Andy Coates created KAFKA-14660:
-----------------------------------
Summary: Divide by zero security vulnerability
Key: KAFKA-14660
URL: https://issues.apache.org/jira/browse/KAFKA-14660
Project: Kafka
Issue Type: Bug
Components: streams
Affects Versions: 3.3.2
Reporter: Andy Coates
Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR
and, because the PR was never merged, is now reporting it as a security
vulnerability in the latest Kafka Streams library.
See:
* [Vulnerability: sonatype-2019-0422](https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
* [Original PR](https://github.com/apache/kafka/pull/7414)
While it looks from the comments made by [~mjsax] and [~bbejeck] that the
divide-by-zero is not really an issue, the fact that it's now being reported as
a vulnerability is, especially with regulators.
PITA, but we should consider either getting this vulnerability removed (Google
wasn't very helpful in providing info on how to do this), or fixed (again, not
sure how to tag the fix as fixing this issue). One option may just be to
reopen the PR and merge (and then fix forward by switching it to throw an
exception).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)