Update org.postgresql to resolve CVE's?

[ybits]

Hello all,

Any chance there is a plan (or could be a plan) to update the postgres jdbc driver to get past a critical and a few high CVE's with version 42.1.4?

[enebo]

@ybits I think we are good on this? https://rubygems.org/gems/jdbc-postgres/versions/42.7.8.

[ybits]

Hmm, I'm getting a trivy scan flag on the main pom file:

<dependency> <groupId>org.postgresql</groupId> <artifactId>postgresql</artifactId> <version>42.1.4</version> </dependency>

[enebo]

@ybits This is pretty odd. We don't use Maven at all for releasing gems. In fact, so far as I know we don't use it for anything. arjdbc as a project has a very old history and perhaps it exists for some feature outside of satisfying gems for Rails?

I can say that if you install the gems you should get the version shown.

I opened #1205 to make sure we remove the file. @kares if there is a reason for this you know about then perhaps I have been missing something in releases?

[enebo]

Looking at blame I think this was used to manually install the version we want to the devs local repository which I suppose was then copied into jdbc-postgresql at some point. We/I don't do it this way. Unless I get more details I will delete the pom file.

[kares]

The pom.xml was there to be able to setup the project in IDEA.

Not sure how it's relevant today, it's a bit of a pain setting up (Ruby) projects with JRuby extensions.

[enebo]

#1205

[ybits]

Excellent. Just checked in my gems dir and you're correct, it pulled in jdbc-postgres-42.7.8. I will look for that update and grab it as soon as it's available; we're new to using this particular scanner and I guess it recursively looks for every pom file and blindly flags what it finds in them. Nevertheless it will be good to not have to explain it :) Thanks for looking into this so quickly!