DarioBalinzo / kafka-connect-elasticsearch-source

Kafka Connect Elasticsearch Source
Apache License 2.0

Connector Vulnerabilities #89

Closed ddonaghy-c closed 1 year ago

ddonaghy-c commented 1 year ago

Confluent regularly perform security scans on Confluent Hub connectors, as per Confluent’s security policy. Unfortunately this connector has been flagged as having unacceptable vulnerabilities and our policy is to escalate this connector to removal stages, unless we receive confirmation that the issues are being addressed as below.

Find enclosed the details of the underlying CVE & library associated with the vulnerability:

- org.yaml:snakeyaml@1.32
- Upgrading to org.yaml:snakeyaml@2 should remediate this vulnerability - https://avd.aquasec.com/nvd/cve-2022-1471

or

- Confirmation that the vulnerability is a false positive
- Confirmation that the issue is valid but not exploitable

If you require further information on any of the above, please do not hesitate to reply to this issue.

CCET Team, Confluent
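As an added example (not part of this thread or the connector's code), the check a maintainer can run over `mvn dependency:tree` output to confirm that no org.yaml:snakeyaml below the 2.0 line named above remains in the build; the dependency tree below is constructed, and every coordinate other than org.yaml:snakeyaml is a placeholder rather than the project's real dependency graph.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output; the
# coordinates other than org.yaml:snakeyaml are placeholders, not the
# connector's real dependency graph.
TREE_BEFORE = """\
[INFO] example:connector:jar:0.0.0
[INFO] +- example.deps:search-client:jar:7.0.0:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.32:compile
[INFO] \\- org.apache.kafka:connect-api:jar:3.0.0:provided
"""
# Same tree after the transitive SnakeYAML has been bumped to the 2.x line.
TREE_AFTER = TREE_BEFORE.replace("snakeyaml:jar:1.32", "snakeyaml:jar:2.0")

# Matches group:artifact:packaging[:classifier]:version:scope at a line end.
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+(?::[A-Za-z0-9_.\-]+)?"
    r":([0-9][A-Za-z0-9_.\-]*):([a-z]+)\s*$"
)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string ('1.32' -> (1, 32)); qualifiers ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def parse_dependency_tree(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (group, artifact, version, scope) for every resolved dependency."""
    deps = []
    for line in text.splitlines():
        match = COORD_RE.search(line)
        if match:
            deps.append(match.groups())
    return deps


def find_vulnerable(text: str, group: str = "org.yaml", artifact: str = "snakeyaml",
                    fixed_in: str = "2.0") -> List[str]:
    """Versions of the given artifact in the tree that are older than fixed_in."""
    return [
        version
        for g, a, version, _scope in parse_dependency_tree(text)
        if g == group and a == artifact
        and version_tuple(version) < version_tuple(fixed_in)
    ]


if __name__ == "__main__":
    for name, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        print(name, find_vulnerable(tree) or "no vulnerable snakeyaml")
```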

DarioBalinzo commented 1 year ago

Hi, thanks for reaching out to me. I will need a few days to upgrade the dependency and test if everything still works fine.

I will keep you updated ASAP with the link to the new release.

Dario


ddonaghy-c commented 1 year ago

Thanks very much for your quick reply to this; we appreciate it. We'll check in at a later date to see how this is progressing, but we will reach out before any action is taken on the Confluent Hub regarding the listing.

DarioBalinzo commented 1 year ago

Hi, you can check the latest release that should fix the vulnerability here: https://github.com/DarioBalinzo/kafka-connect-elasticsearch-source/releases/tag/v1.5.3