From c32a11df6edd0f18fc85c2658a9b89e3dc1e687a Mon Sep 17 00:00:00 2001
From: Devin Smith
Date: Wed, 21 Feb 2024 12:03:36 -0800
Subject: [PATCH] Bump calcite to 1.36.0, add json-path constraint
https://calcite.apache.org/news/2023/07/26/release-1.35.0/
https://calcite.apache.org/news/2023/11/10/release-1.36.0/
Fixes CVE-2023-51074
---
 sql/build.gradle | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sql/build.gradle b/sql/build.gradle
index 8d4d5b9408c..77386d42c70 100644
--- a/sql/build.gradle
+++ b/sql/build.gradle
@@ -8,7 +8,14 @@ description = 'The Deephaven SQL parser'
 dependencies {
 api project(':qst')
- implementation 'org.apache.calcite:calcite-core:1.34.0'
+ implementation 'org.apache.calcite:calcite-core:1.36.0'
+ constraints {
+ // This constraint can be removed once calcite-core has next release and we can
+ // pick up the fixed dependency transitively.
+ implementation('com.jayway.jsonpath:json-path:2.9.0') {
+ because 'json-path Out-of-bounds Write vulnerability, CVE-2023-51074'
+ }
+ }
 Classpaths.inheritImmutables(project)
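Review bot: The comment above the new `constraints` block gives no testable condition for removing the pin. "Once calcite-core has next release" does not say which json-path version that release must bring in, so the constraint could be dropped while calcite-core still resolves a json-path affected by CVE-2023-51074. I would reword it as `// Remove only after calcite-core itself depends on json-path >= 2.9.0; confirm with dependencyInsight --dependency json-path --configuration runtimeClasspath on this project.` The constraint is also declared on `implementation` in this project only, so any other module that reaches json-path by a different route is presumably not covered; the hunk does not show enough to confirm that. The `dependencies` block continues past the end of the hunk.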