CVE Fixes#77
Conversation
There was a problem hiding this comment.
Review — CVE Fixes
The remediation approach is solid — resolutionStrategy.force + jackson-bom is the right pattern for transitive-dep CVEs, and the PR description's CVE→version mapping table is excellent.
Two cleanups requested + one verification step. See inline comments. Quick summary:
| ID | Severity | File | Issue |
|---|---|---|---|
| M1 | Medium | streaming-connect-{common,sink}/build.gradle |
snakeyaml and commons-codec declared as direct implementation deps despite zero direct usage in the codebase. force already covers the CVE. |
| M2 | Medium | build.gradle |
Comment references CVE.md which doesn't exist in the repo. |
| L1 | Low | .gitignore |
.cursor/* is editor-specific and unrelated to CVE work — recommend dropping or splitting. |
| L2 | Low (nit) | dependencies.gradle |
jackson-bom comment wording. |
| V1 | Verify | dependencies.gradle |
SnakeYAML 1.16 → 2.0 changes default Yaml() Constructor behavior. Run docker-compose smoke test. |
| V2 | Verify | dependencies.gradle |
Jackson 2.14 → 2.21 is a 7-minor jump. Codebase usage is conservative (no enableDefaultTyping, bare ObjectMapper), so ./gradlew test passing is sufficient. |
There was a problem hiding this comment.
Follow-up review (after commit 8427cc4)
Thanks for the quick turnaround. Status of the previous comments and a few new observations from the latest commit:
Status of v1 findings
| ID | Status | Notes |
|---|---|---|
M1 — snakeyaml/commons-codec as direct deps |
✅ Resolved | Removed from both module build.gradle files and from dependencies.gradle. |
M2 — comment referencing missing CVE.md |
✅ Resolved | Comment dropped from build.gradle. (Optional: a committed CVE.md with the description's table is still nice-to-have so the traceability survives squash-merge.) |
L1 — .cursor/* in .gitignore |
❌ Open | Still on line 60. Not blocking. |
| L2 — jackson-bom comment wording | ✅ N/A | Block was removed; pure resolution. (Minor regret — the comment was useful context; future readers will wonder why libraries.jackson lists bare GAVs. Replacing with a one-liner like // jackson-bom resolves versions for all Jackson modules would be ideal.) |
| V1 — SnakeYAML 2.0 breaking-change verification | ✅ N/A (but see N1 below) | The force 'org.yaml:snakeyaml:2.0' was removed entirely. |
| V2 — Jackson 2.14 → 2.21 verification | 🟡 Still applies | Version bump is still in place; ./gradlew test + a smoke run should be sufficient. |
New findings from this commit
| ID | Severity | Where | Issue |
|---|---|---|---|
| N1 | Medium | PR description / build.gradle |
Snakeyaml dropped from the force list, but the PR description still claims snakeyaml 1.16 → 2.0 remediates 8 CVEs. Either restore the pin or update the description so the audit trail matches reality. |
| N2 | Low | Dockerfile:13 |
Base image tag is now floating (eclipse-temurin:11-jre-alpine) — same Dockerfile can produce different images on different days. Pin to a specific Temurin tag for reproducibility. |
| N3 | Nit | Dockerfile:64 |
File lost its trailing newline. |
| + | Positive | Dockerfile:26-29 |
curl -fsSLO (fail-fast on HTTP errors) and explicit gpg --batch --verify are genuine security improvements over the previous version, which silently swallowed 404s and never verified signatures despite downloading them. Nicely done. |
N1 — explanation
The PR description still has this row in the CVE table:
snakeyaml | 1.16 → 2.0 | 8 (all snakeyaml CVEs)
But the latest build.gradle no longer pins org.yaml:snakeyaml, so if snakeyaml is being pulled in transitively at the vulnerable version (kafka-connect-runtime pulls 1.x through its config-parsing path, and so does jjwt 0.9 in some configurations), those 8 CVEs are not being remediated by this PR.
