antville/antville
antville/antville
1
1
Fork 0
Code Issues 48 Pull requests 17 Projects Releases 9 Wiki Activity Actions 2

Update dependency com.h2database:h2 to v2 [SECURITY] #475

Merged
tobi merged 1 commit from renovate/maven-com.h2database-h2-vulnerability into main 2025-10-02 19:51:06 +00:00
Conversation 2 Commits 1 Files changed 1 -3
renovate-bot commented 2025-01-03 19:30:18 +00:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.h2database:h2 (source) 1.4.200 -> 2.2.220 age adoption passing confidence

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Improper Restriction of XML External Entity Reference in com.h2database:h2.

CVE-2021-23463 / GHSA-7rpj-hg47-cx62

More information

Details

H2 is an embeddable RDBMS written in Java. The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

RCE in H2 Console

CVE-2021-42392 / GHSA-h376-j262-vhq6

More information

Details

Impact

H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.

H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet).

It is also possible to load them by creation a linked table in these versions, but it requires ADMIN privileges and user with ADMIN privileges has full access to the Java process by design. These privileges should never be granted to untrusted users.

Patches

Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used.

Workarounds

H2 Console should never be available to untrusted users.

-webAllowOthers is a dangerous setting that should be avoided.

H2 Console Servlet deployed on a web server can be protected with a security constraint:
https://h2database.com/html/tutorial.html#usingH2ConsoleServlet
If webAllowOthers is specified, you need to uncomment and edit <security-role> and <security-constraint> as necessary. See documentation of your web server for more details.

References

This issue was found and privately reported to H2 team by JFrog Security's vulnerability research team with detailed information.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Arbitrary code execution in H2 Console

CVE-2022-23221 / GHSA-45hx-wfhj-473x

More information

Details

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Password exposure in H2 Database

