fabric8io / kubernetes-client

Java client for Kubernetes & OpenShift
http://fabric8.io
Apache License 2.0

Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor #6344

Open heruan opened 1 week ago

heruan commented 1 week ago

Describe the bug

We have received a notification for a vulnerability in our project using kubernetes-client:jar:6.9.2. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/logging-interceptor@3.12.12 [CVE-2023-0833] (owasp)

+- com.vaadin:control-center-starter:jar:1.0-SNAPSHOT:compile
|  \- org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config:jar:3.1.3:compile
|     \- org.springframework.cloud:spring-cloud-kubernetes-fabric8-config:jar:3.1.3:compile
|        +- io.fabric8:kubernetes-client:jar:6.9.2:compile
|        |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.9.2:runtime
|        |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:runtime 

Currently there is no released version of io.fabric8:kubernetes-client with a fix for the reported dependency.

https://github.com/fabric8io/kubernetes-client/blob/32b34730825404610265ef817cea1c7d126f6d88/pom.xml#L94

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

Have the kubernetes-client dependency and run an SBOM vulnerability scan.

Expected behavior

Depend on a com.squareup.okhttp3:logging-interceptor version with the vulnerability fixed.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3@latest

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response

manusa commented 6 days ago

Fabric8 Kubernetes Client 7.0.0 will no longer depend on OkHttp 3.x: https://github.com/fabric8io/kubernetes-client/issues/5778

For previous versions, you should be able to override the OkHttp client version dependency in your pom.xml: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

Or use a different HttpClient implementation:

However, I'm not sure which of these options work better with spring-cloud-kubernetes.

Hopefully, v7 will be released soon though.
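As an added illustration of the two options mentioned above (not code from this thread or from the fabric8 project), a pom.xml fragment for a consumer like the one in the report: the fixed OkHttp version is a placeholder you must fill in from the advisory, and the kubernetes-httpclient-vertx artifact being available for 6.9.2 is an assumption.

```xml
<!-- Added example, not from the fabric8 project or this issue thread. -->
<properties>
  <!-- PLACEHOLDER: first OkHttp release that fixes CVE-2023-0833 -->
  <okhttp.version>OKHTTP_FIXED_VERSION</okhttp.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Option 1: pin the transitive OkHttp artifacts. A version declared in
         the consumer's dependencyManagement overrides the one kubernetes-client
         pulls in, so the vulnerable 3.12.12 no longer lands on the classpath. -->
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>${okhttp.version}</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>logging-interceptor</artifactId>
      <version>${okhttp.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Option 2: remove the OkHttp-based client from the whole subtree and
       supply another HttpClient implementation instead. The exclusion applies
       to everything reached through this starter, including kubernetes-client. -->
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
    <version>3.1.3</version>
    <exclusions>
      <exclusion>
        <groupId>io.fabric8</groupId>
        <artifactId>kubernetes-httpclient-okhttp</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- ASSUMPTION: the Vert.x implementation is published for 6.9.2. -->
  <dependency>
    <groupId>io.fabric8</groupId>
    <artifactId>kubernetes-httpclient-vertx</artifactId>
    <version>6.9.2</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>
```

Use one option or the other, not both, and confirm the result with `mvn dependency:tree -Dincludes=com.squareup.okhttp3` so the scanner no longer sees logging-interceptor 3.12.12.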

wind57 commented 2 days ago

hello Marc!

We will be integrating 7.0.0 when that is available, but not sooner than our 4.x.x releases, and we are currently at 3.x.x. From what I know, that will start happening somewhere next year.