[
https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17844334#comment-17844334
]
Igor Soarez commented on KAFKA-16645:
-
The vulnerability report flags {{libexpat}} version {{{}2.5.0-r2{}}}. Both
{{apache/kafka:3.7.0}} and {{apache/kafka:latest}} ship with the library:
{code:java}
$ docker run --rm -it apache/kafka:3.7.0 -- apk list | grep libexpat
libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]~ak trunk ⇣
$ docker run --rm -it apache/kafka:latest -- apk list | grep libexpat
libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]{code}
Neither Kafka nor its container image directly depend on {{{}libexpat{}}}. The
library is instead bundled into the [base image
{{eclipse-temurin:21-jre-alpine}}|https://github.com/apache/kafka/blob/21bf715622e9d05984fa8a2a1f9f12d54b76ce41/docker/jvm/Dockerfile#L44].
{code:java}
$ docker run --rm -it eclipse-temurin:21-jre-alpine -- apk list | grep libexpat
libexpat-2.6.2-r0 aarch64 {expat} (MIT) [installed]
$ docker inspect eclipse-temurin:21-jre-alpine | jq -r '.[0].Created'
2024-04-23T20:51:38Z~ak/docker trunk ⇣
$ docker inspect apache/kafka:3.7.0 | jq -r '.[0].Created'
2024-02-09T14:51:42.808028351Z~ak/docker trunk ⇣
$ docker inspect apache/kafka:latest | jq -r '.[0].Created'
2024-02-09T14:51:42.808028351Z{code}
The vulnerability has already been addressed in the base image, under the same
image tag. To confirm, I ran the vulnerability scanner against a locally built
image.
{code:java}
$ python docker_build_test.py kafka/test -tag=localkafkaimg -type=jvm
-u=https://downloads.apache.org/kafka/3.7.0/kafka_2.13-3.7.0.tgz
(...)
$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy
image kafka/test:localkafkaimg -s CRITICAL,HIGH
2024-05-07T14:57:18Z INFO Need to update DB
2024-05-07T14:57:18Z INFO Downloading DB...
repository="ghcr.io/aquasecurity/trivy-db:2"
45.90 MiB / 45.90 MiB
[---]
100.00% 20.98 MiB p/s 2.4s
2024-05-07T14:57:22Z INFO Vulnerability scanning is enabled
2024-05-07T14:57:22Z INFO Secret scanning is enabled
2024-05-07T14:57:22Z INFO If your scanning is slow, please try
'--scanners vuln' to disable secret scanning
2024-05-07T14:57:22Z INFO Please see also
https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation
for faster secret detection
2024-05-07T14:57:23Z INFO Java DB Repository
repository=ghcr.io/aquasecurity/trivy-java-db:1
2024-05-07T14:57:23Z INFO Downloading the Java DB...
606.06 MiB / 606.06 MiB
[--]
100.00% 24.19 MiB p/s 25s
2024-05-07T14:57:49Z INFO The Java DB is cached for 3 days. If you want
to update the database more frequently, the '--reset' flag clears the DB cache.
2024-05-07T14:57:49Z INFO Detected OS family="alpine" version="3.19.1"
2024-05-07T14:57:49Z INFO [alpine] Detecting vulnerabilities...
os_version="3.19" repository="3.19" pkg_num=43
2024-05-07T14:57:49Z INFO Number of language-specific files num=1
2024-05-07T14:57:49Z INFO [jar] Detecting vulnerabilities...
kafka/test:localkafkaimg (alpine 3.19.1)
Total: 0 (HIGH: 0, CRITICAL: 0){code}
I don't think we republish releases without a version change, so unless we want
to create an exception for container images and republish the {{3.7.0}} and
{{latest}} tags now, so I propose we take no action here as the next images
built will not have these issues.
Please let me know if you disagree.
> CVEs in 3.7.0 docker image
> --
>
> Key: KAFKA-16645
> URL: https://issues.apache.org/jira/browse/KAFKA-16645
> Project: Kafka
> Issue Type: Task
>Affects Versions: 3.7.0
>Reporter: Mickael Maison
>Priority: Blocker
> Fix For: 3.8.0, 3.7.1
>
>
> Our [Docker Image CVE
> Scanner|https://github.com/apache/kafka/actions/runs/874393] GitHub
> action reports 2 high CVEs in our base image:
> apache/kafka:3.7.0 (alpine 3.19.1)
> ==
> Total: 2 (HIGH: 2, CRITICAL: 0)
> ┌──┬┬──┬┬───┬───┬─┐
> │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed
> Version │Title│
> ├──┼┼──┼┼───┼───┼─┤
> │ libexpat │ CVE-2023-52425 │ HIGH │ fixed │ 2.5.0-r2 │
> 2.6.0-r0 │ expat: parsing large tokens can trigger a denial of
