Tools / shardingsphere / Security

Security Deep Dive

shardingsphere

Security posture and CVE patch evidence from tracked releases.

Back to Tool

33 critical dependency CVEs affects 5.5.3.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA ✓ SBOM ✗ Security policy Unknown cadence Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present

Signed releases Unknown

Latest release artifact signature Latest release

—

SLSA provenance Unknown

Attestation predicate level Latest release

—

SBOM published Present

GitHub SBOM API Latest release

Last verified: 28d ago

SECURITY.md Absent

GitHub repository metadata Repository policy

Checked: 18d ago

Release cadence Unknown

12-release median Release history

Latest release: 3mo ago

Maintainer active Present

Recent commit activity Repository

Last commit: 3d ago

Checksums (SHA256SUMS) Not active yet

SHA256SUMS or equivalent Release asset

Latest release: 3mo ago

GitHub Actions attestation Not active yet

actions/attest-build-provenance Workflow file

Latest release: 3mo ago

Signing assets Not active yet

.sig, .crt, cosign.pub, or similar Release asset

Latest release: 3mo ago

5.2/10 Security Score

8.6/10 Scorecard

Dependency Exposure 151 transitive dependency CVEs found in the latest SBOM. 33 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

3d stale

scorecard

3.44 / 4.0

Score 8.6/10

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 33c/78h

Provenance trust

provenance trust

8.6

40%

scorecard score: 8.6 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 3d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100

33 Transitive critical CVEs

0 KEV-transitive CVEs

100% Dependency freshness

Scorecard

Scorecard 8.6/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check	Score	Reason
Maintained	10	30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review	10	all changesets reviewed
Dangerous-Workflow	10	no dangerous workflow patterns detected
CII-Best-Practices	10	badge detected: Gold
Token-Permissions	10	GitHub workflow tokens follow principle of least privilege
License	10	license file detected
Branch-Protection	-1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	10	security policy file detected
Signed-Releases	-1	no releases found
Binary-Artifacts	10	no binaries found in the repo
Fuzzing	0	project is not fuzzed
Packaging	10	packaging workflow detected
SAST	10	SAST tool detected
Pinned-Dependencies	0	dependency not pinned by hash detected -- score normalized to 0

Dependency Vulnerabilities

745 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

High

Medium

Low

Unknown

Still affecting latest (1) All (151)

