We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
We take the security of SQLAlchemy JDBC/ODBC API seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:

- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed
Report security vulnerabilities by emailing: danesh_patel@outlook.com
Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you report a vulnerability, you can expect the following:

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We will confirm the vulnerability and determine its severity within 7 days
- Fix Development: We will work on a fix and keep you informed of progress
- Release: Once a fix is ready, we will:
  - Release a security update
  - Publicly disclose the vulnerability in our CHANGELOG
  - Credit you for the discovery (unless you prefer to remain anonymous)

Security updates:

- Security updates will be released as soon as possible after validation
- Users will be notified via:
  - GitHub Security Advisories
  - Release notes in CHANGELOG.md
  - PyPI release announcements
When using SQLAlchemy JDBC/ODBC API:
- Keep dependencies updated: Regularly update to the latest version
- Use parameterized queries: Always use SQLAlchemy's parameter binding to prevent SQL injection
- Secure connection strings: Never hardcode credentials; use environment variables or secure vaults
- Validate input: Validate and sanitize all user input before using it in queries
- Use HTTPS/TLS: Always use encrypted connections to databases when possible
- Limit permissions: Use database accounts with minimal required privileges
- Review JVM security: When using JDBC, ensure your JVM security settings are appropriate
- Keep JVM/JDBC drivers updated: Update Java runtime and JDBC drivers regularly
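The "parameterized queries" and "secure connection strings" items above, as an added Python example (this is not code from the SQLAlchemy JDBC/ODBC API project). It uses an in-memory SQLite engine as a stand-in for a JDBC/ODBC backend, a constructed `users` table, and a classic injection string to show why string-spliced SQL fails while SQLAlchemy's `:name` binding treats the same input as plain data. The `DB_*` environment variable names and the `postgresql` driver name in `url_from_env` are assumptions for the demonstration.

```python
import os
from typing import List, Mapping

from sqlalchemy import create_engine, text
from sqlalchemy.engine import URL
from sqlalchemy.pool import StaticPool


def build_demo_engine():
    """Constructed in-memory database; StaticPool keeps one SQLite connection
    so the seeded table stays visible to every execute() below."""
    engine = create_engine("sqlite+pysqlite:///:memory:", poolclass=StaticPool)
    with engine.begin() as conn:
        conn.execute(text("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"))
        conn.execute(
            text("INSERT INTO users (name, role) VALUES (:name, :role)"),
            [{"name": "alice", "role": "admin"}, {"name": "bob", "role": "user"}],
        )
    return engine


def find_user_unsafe(engine, name: str) -> List[str]:
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text."""
    stmt = text(f"SELECT name FROM users WHERE name = '{name}'")
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(stmt)]


def find_user_safe(engine, name: str) -> List[str]:
    """Hardened pattern: the :name placeholder binds the value as data, never as SQL."""
    stmt = text("SELECT name FROM users WHERE name = :name")
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(stmt, {"name": name})]


# Constructed injection input: closes the quoted literal and appends an always-true clause.
INJECTED_NAME = "' OR '1'='1"


def compare_query_styles() -> dict:
    """Run both styles against the same input and return what each one leaks."""
    engine = build_demo_engine()
    return {
        "unsafe": find_user_unsafe(engine, INJECTED_NAME),      # every row comes back
        "safe": find_user_safe(engine, INJECTED_NAME),          # no user has that literal name
        "safe_real_user": find_user_safe(engine, "alice"),      # normal lookups still work
    }


# Assumed variable names; adapt to your deployment's secret store or vault integration.
REQUIRED_VARS = ("DB_USER", "DB_PASSWORD", "DB_HOST", "DB_NAME")


def url_from_env(env: Mapping[str, str] = os.environ) -> URL:
    """Build the connection URL from the environment instead of a hardcoded string."""
    missing = [v for v in REQUIRED_VARS if not env.get(v)]
    if missing:
        raise RuntimeError(f"missing database settings: {', '.join(missing)}")
    # 'postgresql' is a placeholder driver name; use the JDBC/ODBC dialect you actually run.
    return URL.create(
        drivername="postgresql",
        username=env["DB_USER"],
        password=env["DB_PASSWORD"],
        host=env["DB_HOST"],
        database=env["DB_NAME"],
    )


if __name__ == "__main__":
    print(compare_query_styles())
    demo_env = {"DB_USER": "app", "DB_PASSWORD": "s3cret-example",
                "DB_HOST": "db.internal", "DB_NAME": "orders"}
    # render_as_string(hide_password=True) masks the secret in logs and error output.
    print(url_from_env(demo_env).render_as_string(hide_password=True))
```

Running it shows the unsafe query returning both `alice` and `bob` for the injected input while the bound query returns nothing, and the URL rendered for logging never contains the password.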
JDBC driver security:

- JDBC drivers are downloaded from Maven Central by default
- Drivers are verified using SHA-256 checksums when available
- We recommend specifying driver versions explicitly in production environments

JVM security:

- The library uses JPype1 to interact with the JVM
- Ensure your Java runtime is kept up-to-date with security patches
- Consider JVM security policies for production deployments

ODBC driver security:

- ODBC drivers should be obtained from official vendor sources
- Ensure ODBC drivers are kept up-to-date with security patches
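The checksum check described under JDBC driver security, as an added Python example of what a deployment can run itself on a pinned driver jar before loading it (this is not the project's own verification code). It assumes the Maven-style sidecar format, where a `.sha256` file holds the hex digest optionally followed by the file name; the driver coordinates and jar bytes are constructed placeholders. The "when available" case is handled explicitly: strict mode refuses a driver that has no published checksum rather than loading it unverified.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Optional

# Placeholder coordinates, not a real artifact; pin the exact version you have vetted.
PINNED_DRIVER = "org.example:example-jdbc:1.2.3"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large jars are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_sidecar(content: str) -> str:
    """Extract the hex digest from a Maven-style .sha256 sidecar ('<hex>  <filename>')."""
    stripped = content.strip()
    token = stripped.split()[0] if stripped else ""
    if len(token) != 64 or any(c not in "0123456789abcdefABCDEF" for c in token):
        raise ValueError("sidecar does not contain a SHA-256 hex digest")
    return token.lower()


def verify_driver(jar_path: Path, sidecar_content: Optional[str], strict: bool = True) -> bool:
    """Return True only when the jar's digest matches the published checksum.

    With no published checksum, strict mode raises instead of silently
    accepting the driver; lenient mode reports it as unverified (False).
    """
    if sidecar_content is None:
        if strict:
            raise ValueError(f"no checksum available for {jar_path.name}; refusing in strict mode")
        return False
    expected = parse_checksum_sidecar(sidecar_content)
    actual = sha256_of_file(jar_path)
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(actual, expected)


def run_demo() -> dict:
    """Constructed scenario: a stand-in jar, its correct sidecar, and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "example-jdbc-1.2.3.jar"
        jar.write_bytes(b"PK\x03\x04 constructed stand-in for a driver jar")
        good_sidecar = hashlib.sha256(jar.read_bytes()).hexdigest() + "  example-jdbc-1.2.3.jar\n"

        tampered = Path(tmp) / "example-jdbc-1.2.3-tampered.jar"
        tampered.write_bytes(jar.read_bytes() + b"\x00injected")

        lenient_result = verify_driver(jar, None, strict=False)
        try:
            verify_driver(jar, None, strict=True)
            strict_refused = False
        except ValueError:
            strict_refused = True

        return {
            "genuine_ok": verify_driver(jar, good_sidecar),
            "tampered_rejected": not verify_driver(tampered, good_sidecar),
            "missing_checksum_lenient": lenient_result,
            "missing_checksum_strict_refused": strict_refused,
        }


if __name__ == "__main__":
    print(PINNED_DRIVER, run_demo())
```

In production the sidecar content would come from the same repository as the jar, and the expected digest ideally from a value you recorded when vetting the pinned version, so that a compromised mirror cannot supply both a modified jar and a matching checksum.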
We regularly monitor and update our dependencies. Key dependencies include:
- SQLAlchemy (>= 2.0)
- JPype1 (>= 1.5.0) for JDBC support
- pyodbc (>= 5.0.0) for ODBC support (optional)
Please review the security advisories for these dependencies as well.
We appreciate security researchers who help keep our project secure. Contributors who responsibly disclose vulnerabilities will be acknowledged here (with permission).
Thank you for helping keep SQLAlchemy JDBC/ODBC API and our users safe!