chore(deps): Bump net.snowflake:snowflake-jdbc from 4.3.0 to 4.3.1 #2155

Merged: ferenc-csaky merged 1 commit into main from dependabot/maven/net.snowflake-snowflake-jdbc-4.3.1 on Jun 22, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps net.snowflake:snowflake-jdbc from 4.3.0 to 4.3.1.

Release notes

Sourced from net.snowflake:snowflake-jdbc's releases.

v4.3.1

Changelog

Sourced from net.snowflake:snowflake-jdbc's changelog.

For all official JDBC Release Notes please refer to https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc

Changelog

  • v4.3.2-SNAPSHOT

    • snowflakedb/snowflake-jdbc#2669
    • Fixed snowflake-jdbc writing a snowflake-minicore-* temp directory and loading the native library at driver class-load time even when the driver was never used (e.g. when present on the classpath only as a transitive dependency). Minicore now loads lazily when the first Snowflake connection is created (ConnectionFactory.createConnection) instead of during DriverInitializer.initialize()snowflakedb/snowflake-jdbc#2670
    • Restored GetCallerIdentity as the default AWS Workload Identity Federation attestation method to avoid breaking existing users who have not configured the ISSUER in their Snowflake WIF setup. The GetWebIdentityToken (outbound JWT) flow introduced in v4.3.0 is now opt-in via the new workloadIdentityAwsUseOutboundToken connection property.
  • v4.3.1

    • Fixed GCS-backed internal stage PUT failing with opaque invalid_gcs_credentials in SPCS pods on GCP: the GCS SDK's Application Default Credentials (ADC) probe was reaching out to metadata.google.internal which is unreachable inside SPCS; explicit credentials are now always set when a GCS_ACCESS_TOKEN is present, suppressing the ADC probe entirely. Also fixed GCSAccessStrategyAwsSdk rejecting custom GCS endpoints that lack an https:// scheme prefix (e.g. bare storage.me-central2.rep.googleapis.com), mirroring the existing handling in GCSDefaultAccessStrategy. The catch-all in setupGCSClientsnowflakedb/snowflake-jdbc#2664
    • Fixed Azure PUT memory leak where each PUT instantiated a fresh BlobServiceClient whose underlying reactor-netty stack the SDK exposes no API to release; the Azure SDK HttpClient and its ConnectionProvidersnowflakedb/snowflake-jdbc#2658
    • Fixed SFResultJsonParser2Failed: invalid escaped unicode character when a chunked JSON result contained UTF-16 surrogate-pair \u escapes (e.g. emoji) and the read buffer happened to split exactly 9 bytes after \u; the off-by-one boundary guard in ResultJsonParserV2snowflakedb/snowflake-jdbc#2660
    • Fixed (by removing) stale com.amazonaws.util.Base16/Base64 bytecode references from the shaded JAR by excluding dead SFBinary and SFBinaryFormat classes from the bundled snowflake-common artifact. Security scanners should no longer flag snowflake-jdbc-thinsnowflakedb/snowflake-jdbc#2665
    • snowflakedb/snowflake-jdbc#2663
  • v4.3.0

    • Bumped AWS SDK from 2.37.5 to 2.45.1, which transitively brings netty up to 4.1.133.Final and resolves a cluster of High/Medium netty CVEs (HTTP request smuggling, CRLF injection, data amplification, resource allocation) flagged by Snyk against netty-nio-client in thin_public_pom.xmlsnowflakedb/snowflake-jdbc#2654
    • Bumped jackson to 2.18.7 to address two High-severity resource-exhaustion CVEs in jackson-core 2.18.4.1, and added a .snyk policy file with justified ignores for the dual-licensed javax.servlet-api / javax.annotation-api findings and the tika-core XXE (SNYK-JAVA-ORGAPACHETIKA-14188255snowflakedb/snowflake-jdbc#2654
    • Fixed OAuth token requests sending scope=session:role:null when no scope is configured (or scope is empty/blank); the scopesnowflakedb/snowflake-jdbc#2646
    • Fixed Okta native SSO federated login sending malformed JSON to /api/v1/authn (HTTP 400 from Okta) when the username or password contained JSON-special characters such as double quotes or backslashes; the request body is now serialized with Jackson instead of string concatenation.
    • Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (account_provided, account_with_region, account_org_provided, region_provided, host_provided). No hostname or account value is included. This is gated by the existing server-side CLIENT_TELEMETRY_ENABLED parameter and can additionally be disabled locally by setting SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release.
    • Fixed Connection.isValid() silently swallowing thread interruption: when the underlying heartbeat is interrupted, the connection's interrupt flag is now restored via Thread.currentThread().interrupt()snowflakedb/snowflake-jdbc#2314
    • Fixed non-retryable HTTP 400 response bodies always being logged as "Failed to read content due to exception: Attempted read from closed stream". The response entity is now buffered before RestRequest#checkForDPoPNonceError and SnowflakeUtil#logResponseDetailssnowflakedb/snowflake-jdbc#2631
    • snowflakedb/snowflake-jdbc#2623
    • Fixed path traversal via server-controlled filenames in SnowflakeFileTransferAgentsnowflakedb/snowflake-jdbc#2622
    • Further changes regarding auto-configuration (jdbc:snowflake:autosnowflakedb/snowflake-jdbc#2625
      • Fixed bug leading to 'Connection property specified more than once: DB' error, when both connections.toml (database) and JDBC URL (db) defined database
      • Enhancement: now parameters passed as Properties() are also considered when building connection. For conflicting items defined in multiple places, priority is: Properties > JDBC URL > connections.toml
      • Enhancement (supportability): added provenance tracking for config keys and log them once per connection on debug level
    • snowflakedb/snowflake-jdbc#2617
    • Fixed auto-config debug log messages (provenance, TOML parsing) not appearing in client_config_filesnowflakedb/snowflake-jdbc#2632
    • The AWS S3 client now reuses a per-session shared Netty SdkEventLoopGroup, torn down once at session close, eliminating Netty's 2 s shutdownGracefullysnowflakedb/snowflake-jdbc#2620
    • snowflakedb/snowflake-jdbc#2655
    • Fixed inverted null check in CredentialManager.updateInputWithTokenAndPublicKeysnowflakedb/snowflake-jdbc#2650
    • Fixed Connection.setCatalog and Connection.setSchema producing malformed SQL (or switching to an unintended database/schema) when the supplied name contained an embedded " character; the name is now escaped per the SQL-standard quoted-identifier rule before being interpolated into the USEsnowflakedb/snowflake-jdbc#2651
    • Switched AWS Workload Identity Federation attestation from a SigV4-presigned GetCallerIdentity request to STS GetWebIdentityTokensnowflakedb/snowflake-jdbc#2653
  • v4.2.0