CVE-2022-45868 / GHSA-22wj-vf5f-wrvj

More information

Details

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.h2database:h2](https://h2database.com) ([source](https://github.com/h2database/h2database)) | `1.4.200` -> `2.2.220` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.h2database:h2/2.2.220?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.h2database:h2/2.2.220?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.h2database:h2/1.4.200/2.2.220?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.h2database:h2/1.4.200/2.2.220?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Improper Restriction of XML External Entity Reference in com.h2database:h2. [CVE-2021-23463](https://nvd.nist.gov/vuln/detail/CVE-2021-23463) / [GHSA-7rpj-hg47-cx62](https://github.com/advisories/GHSA-7rpj-hg47-cx62) <details> <summary>More information</summary> #### Details H2 is an embeddable RDBMS written in Java. The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. #### Severity - CVSS Score: 8.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-23463](https://nvd.nist.gov/vuln/detail/CVE-2021-23463) - [https://github.com/h2database/h2database/issues/3195](https://github.com/h2database/h2database/issues/3195) - [https://github.com/h2database/h2database/pull/3199](https://github.com/h2database/h2database/pull/3199) - [https://github.com/h2database/h2database/pull/3199#issuecomment-1002830390](https://github.com/h2database/h2database/pull/3199#issuecomment-1002830390) - [https://github.com/boris-unckel/h2database/commit/f9ad6aef2bfa59eba2b4d3e7c4c32d2cce8e8b05](https://github.com/boris-unckel/h2database/commit/f9ad6aef2bfa59eba2b4d3e7c4c32d2cce8e8b05) - [https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3](https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3) - [https://github.com/h2database/h2database](https://github.com/h2database/h2database) - [https://security.netapp.com/advisory/ntap-20230818-0010](https://security.netapp.com/advisory/ntap-20230818-0010) - [https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238](https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238) - [https://www.oracle.com/security-alerts/cpuapr2022.html](https://www.oracle.com/security-alerts/cpuapr2022.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7rpj-hg47-cx62) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### RCE in H2 Console [CVE-2021-42392](https://nvd.nist.gov/vuln/detail/CVE-2021-42392) / [GHSA-h376-j262-vhq6](https://github.com/advisories/GHSA-h376-j262-vhq6) <details> <summary>More information</summary> #### Details ##### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ##### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ##### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `<security-role>` and `<security-constraint>` as necessary. See documentation of your web server for more details. ##### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information. #### Severity - CVSS Score: 9.8 / 10 (Critical) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` #### References - [https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6](https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6) - [https://nvd.nist.gov/vuln/detail/CVE-2021-42392](https://nvd.nist.gov/vuln/detail/CVE-2021-42392) - [https://github.com/h2database/h2database](https://github.com/h2database/h2database) - [https://github.com/h2database/h2database/releases/tag/version-2.0.206](https://github.com/h2database/h2database/releases/tag/version-2.0.206) - [https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console](https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console) - [https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html](https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html) - [https://security.netapp.com/advisory/ntap-20220119-0001](https://security.netapp.com/advisory/ntap-20220119-0001) - [https://www.debian.org/security/2022/dsa-5076](https://www.debian.org/security/2022/dsa-5076) - [https://www.oracle.com/security-alerts/cpuapr2022.html](https://www.oracle.com/security-alerts/cpuapr2022.html) - [https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console](https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-h376-j262-vhq6) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Arbitrary code execution in H2 Console [CVE-2022-23221](https://nvd.nist.gov/vuln/detail/CVE-2022-23221) / [GHSA-45hx-wfhj-473x](https://github.com/advisories/GHSA-45hx-wfhj-473x) <details> <summary>More information</summary> #### Details H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. #### Severity - CVSS Score: 9.8 / 10 (Critical) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-23221](https://nvd.nist.gov/vuln/detail/CVE-2022-23221) - [https://github.com/h2database/h2database](https://github.com/h2database/h2database) - [https://github.com/h2database/h2database/releases/tag/version-2.1.210](https://github.com/h2database/h2database/releases/tag/version-2.1.210) - [https://github.com/h2database/h2database/security/advisories](https://github.com/h2database/h2database/security/advisories) - [https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html](https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html) - [https://security.netapp.com/advisory/ntap-20230818-0011](https://security.netapp.com/advisory/ntap-20230818-0011) - [https://twitter.com/d0nkey_man/status/1483824727936450564](https://twitter.com/d0nkey_man/status/1483824727936450564) - [https://www.debian.org/security/2022/dsa-5076](https://www.debian.org/security/2022/dsa-5076) - [https://www.oracle.com/security-alerts/cpuapr2022.html](https://www.oracle.com/security-alerts/cpuapr2022.html) - [https://www.oracle.com/security-alerts/cpujul2022.html](https://www.oracle.com/security-alerts/cpujul2022.html) - [http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html](http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html) - [http://seclists.org/fulldisclosure/2022/Jan/39](http://seclists.org/fulldisclosure/2022/Jan/39) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-45hx-wfhj-473x) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Password exposure in H2 Database [CVE-2022-45868](https://nvd.nist.gov/vuln/detail/CVE-2022-45868) / [GHSA-22wj-vf5f-wrvj](https://github.com/advisories/GHSA-22wj-vf5f-wrvj) <details> <summary>More information</summary> #### Details The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." #### Severity - CVSS Score: 7.8 / 10 (High) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-45868](https://nvd.nist.gov/vuln/detail/CVE-2022-45868) - [https://github.com/h2database/h2database/issues/3686](https://github.com/h2database/h2database/issues/3686) - [https://github.com/h2database/h2database/pull/3833](https://github.com/h2database/h2database/pull/3833) - [https://github.com/h2database/h2database/commit/581ed18ff9d6b3761d851620ed88a3994a351a0d](https://github.com/h2database/h2database/commit/581ed18ff9d6b3761d851620ed88a3994a351a0d) - [https://github.com/advisories/GHSA-22wj-vf5f-wrvj](https://github.com/advisories/GHSA-22wj-vf5f-wrvj) - [https://github.com/h2database/h2database](https://github.com/h2database/h2database) - [https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347](https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347) - [https://github.com/h2database/h2database/releases/tag/version-2.2.220](https://github.com/h2database/h2database/releases/tag/version-2.2.220) - [https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243](https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-22wj-vf5f-wrvj) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJqYXZhIiwibWFqb3IiLCJydW50aW1lIiwic2VjdXJpdHkiLCJ1cmdlbnQiXX0=-->
renovate-bot added the
java
major
runtime
security
urgent
 labels 2025-01-03 19:30:18 +00:00
renovate-bot added 1 commit 2025-01-03 19:30:19 +00:00
renovate-bot scheduled this pull request to auto merge when all checks succeed 2025-01-03 19:30:20 +00:00
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 1a7f847f85 to 36489e6955 2025-01-03 19:32:35 +00:00 Compare
tobi commented 2025-01-03 19:35:17 +00:00
Owner
Copy link

Copied from https://github.com/antville/antville/pull/309#issuecomment-991704185:

In version 2 of H2 value is a reserved keyword. Thus, the postgre.sql script fails to create the metadata table when running ./gradlew :antclick:build.

While this can be worked around by wrapping the keyword in quotes ("value"), it still causes problems in subsequent SQL statements because Helma still tries to access the column without quotes.

Renaming the column and adding an updater script for existing databases seems to be a better solution.

