confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html

Security vulnerabilities: protoc, grpc, kotlin #2185

Open nikoncode opened 2 years ago

nikoncode commented 2 years ago

Hi.

We are using io.confluent:kafka-protobuf-serializer:6.2.1 (partially valid for higher versions) and it contains the following vulnerabilities:

I can try to update these transitives in my project, but I can't be sure that it will work. Since I don't know anything about 7 vs 6 compatibility, can you provide a backport for 6.2.x for this?

nikoncode commented 2 years ago

Also, I am wondering whether I can upgrade just kafka-protobuf-serializer to the latest version without upgrading the schema-registry backend?

Are there any changes in the Schema Registry API?

janjwerner-confluent commented 1 year ago

Mikita, Thank you for raising this issue. The latest release 6.2.6 ships with an updated protobuf-java-3.19.4.jar resolving the issue. https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-2331703.
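As an added example that is not part of this issue thread, a check a consumer of the artifact could run over `mvn dependency:tree` output to confirm that the resolved protobuf-java is at least the 3.19.4 the maintainer names as fixed. The tree text and the pre-upgrade protobuf-java version in it are constructed, not taken from a real build.

```python
import re
from typing import Dict, Optional

# Minimum protobuf-java version named as fixed in this thread.
MIN_PROTOBUF_JAVA = "3.19.4"

# Constructed sample of `mvn dependency:tree` output (not real project output;
# the protobuf-java version shown under 6.2.1 is illustrative, not looked up).
TREE_BEFORE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.confluent:kafka-protobuf-serializer:jar:6.2.1:compile
[INFO] |  +- io.confluent:kafka-schema-registry-client:jar:6.2.1:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.15.8:compile
"""
# Same tree after moving to 6.2.6, which ships protobuf-java 3.19.4.
TREE_AFTER = TREE_BEFORE.replace("6.2.1", "6.2.6").replace("3.15.8", "3.19.4")

# Leading "[INFO]" plus the tree-drawing characters before a coordinate.
PREFIX_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")


def parse_tree(tree: str) -> Dict[str, str]:
    """Map 'group:artifact' -> resolved version for each coordinate line."""
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        parts = PREFIX_RE.sub("", line).strip().split(":")
        if len(parts) < 4:
            continue  # not a coordinate line (blank, warnings, etc.)
        # group:artifact:packaging[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        resolved[f"{parts[0]}:{parts[1]}"] = version
    return resolved


def version_key(version: str) -> tuple:
    """Sort key: numeric segments compare as ints, other segments as strings.
    Pre-release qualifiers such as -SNAPSHOT are not specially modelled."""
    return tuple((1, int(s)) if s.isdigit() else (0, s)
                 for s in re.split(r"[.-]", version))


def vulnerable_protobuf(tree: str) -> Optional[str]:
    """Return the resolved protobuf-java version if below MIN_PROTOBUF_JAVA,
    else None (also None when protobuf-java is not on the classpath)."""
    version = parse_tree(tree).get("com.google.protobuf:protobuf-java")
    if version is None:
        return None
    return version if version_key(version) < version_key(MIN_PROTOBUF_JAVA) else None


if __name__ == "__main__":
    for label, tree in (("6.2.1", TREE_BEFORE), ("6.2.6", TREE_AFTER)):
        bad = vulnerable_protobuf(tree)
        print(f"kafka-protobuf-serializer {label}: "
              + (f"protobuf-java {bad} below {MIN_PROTOBUF_JAVA}" if bad else "OK"))
```

Pipe `mvn dependency:tree` into `parse_tree` in a CI step to fail the build when the resolved protobuf-java is older than the fixed version.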