Two paths forward:
- Restore the force. Add
force 'org.yaml:snakeyaml:2.0'back. The breaking-change risk I flagged in V1 (SnakeYAML 2.0 default Constructor restricts arbitrary deserialization) is real but verifiable — run./gradlew clean buildplus a docker-compose smoke run and watch fororg.yaml.snakeyaml.constructor.ConstructorExceptionin connector startup logs. If clean, ship with the force. - Drop snakeyaml from the description. If you've confirmed via
./gradlew dependenciesthat no transitive path actually brings in vulnerable snakeyaml (or that what's pulled in isn't reachable at runtime), update the PR description to remove the snakeyaml row and add a sentence explaining the omission. That way the audit trail ingit log/ PR history matches the code.
| ## | ||
|
|
||
| FROM adoptopenjdk/openjdk11:jre-11.0.11_9-alpine | ||
| FROM eclipse-temurin:11-jre-alpine |
There was a problem hiding this comment.
[N2] Floating image tag.
eclipse-temurin:11-jre-alpine is a rolling tag — each docker build pulls whatever the current LTS 11 JRE image is, which trades reproducibility for free patches.
For a release artifact (especially one bundled into a Kafka Connect distribution), reproducible builds usually win. Consider pinning to a specific Temurin tag, e.g.:
FROM eclipse-temurin:11.0.24_8-jre-alpineThe migration off adoptopenjdk itself is correct — that image is deprecated. This is just about the tag specificity.
| curl -fsSLO "https://archive.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_DIST_TGZ}" && \ | ||
| curl -fsSLO "https://archive.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_DIST_ASC}" && \ | ||
| curl -fsSL https://downloads.apache.org/kafka/KEYS | gpg -q --import - && \ | ||
| gpg --batch --verify "${KAFKA_DIST_ASC}" "${KAFKA_DIST_TGZ}" && \ |
There was a problem hiding this comment.
[Positive] Real security improvements here. Two things worth calling out:
curl -fsSLOnow fails fast on HTTP errors. Previously, a 404 would silently save the HTML error page askafka-2.8.0.tgz, andtar xfzlater would either fail confusingly or — worse — succeed with junk. This is a genuine bug fix masquerading as a flag tweak.- The explicit
gpg --batch --verify "${KAFKA_DIST_ASC}" "${KAFKA_DIST_TGZ}"step closes a real gap — the previous Dockerfile downloaded the signature and KEYS file but never actually calledgpg --verify, so the chain of trust was theatre. Now it's real.
No action needed; just acknowledging.
| ENTRYPOINT ["/docker-entrypoint.sh"] | ||
|
|
||
| CMD ["./start-connect.sh"] | ||
| CMD ["./start-connect.sh"] No newline at end of file |
There was a problem hiding this comment.
[N3 — nit] Missing trailing newline.
The \ No newline at end of file marker shows this file lost its trailing \n. POSIX text files should end with a newline; most tooling handles either form fine, but some shell-driven CI checks complain. Easy to fix: re-save with a trailing newline. Not blocking.
| allprojects { | ||
| configurations.all { | ||
| resolutionStrategy { | ||
| force 'commons-codec:commons-codec:1.18.0' |
There was a problem hiding this comment.
Can we identify which other libraries are introducing older versions of these library?
| force 'commons-codec:commons-codec:1.18.0' | ||
| force 'org.apache.commons:commons-lang3:3.18.0' | ||
| force 'com.fasterxml.jackson.core:jackson-core:2.21.3' | ||
| force 'com.fasterxml.jackson.core:jackson-databind:2.21.3' |
There was a problem hiding this comment.
Versions can be referenced from dependencies.gradle, versions used across the project are controlled by this file.
|
|
||
| allprojects { | ||
| configurations.all { | ||
| resolutionStrategy { |
There was a problem hiding this comment.
Can we not add resolutionStrategy to line 292 configurations.all block ?
| ## | ||
|
|
||
| FROM adoptopenjdk/openjdk11:jre-11.0.11_9-alpine | ||
| FROM eclipse-temurin:11.0.31_11-jre-alpine |
There was a problem hiding this comment.
Just curious, is there issue with old jre version ?
|
@prasoon16081994 Can you please add git issue to this fix and list of vulnerable libraries in the issue. |
3 participants
Uh oh!
There was an error while loading. Please reload this page.