[
https://issues.apache.org/jira/browse/KAFKA-15128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737576#comment-17737576
]
Kamal Chandraprakash commented on KAFKA-15128:
----------------------------------------------
Snappy jar will be used to compress the records from producer. If you're not
setting the {{compression.type}} as {{snappy}} in your producer configuration,
then you can safely exclude this jar from your distribution.
https://github.com/apache/kafka/blob/trunk/build.gradle#L1342
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L89
> snappy-java-1.1.8.4.jar library vulnerability
> ---------------------------------------------
>
> Key: KAFKA-15128
> URL: https://issues.apache.org/jira/browse/KAFKA-15128
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.4.0
> Reporter: priyatama
> Priority: Major
> Attachments: Screenshot 2023-06-27 at 12.30.51 PM.png
>
>
> Hi Team,
> we found new vulnerability introduced in snappy-java-1.1.8.4 library, so we
> need to get rid of it.
> !Screenshot 2023-06-27 at 12.30.51 PM.png|width=321,height=230!
> during analysis, we found snappy-java coming via kafka-clients.
> As our application is not directly using snappy-java jar.
> Can any one please explain what is use of snappy-java in kafka-client or can
> we exclude that?
> Latest kafka-client also having vulnerable snappy-jar, by when kafka-client
> will release next version which is having non-vulnerable snappy-java jar in
> it?
> cc: [Mickael
> Maison|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=mimaison]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
