Skip to content

fix: Bump the base image and the CDK version in source-snowflake to receiv…#74081

Open
Rodi Reich Zilberman (rodireich) wants to merge 3 commits intomasterfrom
11323-snowflake-src-security-connector-image-cves-blocking-sme-customer-source-postgres-destination-postgres-sourcedestination-snowflake
Open

fix: Bump the base image and the CDK version in source-snowflake to receiv…#74081
Rodi Reich Zilberman (rodireich) wants to merge 3 commits intomasterfrom
11323-snowflake-src-security-connector-image-cves-blocking-sme-customer-source-postgres-destination-postgres-sourcedestination-snowflake

Conversation

@rodireich
Copy link
Contributor

@rodireich Rodi Reich Zilberman (rodireich) commented Feb 27, 2026

Security update to remove well known vulnerabilities

…e versions that are not affected by known CVEs
@github-actions
Copy link
Contributor

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

  • 🛠️ Quick Fixes
    • /format-fix - Fixes most formatting issues.
    • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
  • ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
    • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
    • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
    • /ai-review - AI-powered PR review for connector safety and quality gates.
  • 🚀 Connector Releases:
    • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
    • /bump-progressive-rollout-version - Bumps connector version with an RC suffix (2.16.10-rc.1) for progressive rollouts (enableProgressiveRollout: true).
      • Example: /bump-progressive-rollout-version changelog="Add new feature for progressive rollout"
  • ☕️ JVM connectors:
    • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
      Example: /update-connector-cdk-version connector=destination-bigquery
    • /bump-bulk-cdk-version bump=patch changelog='foo' - Bump the Bulk CDK's version. bump can be major/minor/patch.
  • 🐍 Python connectors:
    • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
    • /poe source example lock - Alias for /poe connector source-example lock.
    • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
    • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
  • ⚙️ Admin commands:
    • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
      Example: /force-merge reason="CI is flaky, tests pass locally"
📚 Show Repo Guidance

Helpful Resources

📝 Edit this welcome message.

…e versions that are not affected by known CVEs
@rodireich
Copy link
Contributor Author

Rodi Reich Zilberman (rodireich) commented Feb 27, 2026

/ai-prove-fix

AI Prove Fix Started

Running readiness checks and testing against customer connections.
View workflow run
🔍 AI Prove Fix session starting... Running readiness checks and testing against customer connections. View playbook

Devin AI session created successfully!

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

source-snowflake Connector Test Results

14 tests   14 ✅  0s ⏱️
 2 suites   0 💤
 2 files     0 ❌

Results for commit da656ff.

♻️ This comment has been updated with latest results.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

Note

Detected that there are differences in the Gradle dependencies.

@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Feb 27, 2026

Fix Validation Evidence

Outcome: Fix/Feature Proven Successfully

Evidence Summary

Regression tests comparing source-snowflake v1.0.8 (control) against the PR build (target) passed all 4 test phases: spec, check, discover, and read. The security update (base image bump to java-connector-base:2.0.4 + CDK bump to 1.0.1) introduces no regressions. Pre-release image airbyte/source-snowflake:1.0.9-preview.7fa963f was successfully published.

Live connection testing was not performed because all internal Airbyte organization connections are stale (no syncs within 48 hours), and approval for external connection pinning is pending. However, the regression test results provide strong confidence that this dependency-only update does not break functionality.

Next Steps
  1. This PR appears ready for review and merge — all regression tests passed and the changes are limited to dependency version bumps.
  2. For broader validation before release, consider running /ai-canary-prerelease to test on additional connections.
  3. The weekly /ai-release-manager will automatically monitor the release rollout after merge.

Connector & PR Details

Connector: source-snowflake
PR: #74081
Pre-release Version Tested: 1.0.9-preview.7fa963f
Detailed Results: https://github.com/airbytehq/oncall/issues/11323#issuecomment-3971002850

Changes:

  • Base image: java-connector-base:2.0.22.0.4
  • CDK version: 0.1.311.0.1
  • Connector version: 1.0.81.0.9
Evidence Plan

Proving Criteria

A sync that previously succeeded on 1.0.8 also succeeds on 1.0.9-preview with the updated base image and CDK, demonstrating no regression from the security update.

Disproving Criteria

  • Syncs that were succeeding on 1.0.8 fail on 1.0.9-preview
  • New errors appear related to the base image or CDK upgrade

Cases Attempted

  1. Regression Tests (comparison mode): Control=v1.0.8, Target=PR build. All 4 verbs passed (spec, check, discover, read). Workflow run
  2. Live Connection Tests: Not executed — internal connections are stale; external connection pinning pending approval.
Pre-flight Checks
  • Viability: Fix addresses the reported issue — dependency bumps resolve CVEs (GLib, SQLite, libxml2)
  • Safety: No malicious code — changes limited to version numbers in build files
  • Breaking Change: No breaking changes (no schema, spec, stream, state, or PK/cursor changes)
  • Reversibility: Can be safely downgraded to v1.0.8
Detailed Evidence Log

2026-02-27 06:04 UTC — Regression tests triggered (comparison mode: v1.0.8 vs PR build)
2026-02-27 06:11 UTC — Regression tests completed successfully:

  • SPEC: success
  • CHECK: success
  • DISCOVER: success
  • READ: success (skip_read=false)
  • Internal failure: false
  • All tests passed: true

2026-02-27 06:09 UTC — Pre-release publish triggered (retry after initial Docker Hub login failure)
2026-02-27 ~06:16 UTC — Pre-release image airbyte/source-snowflake:1.0.9-preview.7fa963f published successfully

Note: Detailed connection information recorded in the linked private oncall issue.


Devin session

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-9hgreoamq-airbyte-growth.vercel.app

Built with commit da656ff.
This pull request is being automatically deployed with vercel-action

@github-actions
Copy link
Contributor

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.7fa963f
and are available for version pinning via the scoped_configuration API.

View workflow run

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.7fa963f
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS

Docker image (pre-release):
airbyte/source-snowflake:1.0.9-preview.7fa963f

Docker Hub: https://hub.docker.com/layers/airbyte/source-snowflake/1.0.9-preview.7fa963f

Registry JSON:

@rodireich
Copy link
Contributor Author

Pin preview to connection eb06e735-6192-4426-ae9c-8f32ce829ee1

@rodireich Rodi Reich Zilberman (rodireich) changed the title Bump the base image and the CDK version in source-snowflake to receiv… fix: Bump the base image and the CDK version in source-snowflake to receiv… Feb 27, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.da656ff
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS

Docker image (pre-release):
airbyte/source-snowflake:1.0.9-preview.da656ff

Docker Hub: https://hub.docker.com/layers/airbyte/source-snowflake/1.0.9-preview.da656ff

Registry JSON:

@rodireich Rodi Reich Zilberman (rodireich) marked this pull request as ready for review February 27, 2026 07:33
Copy link
Contributor

@mwbayley Matt Bayley (mwbayley) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if we can reduce scope here or maybe I'm missing something.

Comment on lines +21 to +25
connectorIPCOptions:
dataChannel:
version: "0.0.2"
supportedSerialization: ["JSONL", "PROTOBUF"]
supportedTransport: ["SOCKET", "STDIO"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this source really support speed? How did we test it? Should we maybe decouple the security patching from the speed feature?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested on a live connection.
Everything seems to be working.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now I see that we already sent the preview build to the customer, so these changes together are good with me

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏

Copy link
Contributor

@mwbayley Matt Bayley (mwbayley) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants