Merge branch 'databricks:main' into main

Author: gopalldb

.github/workflows/release-thin.yml

@@ -20,20 +20,102 @@ permissions:
   contents: write
 
 jobs:
+  # Gate: Vulnerability scan must pass before publishing.
+  # Runs OWASP Dependency Check against NVD and fails on CVSS >= 7.
+  vulnerability-scan:
+    if: false
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.event.workflow_run.head_sha }}
+          fetch-tags: true
+          fetch-depth: 0
+
+      - name: Set up JDK
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
+        with:
+          java-version: 21
+          distribution: 'adopt'
+
+      - name: Get JFrog OIDC token
+        run: |
+          set -euo pipefail
+
+          ID_TOKEN=$(curl -sLS \
+            -H "User-Agent: actions/oidc-client" \
+            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "::add-mask::${ID_TOKEN}"
+
+          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+          echo "::add-mask::${ACCESS_TOKEN}"
+
+          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+            echo "FAIL: Could not extract JFrog access token"
+            exit 1
+          fi
+
+          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Configure maven
+        run: |
+          set -euo pipefail
+
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings>
+            <mirrors>
+              <mirror>
+                <id>jfrog-central</id>
+                <mirrorOf>*</mirrorOf>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-central</id>
+                <username>gha-service-account</username>
+                <password>${JFROG_ACCESS_TOKEN}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      - name: Run OWASP Dependency Check
+        run: |
+          mvn -pl jdbc-core org.owasp:dependency-check-maven:check \
+            -Dnvd.api.key=${{ secrets.NVD_API_KEY }} \
+            -DfailBuildOnCVSS=7
+
+      - name: Upload scan reports
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6db9b8a1f7b0951caef032b8f2f72 # v4
+        with:
+          name: release-thin-vulnerability-scan
+          path: |
+            jdbc-core/target/dependency-check-report.html
+            jdbc-core/target/dependency-check-report.json
+
   publish-thin:
     # DISABLED: Third-party package publishing frozen per company-wide policy.
     # To re-enable, replace 'false' below with the original condition:
     #   github.event_name == 'workflow_dispatch' ||
     #   (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
     if: false
+    needs: vulnerability-scan
     runs-on:
       group: databricks-protected-runner-group
       labels: linux-ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
-          # If manual trigger: use input tag, else use the SHA from the completed workflow run
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.event.workflow_run.head_sha }}
           fetch-tags: true
           fetch-depth: 0
@@ -55,14 +137,12 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Get GitHub OIDC ID token
           ID_TOKEN=$(curl -sLS \
             -H "User-Agent: actions/oidc-client" \
             -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
             "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
           echo "::add-mask::${ID_TOKEN}"
 
-          # Exchange for JFrog access token
           ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
             "https://databricks.jfrog.io/access/api/v1/oidc/token" \
             -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
@@ -103,23 +183,13 @@ jobs:
 
           echo "Maven configured to use JFrog registry"
 
-      # Step 1: Build and install dependencies to local Maven repository
-      # This builds jdbc-core (and parent) without publishing them.
-      # The -am flag builds all dependencies needed by assembly-thin.
-      # We use -Prelease here to generate sources/javadoc JARs for jdbc-core,
-      # which assembly-thin needs for its own sources/javadoc artifacts.
-      # GPG signing is skipped since we're only installing locally, not publishing.
       - name: Build dependencies
         run: |
           mvn -Prelease clean install --batch-mode -pl jdbc-core -am -Dgpg.skip=true \
             -Dnvd.api.key=${{ secrets.NVD_API_KEY }} \
             -Dossindex.username=${{ secrets.OSSINDEX_USERNAME }} \
             -Dossindex.password=${{ secrets.OSSINDEX_PASSWORD }}
 
