Open heruan opened 1 week ago
Fabric8 Kubernetes Client 7.0.0 will no longer depend on OkHttp 3.x: https://github.com/fabric8io/kubernetes-client/issues/5778
For previous versions, you should be able to override the OkHttp client version dependency in your pom.xml: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md
Or using a different HttpClient implementation:
However, I'm not sure which of these options work better with spring-cloud-kubernetes.
Hopefully, v7 will be released soon though.
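As an added illustration, not code from this issue or from the fabric8 project, here is a Maven fragment that applies the two options mentioned above: pinning every transitive OkHttp artifact through dependencyManagement, and alternatively swapping the OkHttp-backed HttpClient for the JDK one. The artifact names kubernetes-httpclient-okhttp and kubernetes-httpclient-jdk, and both version values, are assumptions that should be checked against the fabric8 release line in use.

```xml
<project>
  <properties>
    <!-- Assumed values: verify against the fabric8 BOM for your release line -->
    <fabric8.version>6.9.2</fabric8.version>
    <!-- Use the OkHttp version your scanner reports as fixed; this 4.x value is an assumption -->
    <okhttp.version>4.12.0</okhttp.version>
  </properties>

  <!-- Option 1: force all transitive OkHttp artifacts (client and logging-interceptor)
       to the pinned version, overriding what kubernetes-client declares -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>${okhttp.version}</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>logging-interceptor</artifactId>
        <version>${okhttp.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option 2: remove the OkHttp-backed implementation entirely and
         plug in the JDK HttpClient implementation instead -->
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-client</artifactId>
      <version>${fabric8.version}</version>
      <exclusions>
        <exclusion>
          <groupId>io.fabric8</groupId>
          <artifactId>kubernetes-httpclient-okhttp</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-httpclient-jdk</artifactId>
      <version>${fabric8.version}</version>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=com.squareup.okhttp3`: with option 1 the OkHttp artifacts should still be present but at the pinned version, with option 2 they should be absent from the tree, which is the outcome an SBOM scanner cares about. Two caveats: OkHttp 4.x is written in Kotlin and pulls kotlin-stdlib in transitively, so the override changes your dependency set, and if another library on the classpath (spring-cloud-kubernetes, for instance) declares its own OkHttp dependency, only the dependencyManagement pin will reach it.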
hello Marc!
We will be integrating 7.0.0 when that is available, but not sooner than our 4.x.x releases, and we are currently at 3.x.x. From what I know, that will start happening somewhere next year.
Describe the bug
We have received a notification for a vulnerability in our project using kubernetes-client:jar:6.9.2. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/logging-interceptor@3.12.12 [CVE-2023-0833] (owasp)
Currently there is no released version of io.fabric8:kubernetes-client with fixes for the reported dependency: https://github.com/fabric8io/kubernetes-client/blob/32b34730825404610265ef817cea1c7d126f6d88/pom.xml#L94
Fabric8 Kubernetes Client version
SNAPSHOT
Steps to reproduce
Have the kubernetes-client dependency and run an SBOM vulnerability scan.
Expected behavior
Depend on a com.squareup.okhttp3:logging-interceptor version with the vulnerability fixed.
Runtime
Kubernetes (vanilla)
Kubernetes API Server version
1.25.3@latest
Environment
Linux
Fabric8 Kubernetes Client Logs
No response
Additional context
No response