Type: Bug
Resolution: Unresolved
Priority: Minor
I was scanning all our Jenkins plugins using JFrog Xray and found that the Performance Plugin has a dependency on HyperSQL Database (HSQLDB). This dependency includes two Java classes (java.sql.Statement and java.sql.PreparedStatement) which are vulnerable to the critical vulnerability CVE-2022-41853.
As per the security ticket raised here: SECURITY-3436, your team has confirmed that these classes (java.sql.Statement and java.sql.PreparedStatement) from HSQLDB are not used in this plugin as a transitive dependency of the net.sf.ucanaccess library. Could you please confirm this?
However, I noticed that the JAR file hsqldb-2.5.0.jar is present in the plugin code, which may contain these classes (java.sql.Statement and java.sql.PreparedStatement).
Could you please consider updating the HSQLDB JAR to the latest version or at least version 2.7.1?
For more information, please refer to the Jira ticket here: SECURITY-3436.
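A practitioner triaging a finding like this wants to confirm it from the built artifact rather than from the scanner report: which HSQLDB JAR is actually bundled in the plugin's .hpi, what version it declares, and whether that version is below the 2.7.1 release in which CVE-2022-41853 was fixed. The script below is an added example, not code from this ticket, the Performance Plugin or JFrog Xray. It assumes the standard Jenkins plugin layout (dependency JARs under WEB-INF/lib/ inside the .hpi, which is itself a ZIP), and the sample .hpi it inspects is constructed in memory by build_sample_hpi so the script runs offline; the class names and manifest contents in that sample are constructed, not copied from a real release.

```python
import io
import re
import zipfile

# CVE-2022-41853 is fixed in HSQLDB 2.7.1 and later, so anything below this is flagged.
MIN_FIXED = (2, 7, 1)


def parse_version(text):
    """Extract the first x.y or x.y.z version number from a filename or manifest line."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def bundled_hsqldb(hpi_bytes):
    """Return one record per JAR under WEB-INF/lib/ that ships org.hsqldb classes.

    The version is taken from the JAR's Implementation-Version manifest attribute,
    falling back to the version embedded in the JAR filename.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for name in hpi.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(hpi.read(name))) as jar:
                entries = jar.namelist()
                # Decide by contents, not filename: a shaded JAR could carry HSQLDB under another name.
                if not any(e.startswith("org/hsqldb/") and e.endswith(".class") for e in entries):
                    continue
                version = None
                if "META-INF/MANIFEST.MF" in entries:
                    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    for line in manifest.splitlines():
                        if line.startswith("Implementation-Version:"):
                            version = parse_version(line)
                if version is None:
                    version = parse_version(name.rsplit("/", 1)[-1])
            findings.append({
                "jar": name,
                "version": version,
                # Unknown version is treated as vulnerable so it is not silently skipped.
                "vulnerable": version is None or version < MIN_FIXED,
            })
    return findings


def _make_jar(entries):
    """Build a minimal in-memory JAR (ZIP) from a dict of path -> bytes/str. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


def build_sample_hpi(hsqldb_version="2.5.0"):
    """Constructed .hpi with a fake hsqldb JAR and an unrelated JAR; not a real plugin release."""
    hsqldb_jar = _make_jar({
        "META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\nImplementation-Version: {hsqldb_version}\n",
        "org/hsqldb/jdbc/JDBCStatement.class": b"\xca\xfe\xba\xbe",  # class-file magic, stub body
    })
    other_jar = _make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "net/ucanaccess/jdbc/UcanaccessDriver.class": b"\xca\xfe\xba\xbe",
    })
    return _make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        f"WEB-INF/lib/hsqldb-{hsqldb_version}.jar": hsqldb_jar,
        "WEB-INF/lib/ucanaccess-5.0.1.jar": other_jar,
    })


if __name__ == "__main__":
    for rec in bundled_hsqldb(build_sample_hpi("2.5.0")):
        print(rec)
```

To run it against a real plugin, replace build_sample_hpi(...) with the bytes of the downloaded .hpi (open(path, "rb").read()). Note that this only answers "is a vulnerable HSQLDB version shipped"; it says nothing about whether the plugin's code path ever reaches HSQLDB's JDBC statement handling, which is the separate question the ticket asks the maintainers to confirm.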