Bump net.snowflake:snowflake-jdbc from 4.2.0 to 4.3.0 #6684

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/gradle/net.snowflake-snowflake-jdbc-4.3.0

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Bumps net.snowflake:snowflake-jdbc from 4.2.0 to 4.3.0.

Release notes

Sourced from net.snowflake:snowflake-jdbc's releases.

v4.3.0

Changelog

Sourced from net.snowflake:snowflake-jdbc's changelog.

For all official JDBC Release Notes please refer to https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc

Changelog

  • v4.3.1-SNAPSHOT

    • Fixed Azure PUT memory leak where each PUT instantiated a fresh BlobServiceClient whose underlying reactor-netty stack the SDK exposes no API to release; the Azure SDK HttpClient and its ConnectionProvider snowflakedb/snowflake-jdbc#2658
    • Fixed SFResultJsonParser2Failed: invalid escaped unicode character when a chunked JSON result contained UTF-16 surrogate-pair \u escapes (e.g. emoji) and the read buffer happened to split exactly 9 bytes after \u; the off-by-one boundary guard in ResultJsonParserV2 snowflakedb/snowflake-jdbc#2660
    • snowflakedb/snowflake-jdbc#2663
  • v4.3.0

    • Bumped AWS SDK from 2.37.5 to 2.45.1, which transitively brings netty up to 4.1.133.Final and resolves a cluster of High/Medium netty CVEs (HTTP request smuggling, CRLF injection, data amplification, resource allocation) flagged by Snyk against netty-nio-client in thin_public_pom.xml snowflakedb/snowflake-jdbc#2654
    • Bumped jackson to 2.18.7 to address two High-severity resource-exhaustion CVEs in jackson-core 2.18.4.1, and added a .snyk policy file with justified ignores for the dual-licensed javax.servlet-api / javax.annotation-api findings and the tika-core XXE (SNYK-JAVA-ORGAPACHETIKA-14188255 snowflakedb/snowflake-jdbc#2654
    • Fixed OAuth token requests sending scope=session:role:null when no scope is configured (or scope is empty/blank); the scope snowflakedb/snowflake-jdbc#2646
    • Fixed Okta native SSO federated login sending malformed JSON to /api/v1/authn (HTTP 400 from Okta) when the username or password contained JSON-special characters such as double quotes or backslashes; the request body is now serialized with Jackson instead of string concatenation.
    • Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (account_provided, account_with_region, account_org_provided, region_provided, host_provided). No hostname or account value is included. This is gated by the existing server-side CLIENT_TELEMETRY_ENABLED parameter and can additionally be disabled locally by setting SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release.
    • Fixed Connection.isValid() silently swallowing thread interruption: when the underlying heartbeat is interrupted, the connection's interrupt flag is now restored via Thread.currentThread().interrupt() snowflakedb/snowflake-jdbc#2314
    • Fixed non-retryable HTTP 400 response bodies always being logged as "Failed to read content due to exception: Attempted read from closed stream". The response entity is now buffered before RestRequest#checkForDPoPNonceError and SnowflakeUtil#logResponseDetails snowflakedb/snowflake-jdbc#2631
    • snowflakedb/snowflake-jdbc#2623
    • Fixed path traversal via server-controlled filenames in SnowflakeFileTransferAgent snowflakedb/snowflake-jdbc#2622
    • Further changes regarding auto-configuration (jdbc:snowflake:auto snowflakedb/snowflake-jdbc#2625
      • Fixed bug leading to 'Connection property specified more than once: DB' error, when both connections.toml (database) and JDBC URL (db) defined database
      • Enhancement: now parameters passed as Properties() are also considered when building connection. For conflicting items defined in multiple places, priority is: Properties > JDBC URL > connections.toml
      • Enhancement (supportability): added provenance tracking for config keys and log them once per connection on debug level
    • snowflakedb/snowflake-jdbc#2617
    • Fixed auto-config debug log messages (provenance, TOML parsing) not appearing in client_config_file snowflakedb/snowflake-jdbc#2632
    • The AWS S3 client now reuses a per-session shared Netty SdkEventLoopGroup, torn down once at session close, eliminating Netty's 2 s shutdownGracefully snowflakedb/snowflake-jdbc#2620
    • snowflakedb/snowflake-jdbc#2655
    • Fixed inverted null check in CredentialManager.updateInputWithTokenAndPublicKey snowflakedb/snowflake-jdbc#2650
    • Fixed Connection.setCatalog and Connection.setSchema producing malformed SQL (or switching to an unintended database/schema) when the supplied name contained an embedded " character; the name is now escaped per the SQL-standard quoted-identifier rule before being interpolated into the USE snowflakedb/snowflake-jdbc#2651
    • Switched AWS Workload Identity Federation attestation from a SigV4-presigned GetCallerIdentity request to STS GetWebIdentityToken snowflakedb/snowflake-jdbc#2653
  • v4.2.0

    • Extended the SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable to also bypass permission verification on the connections.toml config file and on the credential cache file (credential_cache_v1.json snowflakedb/snowflake-jdbc#2614
    • Fixed NPE in RestRequest.sendIBHttpErrorEvent when SFSession.getTelemetryClient() returns null because the session URL is not yet set; a NoOpTelemetryClient snowflakedb/snowflake-jdbc#2610
    • Added support for attaching the SPCS service-identifier token (SPCS_TOKEN) to login requests when the driver is running inside an SPCS container (gated on the SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable; token read from /snowflake/session/spcs_token snowflakedb/snowflake-jdbc#2603
    • Added libc family and version detection (LIBC_FAMILY, LIBC_VERSION) to the CLIENT_ENVIRONMENT snowflakedb/snowflake-jdbc#2596
    • Fixed NPE in SFTrustManager.validateRevocationStatusMain when the OCSP cache contains a non-SUCCESSFUL response (e.g. unauthorized(6)); the response is now surfaced as an SFOCSPException snowflakedb/snowflake-jdbc#2597
    • snowflakedb/snowflake-jdbc#2586
      • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address.
      • EC2 instance detection probes the IPv4 and IPv6 IMDS endpoints ([fd00:ec2::254]) in parallel so detection succeeds on IPv6-only instances without doubling the detection budget on dual-stack hosts.
    • Added enableCopyResultSet connection property (default false): when true, Statement.execute() exposes the COPY INTO per-file metadata result set via getResultSet() snowflakedb/snowflake-jdbc#2592
    • snowflakedb/snowflake-jdbc#2578
    • snowflakedb/snowflake-jdbc#2572
    • snowflakedb/snowflake-jdbc#2591
      • now defaulting to port 443 instead of 80 when neither port nor protocol is specified
      • config coming from the JDBC connection string is no longer ignored when auto-configuration sourced items are also present (when both are present, direct connection config takes precedence)
    • snowflakedb/snowflake-jdbc#2585
    • snowflakedb/snowflake-jdbc#2600
    • snowflakedb/snowflake-jdbc#2600
    • snowflakedb/snowflake-jdbc#2602
    • snowflakedb/snowflake-jdbc#2593

... (truncated)

Commits
  • 222e67c SNOW-3488052: Prepare release 4.3.0 (#2656)
  • 763d1c3 SNOW-3411970: AWS WIF outbound JWT token via STS GetWebIdentityToken (#2653)
  • e306106 SNOW-3423458: Escape embedded double quotes in setCatalog/setSchema identifie...
  • c27559c SNOW-3437358: Fix inverted null check in CredentialManager.updateInputWithTok...
  • bb39025 NO-SNOW: bump netty to 4.1.135.Final (#2655)
  • 68f8a3d NO-SNOW: Snyk dep bumps and suppressions (jackson, AWS SDK, netty, .snyk) (#2...
  • 331d632 SNOW-3580924: Don't send scope parameter when scope is empty/blank (#2647)
  • dc44743 SNOW-3351450: emit client_connection_identifier_shape in-band telemetry (#2641)
  • 63ab1f7 SNOW-1677211: Escape special characters in password for Okta authentication ...
  • 925780a SNOW-3420102: drop stage object on prober cleanup (#2639)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [net.snowflake:snowflake-jdbc](https://github.com/snowflakedb/snowflake-jdbc) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/snowflakedb/snowflake-jdbc/releases)
- [Changelog](https://github.com/snowflakedb/snowflake-jdbc/blob/master/CHANGELOG.md)
- [Commits](snowflakedb/snowflake-jdbc@v4.2.0...v4.3.0)

---
updated-dependencies:
- dependency-name: net.snowflake:snowflake-jdbc
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 14, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 14, 2026 02:02
@dependabot dependabot Bot requested review from uarlouski, valfirst and vkepin June 14, 2026 02:02
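
The changelog entry above for Connection.setCatalog and Connection.setSchema names the SQL-standard quoted-identifier rule. The following is an added example, not code from snowflake-jdbc or from this pull request, showing that rule next to an unescaped form. The class, the method names and the sample names are hypothetical, and the unescaped form is an assumption about the shape of the bug, not the driver's previous code.

```java
// Added illustration; not code from snowflake-jdbc. All names are hypothetical.
public class QuotedIdentifierDemo {
    // Assumed "before" shape: name wrapped in quotes, embedded quotes untouched.
    static String naiveQuote(String name) {
        return "\"" + name + "\"";
    }

    // SQL-standard quoted identifier: double every embedded ", then wrap.
    static String quoteIdentifier(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("identifier must not be empty");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Counts dot-separated quoted identifiers in s; -1 means malformed.
    // Inside quotes, "" is a literal quote and a lone " closes the identifier.
    static int identifierParts(String s) {
        int parts = 0;
        int i = 0;
        while (i < s.length()) {
            if (s.charAt(i++) != '"') return -1;          // must open with a quote
            boolean closed = false;
            while (i < s.length() && !closed) {
                if (s.charAt(i) != '"') { i++; continue; }
                if (i + 1 < s.length() && s.charAt(i + 1) == '"') { i += 2; continue; }
                closed = true;
                i++;
            }
            if (!closed) return -1;                       // unterminated identifier
            parts++;
            if (i == s.length()) break;
            if (s.charAt(i++) != '.' || i == s.length()) return -1; // stray text
        }
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample names: plain, embedded quote, and quote-dot-quote.
        for (String name : new String[] {"REPORTS", "a\"b", "A\".\"B"}) {
            String before = naiveQuote(name);
            String after = quoteIdentifier(name);
            System.out.printf("USE SCHEMA %-10s parts=%2d | USE SCHEMA %-12s parts=%d%n",
                before, identifierParts(before), after, identifierParts(after));
        }
    }
}
```

For the constructed names with an embedded quote, the unescaped form parses either as malformed or as two identifiers, while the escaped form stays a single identifier.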
codecov Bot commented Jun 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.79%. Comparing base (413a8ba) to head (c08dff8).

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #6684   +/-   ##
=========================================
  Coverage     97.79%   97.79%           
  Complexity     7325     7325           
=========================================
  Files          1015     1015           
  Lines         21508    21508           
  Branches       1416     1416           
=========================================
  Hits          21033    21033           
  Misses          359      359           
  Partials        116      116           

dependabot Bot commented on behalf of github Jun 21, 2026

Superseded by #6704.

@dependabot dependabot Bot closed this Jun 21, 2026
@dependabot dependabot Bot deleted the dependabot/gradle/net.snowflake-snowflake-jdbc-4.3.0 branch June 21, 2026 02:03