_Copied from https://github.com/antville/antville/pull/309#issuecomment-991704185:_ In version 2 of H2 `value` is a reserved keyword. Thus, the `postgre.sql` script fails to create the `metadata` table when running `./gradlew :antclick:build`. While this can be worked around by wrapping the keyword in quotes (`"value"`), it still causes problems in subsequent SQL statements because Helma still tries to access the column without quotes. Renaming the column and adding an updater script for existing databases seems to be a better solution.
tobi added the
needs work
 label 2025-01-03 19:35:27 +00:00
tobi self-assigned this 2025-01-03 19:35:30 +00:00
tobi changed title from Update dependency com.h2database:h2 to v2 [SECURITY] to WIP: Update dependency com.h2database:h2 to v2 [SECURITY] 2025-01-03 19:35:33 +00:00
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 36489e6955 to 16041aecda 2025-01-03 20:43:02 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 16041aecda to d085c0b0ef 2025-01-03 21:43:03 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from d085c0b0ef to 0d0a357ea5 2025-01-03 22:43:01 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 0d0a357ea5 to d83f2d6cda 2025-02-15 14:42:47 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from d83f2d6cda to 6ef29c8f22 2025-02-15 16:43:07 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 6ef29c8f22 to c98d67c4db 2025-02-15 17:42:25 +00:00 Compare
tobi changed title from WIP: Update dependency com.h2database:h2 to v2 [SECURITY] to Update dependency com.h2database:h2 to v2 [SECURITY] 2025-02-15 19:32:47 +00:00
tobi force-pushed renovate/maven-com.h2database-h2-vulnerability from c98d67c4db to 268af94c97 2025-02-15 19:32:51 +00:00 Compare
tobi canceled auto merging this pull request when all checks succeed 2025-02-15 19:33:35 +00:00
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 268af94c97 to 7f330e9e34 2025-02-15 20:42:24 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 7f330e9e34 to 4d0e49c667 2025-03-01 15:42:57 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 4d0e49c667 to 5b7a86bc9d 2025-03-01 17:42:55 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 5b7a86bc9d to 4958ceab1c 2025-03-01 18:43:05 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 4958ceab1c to d594d00d7a 2025-04-22 19:42:59 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from d594d00d7a to 81098fc91c 2025-04-22 20:07:37 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 81098fc91c to f1bfe232f3 2025-04-22 20:42:51 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from f1bfe232f3 to d5dcd45ff4 2025-05-24 20:42:46 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from d5dcd45ff4 to ff97bd12ef 2025-05-25 15:42:48 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from ff97bd12ef to 9733a4d5ba 2025-05-25 16:42:47 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 9733a4d5ba to dc37ff236a 2025-05-25 21:43:03 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from dc37ff236a to b5ebf674e3 2025-05-27 18:42:31 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from b5ebf674e3 to 00e5104207 2025-05-28 21:42:29 +00:00 Compare
renovate-bot force-pushed renovate/maven-com.h2database-h2-vulnerability from 00e5104207 to 22013f2267 2025-05-29 22:42:34 +00:00 Compare
tobi added 3 commits 2025-05-30 20:24:36 +00:00 
See <https://www.h2database.com/html/commands.html#set_non_keywords>
tobi commented 2025-05-30 20:27:42 +00:00
Owner
Copy link

In version 2 of H2 value is a reserved keyword. Thus, the postgre.sql script fails to create the metadata table when running ./gradlew :antclick:build.

Found the compatibility setting non_keywords that should be good enough for AntClick:

There is a compatibility setting SET NON_KEYWORDS that can be used as a temporary workaround for applications that use keywords as unquoted identifiers. — (Source, at the bottom of the section)

Added the string to the JDBC URLs accordingly in 67573db0e0.

> In version 2 of H2 `value` is a reserved keyword. Thus, the `postgre.sql` script fails to create the `metadata` table when running `./gradlew :antclick:build`. Found the compatibility setting [`non_keywords`](https://www.h2database.com/html/commands.html#set_non_keywords) that should be good enough for AntClick: > There is a compatibility setting `SET NON_KEYWORDS` that can be used as a temporary workaround for applications that use keywords as unquoted identifiers. — _([Source](https://www.h2database.com/html/advanced.html#keywords), at the bottom of the section)_ Added the string to the JDBC URLs accordingly in 67573db0e0bcabcc4c94034ba9529145110bfeb1.
tobi merged commit ae79a59639 into main 2025-05-30 20:28:00 +00:00
tobi deleted branch renovate/maven-com.h2database-h2-vulnerability 2025-05-30 20:28:01 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
antville.org

   
bug

   
compatibility

   
dependency

Pull request that updates a dependency file

  
duplicate

   
enhancement

   
help wanted

   
invalid

   
java

Pull requests that update Java code

  
javascript

Pull requests that update Javascript code

  
major

   
needs feedback

   
needs work

   
no-issue-activity

   
runtime

   
security

   
urgent

   
usability

   
wontfix
No labels
antville.org
bug
compatibility
dependency
duplicate
enhancement
help wanted
invalid
java
javascript
major
needs feedback
needs work
no-issue-activity
runtime
security
urgent
usability
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
tobi
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: antville/antville#475
No description provided.
Delete branch "renovate/maven-com.h2database-h2-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?