[ https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17844334#comment-17844334 ]
Igor Soarez commented on KAFKA-16645:
-------------------------------------

The vulnerability report flags {{libexpat}} version {{2.5.0-r2}}. Both {{apache/kafka:3.7.0}} and {{apache/kafka:latest}} ship with the library:

{code:bash}
$ docker run --rm -it apache/kafka:3.7.0 -- apk list | grep libexpat
libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]
$ docker run --rm -it apache/kafka:latest -- apk list | grep libexpat
libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]
{code}

Neither Kafka nor its container image directly depend on {{libexpat}}. The library is instead bundled into the [base image {{eclipse-temurin:21-jre-alpine}}|https://github.com/apache/kafka/blob/21bf715622e9d05984fa8a2a1f9f12d54b76ce41/docker/jvm/Dockerfile#L44].

{code:bash}
$ docker run --rm -it eclipse-temurin:21-jre-alpine -- apk list | grep libexpat
libexpat-2.6.2-r0 aarch64 {expat} (MIT) [installed]
$ docker inspect eclipse-temurin:21-jre-alpine | jq -r '.[0].Created'
2024-04-23T20:51:38Z
$ docker inspect apache/kafka:3.7.0 | jq -r '.[0].Created'
2024-02-09T14:51:42.808028351Z
$ docker inspect apache/kafka:latest | jq -r '.[0].Created'
2024-02-09T14:51:42.808028351Z
{code}

The vulnerability has already been addressed in the base image, under the same image tag. To confirm, I ran the vulnerability scanner against a locally built image.

{code:bash}
$ python docker_build_test.py kafka/test -tag=localkafkaimg -type=jvm -u=https://downloads.apache.org/kafka/3.7.0/kafka_2.13-3.7.0.tgz
(...)
$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image kafka/test:localkafkaimg -s CRITICAL,HIGH
2024-05-07T14:57:18Z	INFO	Need to update DB
2024-05-07T14:57:18Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
45.90 MiB / 45.90 MiB [------------------------------------------------------------] 100.00% 20.98 MiB p/s 2.4s
2024-05-07T14:57:22Z	INFO	Vulnerability scanning is enabled
2024-05-07T14:57:22Z	INFO	Secret scanning is enabled
2024-05-07T14:57:22Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-07T14:57:22Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-07T14:57:23Z	INFO	Java DB Repository	repository=ghcr.io/aquasecurity/trivy-java-db:1
2024-05-07T14:57:23Z	INFO	Downloading the Java DB...
606.06 MiB / 606.06 MiB [----------------------------------------------------------] 100.00% 24.19 MiB p/s 25s
2024-05-07T14:57:49Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2024-05-07T14:57:49Z	INFO	Detected OS	family="alpine" version="3.19.1"
2024-05-07T14:57:49Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.19" repository="3.19" pkg_num=43
2024-05-07T14:57:49Z	INFO	Number of language-specific files	num=1
2024-05-07T14:57:49Z	INFO	[jar] Detecting vulnerabilities...

kafka/test:localkafkaimg (alpine 3.19.1)

Total: 0 (HIGH: 0, CRITICAL: 0)
{code}

I don't think we republish releases without a version change, so unless we want to create an exception for container images and republish the {{3.7.0}} and {{latest}} tags now, I propose we take no action here, as the next images built will not have these issues. Please let me know if you disagree.
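The triage in the comment above (read the package version inside the published image, read it inside the current base image, compare both with the scanner's "Fixed Version") can be scripted. The script below is an added example written for this page; it is not code from the Kafka project or from the comment. The helper names (apk_version, ver_lt, verdict, image_pkg_version, image_created) are my own. It assumes docker is on PATH for the live path, that the images are Alpine-based, and that versions have the usual Alpine form X.Y.Z-rN (suffixes such as _p1 or _git are not handled). The apk output lines used in the offline demonstration are constructed to mirror the values quoted in the comment, not captured from any image.

```shell
#!/bin/sh
# Added example (not from the Kafka project or this Jira thread).
# Answer the question "does my published image lag its base image for package
# PKG, and would a plain rebuild already pick up the fix?"
# Assumptions: docker on PATH for the live path; Alpine version strings of the
# form X.Y.Z-rN (simplification: _p1/_git style suffixes are not compared).
set -eu

# apk_version PKG: read `apk list` output on stdin, print PKG's version.
# A line looks like: "libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]".
# Requires a digit right after "PKG-" so "libexpat-dev-..." is not mistaken for it.
apk_version() {
    awk -v pkg="$1" '
        index($1, pkg "-") == 1 && substr($1, length(pkg) + 2, 1) ~ /[0-9]/ {
            print substr($1, length(pkg) + 2); exit
        }'
}

# ver_key V: "2.6.2-r0" -> "2.6.2.0" so every component is a plain integer.
ver_key() {
    printf '%s\n' "$1" | sed 's/-r/./'
}

# ver_lt A B: succeed (exit 0) when Alpine version A sorts before version B.
# Compares component-wise as numbers, so 2.10.0 > 2.9.0 and 2.6.0-r1 > 2.6.0-r0.
ver_lt() {
    awk -v a="$(ver_key "$1")" -v b="$(ver_key "$2")" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit !(xi < yi)
        }
        exit 1   # equal versions are not "less than"
    }'
}

# verdict INSTALLED FIXED BASE_INSTALLED: one word summarising the situation.
#   vulnerable-rebuild-fixes  image lags FIXED, but the base image already has it
#   vulnerable-base-lags      image lags FIXED and so does its base: wait upstream
#   patched                   image is at or past FIXED
verdict() {
    if ver_lt "$1" "$2"; then
        if ver_lt "$3" "$2"; then echo vulnerable-base-lags
        else echo vulnerable-rebuild-fixes; fi
    else
        echo patched
    fi
}

# image_pkg_version IMAGE PKG: run apk inside IMAGE, bypassing its entrypoint,
# listing installed packages (-I) that match PKG.
image_pkg_version() {
    docker run --rm --entrypoint apk "$1" list -I "$2" 2>/dev/null | apk_version "$2"
}

# image_created IMAGE: build timestamp recorded in the image config.
image_created() {
    docker inspect --format '{{.Created}}' "$1"
}

if [ "$#" -ge 4 ]; then
    # Live path: IMAGE BASE_IMAGE PKG FIXED_VERSION
    image=$1 base=$2 pkg=$3 fixed=$4
    installed=$(image_pkg_version "$image" "$pkg")
    in_base=$(image_pkg_version "$base" "$pkg")
    printf '%s: %s %s (built %s)\n' "$image" "$pkg" "$installed" "$(image_created "$image")"
    printf '%s: %s %s (built %s)\n' "$base" "$pkg" "$in_base" "$(image_created "$base")"
    verdict "$installed" "$fixed" "$in_base"
else
    # Offline demonstration on constructed apk output (values mirror the comment).
    kafka_apk='libexpat-2.5.0-r2 aarch64 {expat} (MIT) [installed]'
    base_apk='libexpat-2.6.2-r0 aarch64 {expat} (MIT) [installed]'
    installed=$(printf '%s\n' "$kafka_apk" | apk_version libexpat)
    in_base=$(printf '%s\n' "$base_apk" | apk_version libexpat)
    printf 'installed=%s base=%s fixed=%s -> %s\n' "$installed" "$in_base" 2.6.2-r0 \
        "$(verdict "$installed" 2.6.2-r0 "$in_base")"
fi
```

Live usage would be `sh check.sh apache/kafka:3.7.0 eclipse-temurin:21-jre-alpine libexpat 2.6.2-r0`. Run `docker pull` on both tags first: `21-jre-alpine` and `latest` are mutable tags, and a stale local copy of the base image would report `vulnerable-base-lags` even though the registry already carries the fixed build, which is exactly the distinction the comment relies on.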
> CVEs in 3.7.0 docker image
> --------------------------
>
>                 Key: KAFKA-16645
>                 URL: https://issues.apache.org/jira/browse/KAFKA-16645
>             Project: Kafka
>          Issue Type: Task
>    Affects Versions: 3.7.0
>            Reporter: Mickael Maison
>            Priority: Blocker
>             Fix For: 3.8.0, 3.7.1
>
>
> Our [Docker Image CVE Scanner|https://github.com/apache/kafka/actions/runs/8888874393] GitHub action reports 2 high CVEs in our base image:
>
> apache/kafka:3.7.0 (alpine 3.19.1)
> ==================================
> Total: 2 (HIGH: 2, CRITICAL: 0)
>
> ┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
> │ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
> ├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
> │ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
> │          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
> │          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
> └──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
>
> Looking at the [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?] that introduced the docker images, it seems we should release a bugfix when high CVEs are detected. It would be good to investigate and assess whether Kafka is impacted or not.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)