Hello,

Kafka has the gradle dependency-check plugin configured, which can detect
when CVEs are issued for dependencies of the project. Now, more often than
not, those CVEs don't actually affect Kafka, but generally it's good to at
least consider them: every once in a while they might justify expediting an
update or applying a mitigation.

Currently I suspect few contributors ever run the report manually, and I
don't think it's published somewhere. The result is that people from
outside the project are posting Jira issues when these CVEs pop up in their
security scanning tooling, which seems like a missed opportunity.

Would it be interesting to (eventually automatically) create JIRA issues
for any CVEs flagged by dependency-check? I don't think that would create a
"dependabot-style" overwhelming amount of tickets: there are currently 9 CVEs
flagged when you exclude the :jmh-benchmarks subproject. It's not a problem
to make these JIRA tickets publicly available: given anyone can run that
report, and Kafka is not impacted by most CVEs in dependencies, we don't
consider the mere existence of those CVEs as sensitive information. When
someone looks into them and finds Kafka is impacted, it might be better to
continue the conversation on security@kafka.a.o. When people ask us about
CVEs flagged by their dependency scanners, we could point them to those
issues.

Looking further ahead, it would be great to have the conclusions of these
discussions in machine-readable form. For trunk, this could initially be
the dependencycheck suppressions file[0] for CVEs where Kafka is not
impacted. It might also be interesting to publish SBOM and VEX/VDR
descriptions where we can explicitly say we are or are not affected - if
there's sufficient interest, both for trunk and for currently-supported
releases.

I'd be happy to try things out and learn what might work best for Kafka!


Kind regards,

-- 
Arnout Engelen
ASF Security Response
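As an added illustration of the "machine-readable conclusions" idea above (this is example code, not part of the mail and not Kafka's own tooling): a Python sketch that reads a dependency-check suppressions file and emits a CycloneDX VEX document, one record per suppressed CVE. It assumes a project convention that the first line of a suppression's notes reads `vex:<justification>`; entries without such a line are emitted as `in_triage` rather than silently claimed as not affected. The CVE ids, package names and product reference are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of the dependency-check suppression schema.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
# CycloneDX 1.4 'analysis.justification' values allowed with state=not_affected.
JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration", "requires_dependency",
    "requires_environment", "protected_by_compiler", "protected_at_runtime",
    "protected_at_perimeter", "protected_by_mitigating_control",
}
# Constructed sample suppressions file; CVE ids and package names are placeholders.
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[vex:code_not_reachable
Placeholder: the vulnerable parser is never invoked by the broker.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/example\\-lib@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[Placeholder: suppressed without a recorded justification.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/other\\-lib@.*$</packageUrl>
    <cve>CVE-YYYY-MMMMM</cve>
  </suppress>
</suppressions>
"""

def parse_notes(notes: str):
    """Assumed convention: a first line 'vex:<justification>' records why a CVE does not apply."""
    first, _, rest = notes.strip().partition("\n")
    if first.startswith("vex:") and first[4:] in JUSTIFICATIONS:
        return first[4:], rest.strip()
    return None, notes.strip()

def suppressions_to_vex(xml_text: str, product_ref: str) -> dict:
    """Build a CycloneDX VEX document with one vulnerability record per suppressed CVE."""
    vulns = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        justification, detail = parse_notes(sup.findtext("s:notes", default="", namespaces=NS))
        for cve in sup.findall("s:cve", NS):
            if justification:  # recorded conclusion: the product is not affected
                analysis = {"state": "not_affected", "justification": justification,
                            "response": ["will_not_fix"], "detail": detail}
            else:  # suppressed but never justified: keep it visibly open for triage
                analysis = {"state": "in_triage", "detail": detail}
            vulns.append({"id": cve.text.strip(), "analysis": analysis,
                          "affects": [{"ref": product_ref}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "vulnerabilities": vulns}
```

Calling `suppressions_to_vex(SAMPLE_SUPPRESSIONS, "pkg:maven/org.apache.kafka/kafka-clients@VERSION")` yields a `not_affected` record for the justified entry and an `in_triage` record for the unjustified one, which is the gap a reviewer would want to see rather than have hidden.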