Critical 33 High 78 Medium 37 Low 3

CVE	Severity	KEV	Dependency	Affected version	Cleared in release
CVE-2016-3720	critical	—	com.fasterxml.jackson.dataformat:jackson-dataformat-xml	—	—
CVE-2017-15095	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2017-17485	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2017-5929	critical	—	ch.qos.logback:logback-classic	—	—
CVE-2017-7525	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-11307	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-1282	critical	—	org.apache.hive:hive-jdbc	—	—
CVE-2018-14718	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-14719	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-14720	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-14721	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-19360	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-19361	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-19362	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-7489	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-13990	critical	—	org.quartz-scheduler:quartz	—	—
CVE-2019-14379	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-14540	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-16335	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-16942	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-16943	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-17267	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-17531	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-20330	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-8840	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-9546	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-9547	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-9548	critical	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2021-42392	critical	—	com.h2database:h2	—	—
CVE-2022-23221	critical	—	com.h2database:h2	—	—
CVE-2022-39135	critical	—	org.apache.calcite:calcite-core	—	—
CVE-2022-42889	critical	—	org.apache.commons:commons-text	—	—
CVE-2024-1597	critical	—	org.postgresql:postgresql	—	—
CVE-2012-1618	high	—	org.postgresql:postgresql	—	—
CVE-2016-4970	high	—	io.netty:netty-handler	—	—
CVE-2016-7051	high	—	com.fasterxml.jackson.dataformat:jackson-dataformat-xml	—	—
CVE-2017-18640	high	—	org.yaml:snakeyaml	—	—
CVE-2017-3523	high	—	mysql:mysql-connector-java	—	—
CVE-2018-12022	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-12023	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2018-3258	high	—	mysql:mysql-connector-java	—	—
CVE-2018-5968	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-12086	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-14439	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-14892	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-14893	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-9843	high	—	com.diffplug.spotless:spotless-maven-plugin	—	—
CVE-2020-10650	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-10672	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-10673	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-10968	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-10969	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-11111	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-11112	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-11113	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-11612	high	—	io.netty:netty-handler	—	—
CVE-2020-11619	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-11620	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-13692	high	—	org.postgresql:postgresql	—	—
CVE-2020-14060	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-14061	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-14062	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-14195	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-24616	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-24750	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-25649	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-35490	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-35491	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-35728	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36179	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36180	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36181	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36182	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36183	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36184	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36185	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36186	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36187	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36188	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36189	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-36518	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2020-7238	high	—	io.netty:netty-handler	—	—
CVE-2021-20190	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2021-22569	high	—	com.google.protobuf:protobuf-java	—	—
CVE-2021-23463	high	—	com.h2database:h2	—	—
CVE-2021-37136	high	—	io.netty:netty-codec	—	—
CVE-2021-37137	high	—	io.netty:netty-codec	—	—
CVE-2021-46877	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2022-1471	high	—	org.yaml:snakeyaml	—	—
CVE-2022-21724	high	—	org.postgresql:postgresql	—	—
CVE-2022-25857	high	—	org.yaml:snakeyaml	—	—
CVE-2022-31197	high	—	org.postgresql:postgresql	—	—
CVE-2022-3509	high	—	com.google.protobuf:protobuf-java	—	—
CVE-2022-3510	high	—	com.google.protobuf:protobuf-java	—	—
CVE-2022-42003	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2022-42004	high	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2022-45868	high	—	com.h2database:h2	—	—
CVE-2023-1428	high	—	io.grpc:grpc-protobuf	—	—
CVE-2023-22102	high	—	mysql:mysql-connector-java	—	—
CVE-2023-22102	high	—	com.mysql:mysql-connector-j	—	—
CVE-2023-32731	high	—	io.grpc:grpc-protobuf	—	—
CVE-2023-6378	high	—	ch.qos.logback:logback-classic	—	—
CVE-2024-7254	high	—	com.google.protobuf:protobuf-java	—	—
CVE-2025-24970	high	—	io.netty:netty-handler	—	—
CVE-2025-49146	high	—	org.postgresql:postgresql	—	—
CVE-2025-59250	high	—	com.microsoft.sqlserver:mssql-jdbc	—	—
CVE-2026-42198	high	—	org.postgresql:postgresql	42.7.8	—
CVE-2026-42577	high	—	io.netty:netty-transport-native-epoll	—	—
CVE-2026-42583	high	—	io.netty:netty-codec	—	—
GHSA-86q5-qcjc-7pv4	high	—	com.facebook.presto:presto-jdbc	—	—
GHSA-xm7x-f3w2-4hjm	high	—	com.facebook.presto:presto-jdbc	—	—
CVE-2014-3488	medium	—	io.netty:netty-handler	—	—
CVE-2015-2575	medium	—	mysql:mysql-connector-java	—	—
CVE-2017-3586	medium	—	mysql:mysql-connector-java	—	—
CVE-2018-1000873	medium	—	com.fasterxml.jackson.datatype:jackson-datatype-jsr310	—	—
CVE-2018-10237	medium	—	com.google.guava:guava	—	—
CVE-2018-1314	medium	—	org.apache.hive:hive-jdbc	—	—
CVE-2019-12384	medium	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-12814	medium	—	com.fasterxml.jackson.core:jackson-databind	—	—
CVE-2019-20445	medium	—	io.netty:netty-handler	—	—
CVE-2019-2692	medium	—	mysql:mysql-connector-java	—	—
CVE-2020-13955	medium	—	org.apache.calcite:calcite-core	—	—
CVE-2021-2471	medium	—	mysql:mysql-connector-java	—	—
CVE-2022-21363	medium	—	mysql:mysql-connector-java	—	—
CVE-2022-3171	medium	—	com.google.protobuf:protobuf-java	—	—
CVE-2022-38749	medium	—	org.yaml:snakeyaml	—	—
CVE-2022-38750	medium	—	org.yaml:snakeyaml	—	—
CVE-2022-38751	medium	—	org.yaml:snakeyaml	—	—
CVE-2022-38752	medium	—	org.yaml:snakeyaml	—	—
CVE-2022-41854	medium	—	org.yaml:snakeyaml	—	—
CVE-2022-41946	medium	—	org.postgresql:postgresql	—	—
CVE-2023-2976	medium	—	com.google.guava:guava	—	—
CVE-2023-32732	medium	—	io.grpc:grpc-protobuf	—	—
CVE-2023-33202	medium	—	org.bouncycastle:bcpkix-jdk18on	—	—
CVE-2023-34462	medium	—	io.netty:netty-handler	—	—
CVE-2023-35701	medium	—	org.apache.hive:hive-jdbc	—	—
CVE-2023-51074	medium	—	com.jayway.jsonpath:json-path	—	—
CVE-2024-23689	medium	—	com.clickhouse:clickhouse-jdbc	—	—
CVE-2024-29857	medium	—	org.bouncycastle:bctls-jdk18on	—	—
CVE-2024-30171	medium	—	org.bouncycastle:bctls-jdk18on	—	—
CVE-2024-30172	medium	—	org.bouncycastle:bctls-jdk18on	—	—
CVE-2025-48924	medium	—	commons-lang:commons-lang	—	—
CVE-2025-48924	medium	—	org.apache.commons:commons-lang3	—	—
CVE-2025-58057	medium	—	io.netty:netty-codec	—	—
CVE-2025-8885	medium	—	org.bouncycastle:bctls-jdk18on	—	—
CVE-2025-8916	medium	—	org.bouncycastle:bcpkix-jdk18on	—	—
CVE-2026-5588	medium	—	org.bouncycastle:bcpkix-jdk18on	—	—
GHSA-673j-qm5f-xpv8	medium	—	org.postgresql:postgresql	—	—
CVE-2017-3589	low	—	mysql:mysql-connector-java	—	—
CVE-2020-8908	low	—	com.google.guava:guava	—	—
CVE-2022-26520	low	—	org.postgresql:postgresql	—	—

Showing 151 of 151