.1.0 requires Java 21 and splits EmbeddedDriver into derbytools,
breaking the Java 11/17 rows of the CI matrix. Derby is a test-only embedded
database here and the CVE-2022-46337 LDAP authenticator is never used, so bump
to 10.15.2.0 (newest release supporting Java 9+) and add the derbytools and
derbyshared modules to the test classpath instead.
@vharseko vharseko requested a review from maximthomas July 8, 2026 08:41
@vharseko vharseko changed the title CVE-2022-46337 Apache Derby: LDAP injection vulnerability in authenticator Keep Derby test dependency on a Java 11-compatible release (10.15.2.0) Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants