[
https://issues.apache.org/jira/browse/KAFKA-14660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682648#comment-17682648
]
Matthias J. Sax commented on KAFKA-14660:
-----------------------------------------
The original PR did not make sense, as if totalCapacity would really be zero,
there is a bug and just setting it to 1 does not sound right. I did already
merge a new PR that just raises an exception for this case, and thus avoid
divide-by-zero. This should resolve the issue.
> Divide by zero security vulnerability (sonatype-2019-0422)
> ----------------------------------------------------------
>
> Key: KAFKA-14660
> URL: https://issues.apache.org/jira/browse/KAFKA-14660
> Project: Kafka
> Issue Type: Bug
> Components: streams
> Affects Versions: 3.3.2
> Reporter: Andy Coates
> Assignee: Matthias J. Sax
> Priority: Minor
> Fix For: 3.5.0
>
>
> Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR
> and, because the PR was never merged, is now reporting it as a security
> vulnerability in the latest Kafka Streams library.
>
> See:
> * [Vulnerability:
> sonatype-2019-0422]([https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)]
> * [Original PR]([https://github.com/apache/kafka/pull/7414])
>
> While it looks from the comments made by [~mjsax] and [~bbejeck] that the
> divide-by-zero is not really an issue, the fact that its now being reported
> as a vulnerability is, especially with regulators.
> PITA, but we should consider either getting this vulnerability removed
> (Google wasn't very helpful in providing info on how to do this), or fixed
> (Again, not sure how to tag the fix as fixing this issue). One option may
> just be to reopen the PR and merge (and then fix forward by switching it to
> throw an exception).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
