Closed RunFox closed 3 years ago
Completely unrelated to kafka. This is definitely a FP. The FP is caused by an improper affected software list at the NVD. I'll reach out to them.
Well, slightly more nuanced than 'unrelated': their build pipeline appears to be affected. Have to dig a little deeper.
From what I can gather from the project, it appears to be completely immune to the Maven CVE. It just happens to depend, for part of its connect-runtime module, on the Maven implementation of version parsing, org.apache.maven.artifact.versioning.DefaultArtifactVersion:
```groovy
// connect-runtime is used in tests, use `api` for modules below for backwards compatibility even though
// applications should generally not depend on `connect-runtime`
...
implementation libs.mavenArtifact
...
```
And as that library came from a vulnerable version of Maven, in order not to get flagged for vulnerable dependencies, Kafka updated its dependency to the 3.8.1 version of that library.
I still consider my initial assessment that it's an FP valid and have reported my findings to the NIST NVD team to see if they agree (and update the NVD listing for affected software).
@aikebah thank you for the answer. I will wait for a reaction from the NVD NIST team.
NVD NIST team responded that they've removed kafka from the affected software list for the CVE. FP should disappear once the update is synced to the datastreams (which should happen within 24 hours).
Hello. I want to clarify that dc shows the following alert in the report:
"kafka-clients-2.7.1.jar CVE-2021-26291
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CWE-346 Origin Validation Error
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
As I understand it, this is some kind of common CVE, not specific to kafka-client. Is it an FP?
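While the corrected NVD entry propagates to the datastreams, the practical way to keep this known false positive out of the report is a dependency-check suppression scoped to exactly this artifact and exactly this CVE. The file below is an added example for this thread, not a file posted by the reporter, the maintainer, or the Kafka project; the `until` date is a placeholder assumption so that the suppression expires and the finding is re-evaluated once the NVD correction has synced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression for the kafka-clients / CVE-2021-26291 false positive.
     Not part of the original issue; the 'until' date below is a placeholder assumption. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2099-01-01Z">
    <notes><![CDATA[
      CVE-2021-26291 concerns the Maven build tool following http repositories declared in a
      dependency POM. kafka-clients only depends on maven-artifact (DefaultArtifactVersion),
      already at 3.8.1, and does not resolve repositories at runtime. NVD has removed Kafka from
      the affected-software list; this suppression bridges the gap until the datastreams sync.
      Scoped to the kafka-clients package URL and this single CVE so other findings still show.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
    <cve>CVE-2021-26291</cve>
  </suppress>
</suppressions>
```

Point dependency-check at the file with `--suppression suppressions.xml` on the CLI (or `dependencyCheck { suppressionFile = 'suppressions.xml' }` with the Gradle plugin). Matching on `packageUrl` plus a single `cve` element, rather than a bare `cpe` or a whole-package suppression, keeps the suppression from hiding an unrelated future finding against the same jar.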