-      # Step 2: Deploy only the thin JAR module to Maven Central
-      # We don't use -am here to avoid the central-publishing-maven-plugin
-      # from collecting parent/jdbc-core artifacts into the deployment bundle.
-      # The jdbc-core dependency is already available from Step 1.
       - name: Publish thin JAR to Maven Central
         run: |
           mvn -Prelease deploy --batch-mode -pl assembly-thin \
@@ -135,10 +205,8 @@ jobs:
         id: get_tag
         run: |
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            # For manual trigger, use the input tag directly
             TAG="${{ inputs.tag }}"
           else
-            # For workflow_run, find the tag pointing to the current commit
             TAG=$(git tag --points-at HEAD | grep "^v" | head -1)
             if [ -z "$TAG" ]; then
               echo "Error: No tag found for current commit"
@@ -171,4 +239,4 @@ jobs:
         with:
           tag_name: ${{ steps.get_tag.outputs.tag }}
           files: |
-            assembly-thin/target/databricks-jdbc-thin-*.jar
+            assembly-thin/target/databricks-jdbc-thin-*.jar

.github/workflows/release.yml

@@ -14,10 +14,89 @@ permissions:
   contents: write
 
 jobs:
+  # Gate: Vulnerability scan must pass before publishing.
+  # Runs OWASP Dependency Check against NVD and fails on CVSS >= 7.
+  vulnerability-scan:
+    if: false
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Set up JDK
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
+        with:
+          java-version: 21
+          distribution: 'adopt'
+
+      - name: Get JFrog OIDC token
+        run: |
+          set -euo pipefail
+
+          ID_TOKEN=$(curl -sLS \
+            -H "User-Agent: actions/oidc-client" \
+            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "::add-mask::${ID_TOKEN}"
+
+          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+          echo "::add-mask::${ACCESS_TOKEN}"
+
+          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+            echo "FAIL: Could not extract JFrog access token"
+            exit 1
+          fi
+
+          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Configure maven
+        run: |
+          set -euo pipefail
+
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings>
+            <mirrors>
+              <mirror>
+                <id>jfrog-central</id>
+                <mirrorOf>*</mirrorOf>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-central</id>
+                <username>gha-service-account</username>
+                <password>${JFROG_ACCESS_TOKEN}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      - name: Run OWASP Dependency Check
+        run: |
+          mvn -pl jdbc-core org.owasp:dependency-check-maven:check \
+            -Dnvd.api.key=${{ secrets.NVD_API_KEY }} \
+            -DfailBuildOnCVSS=7
+
+      - name: Upload scan reports
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6db9b8a1f7b0951caef032b8f2f72 # v4
+        with:
+          name: release-vulnerability-scan
+          path: |
+            jdbc-core/target/dependency-check-report.html
+            jdbc-core/target/dependency-check-report.json
+
   publish:
     # DISABLED: Third-party package publishing frozen per company-wide policy.
     # Remove this line to re-enable publishing.
     if: false
+    needs: vulnerability-scan
     runs-on:
       group: databricks-protected-runner-group
       labels: linux-ubuntu-latest
@@ -42,14 +121,12 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Get GitHub OIDC ID token
           ID_TOKEN=$(curl -sLS \
             -H "User-Agent: actions/oidc-client" \
             -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
             "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
           echo "::add-mask::${ID_TOKEN}"
 
-          # Exchange for JFrog access token
           ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
             "https://databricks.jfrog.io/access/api/v1/oidc/token" \
             -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
@@ -123,4 +200,3 @@ jobs:
         with:
           files: |
             assembly-uber/target/databricks-jdbc-*.jar
-

src/main/java/com/databricks/jdbc/api/impl/DatabricksDatabaseMetaData.java

@@ -1132,9 +1132,18 @@ public ResultSet getCrossReference(
             foreignTable));
 
     throwExceptionIfConnectionIsClosed();
-    if (parentTable == null && foreignTable == null) {
+    // Thrift requires parentTable — null or empty parentTable is invalid
+    if (parentTable == null || parentTable.isEmpty()) {
+      LOGGER.debug("getCrossReference: parentTable is null or empty, throwing");
       throw new DatabricksSQLException(
-          "Invalid argument: foreignTable and parentTableName are both null",
+          "Invalid argument: parentTable may not be null or empty",
+          DatabricksDriverErrorCode.INVALID_STATE);
+    }
+    // Empty foreign table is also invalid — Thrift server rejects it
+    if (foreignTable != null && foreignTable.isEmpty()) {
+      LOGGER.debug("getCrossReference: foreignTable is empty string, throwing");
+      throw new DatabricksSQLException(
+          "Invalid argument: foreignTable may not be empty",
           DatabricksDriverErrorCode.INVALID_STATE);
     }