Welcome! Please see the About page for a little more info on how this works.

+1 vote
in Peer API by

When running Datomic on the Postgres storage, we wanted to exclude H2 from the Peer classpath, but this turns out not to be possible.

With the following deps.edn

{:deps      {com.datomic/datomic-pro   {:mvn/version "1.0.6362"
                                        :exclusions  [com.h2database/h2]}
             org.postgresql/postgresql {:mvn/version "42.3.1"}}
 :mvn/repos {"my.datomic.com" {:url "https://my.datomic.com/repo"}}}

trying to create the database leads to

(d/create-database "datomic:sql://test?jdbc:postgresql://localhost:5432/datomic?user=datomic")
Execution error (ClassNotFoundException) at java.net.URLClassLoader/findClass (URLClassLoader.java:387).

Is there another way to accomplish this?

The reason we want to exclude h2 from the classpath is because the maven artifact for h2 has several HIGH CVEs reported on it (https://mvnrepository.com/artifact/com.h2database/h2/1.3.172). I understand that Datomic does not run the H2 console and is also does not involve SQLXML, so it is probably not vulnerable to the specific CVEs, however, it would be an easy way to remove a dev-only dependency in a production deployment.

1 Answer

0 votes

Have you considered/tested overriding with an h2 version not suffering from the mentioned CVEs? I am supposing here that h2 is not actually used. Any advice on the latter would be welcome as well.