    • Extended the SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable to also bypass permission verification on the connections.toml config file and on the credential cache file (credential_cache_v1.jsonsnowflakedb/snowflake-jdbc#2614
    • Fixed NPE in RestRequest.sendIBHttpErrorEvent when SFSession.getTelemetryClient() returns null because the session URL is not yet set; a NoOpTelemetryClientsnowflakedb/snowflake-jdbc#2610
    • Added support for attaching the SPCS service-identifier token (SPCS_TOKEN) to login requests when the driver is running inside an SPCS container (gated on the SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable; token read from /snowflake/session/spcs_tokensnowflakedb/snowflake-jdbc#2603
    • Added libc family and version detection (LIBC_FAMILY, LIBC_VERSION) to the CLIENT_ENVIRONMENTsnowflakedb/snowflake-jdbc#2596
    • Fixed NPE in SFTrustManager.validateRevocationStatusMain when the OCSP cache contains a non-SUCCESSFUL response (e.g. unauthorized(6)); the response is now surfaced as an SFOCSPExceptionsnowflakedb/snowflake-jdbc#2597
    • snowflakedb/snowflake-jdbc#2586
      • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address.
      • EC2 instance detection probes the IPv4 and IPv6 IMDS endpoints ([fd00:ec2::254]) in parallel so detection succeeds on IPv6-only instances without doubling the detection budget on dual-stack hosts.
    • Added enableCopyResultSet connection property (default false): when true, Statement.execute() exposes the COPY INTO per-file metadata result set via getResultSet()snowflakedb/snowflake-jdbc#2592
    • snowflakedb/snowflake-jdbc#2578
    • snowflakedb/snowflake-jdbc#2572

... (truncated)

Commits
  • bc576f7 NO-SNOW: Bump version to 4.3.1 (#2667)
  • f108dbd SNOW-3643369: Always set explicit GCS credentials to prevent ADC probe in SPC...
  • dd2181a SNOW-3643336: Exclude stale SFBinary from snowflake-common shade to remove AW...
  • 62e328f NO-SNOW: bump grpc-java to 1.82.0 (#2663)
  • 4993be9 SNOW-3619741: Fix Azure memory leak on PUT requests by caching underlying Net...
  • 08fe7c9 NO-SNOW: loosen NONEXISTENTTABLE async error assertion to a prefix match (#2661)
  • bfb1c86 SNOW-3630146: Fix ResultJsonParserV2 off-by-one for \u surrogate pairs (#2660)
  • 992ec61 NO_SNOW: Probers cleanup (#2649)
  • b2e026d NO-SNOW: Bump to new 4.3.1-SNAPSHOT version (#2659)
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jun 22, 2026
@ferenc-csaky

Collaborator

@dependabot rebase

Bumps [net.snowflake:snowflake-jdbc](https://github.com/snowflakedb/snowflake-jdbc) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/snowflakedb/snowflake-jdbc/releases)
- [Changelog](https://github.com/snowflakedb/snowflake-jdbc/blob/master/CHANGELOG.md)
- [Commits](snowflakedb/snowflake-jdbc@v4.3.0...v4.3.1)

---
updated-dependencies:
- dependency-name: net.snowflake:snowflake-jdbc
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/net.snowflake-snowflake-jdbc-4.3.1 branch from c86b1a4 to d11b090 Compare June 22, 2026 12:33
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.84%. Comparing base (5c88c46) to head (d11b090).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #2155   +/-   ##
=========================================
  Coverage     14.84%   14.84%           
  Complexity      921      921           
=========================================
  Files           614      614           
  Lines         17595    17595           
  Branches       2132     2132           
=========================================
  Hits           2612     2612           
  Misses        14740    14740           
  Partials        243      243           

☔ View full report in Codecov by Harness.

@ferenc-csaky ferenc-csaky merged commit 0fcaeec into main Jun 22, 2026
19 of 20 checks passed
@ferenc-csaky ferenc-csaky deleted the dependabot/maven/net.snowflake-snowflake-jdbc-4.3.1 branch June 22, 2026 15:38