-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distribute "slim" version of the connector #792
Comments
I just realized that this repo depends on the shaded snowflake-ingest, which means that there are several dependencies that are being duplicated version of https://github.com/snowflakedb/snowflake-ingest-java/tree/master?tab=readme-ov-file#jar-versions |
Another finding: the JDBC driver is also distributed as a fat jar. Furthermore, both the JDBC driver and the Ingest SDK require different distributions for to be FIPS compliant, which are not used in this connector. Which make me assume that this connector is not FIPS compliant, and can not be as long as the uber/shadowed JARs are used. |
@enzo-cappa I'm very sorry for late reply. I'll add internal ticket to track this issue and discuss it. We shall se if we have some space for improvements here. |
Kudos to this, at the moment the Connector v2.3.0 supports Kafka 3.7 and Confluent 7.6. Do not know if it is an overkill, but in order to make this version to run with Kafka 3.5 and Confluent 7.5 we had to re-build the Jar from the source code, otherwise 'NoSuchMethodError' will pop around. It would be great to have the possibility to include just the stripped down JAR version as a dependency and include in the classpath a different version of its Kafka and Confluent dependencies for broader compatibility. |
com.snowflake:snowflake-kafka-connector:2.4.1 uses org.apache.avro:1.11.3 with CRITICAL CVE-2024-47561, having a slim version would surely help into not having to rebuild the whole fat jar to fix the issue. |
The current distribution of the connector is an uber jar that has all the dependencies. However, some of those dependencies are not needed in all cases, specially in production systems. For example:
Would it be possible to distribute a slim version of the connector besides the current one? Just a JAR with fundamental dependencies. Furthermore, it would be better to distribute it as a zip/tar.gz with jar files inside, like Debezium does (see the different types and classifiers at https://repo1.maven.org/maven2/io/debezium/debezium-connector-postgres/2.5.1.Final/). This last part would make it easier to exclude those JARs in case is needed (for example, to force a version bump in case a 0-day vuln is discovered in a dependency).
The text was updated successfully, but these errors were encountered: