snowflakedb / snowflake-kafka-connector

Snowflake Kafka Connector (Sink Connector)
Apache License 2.0

com.google.protobuf:protobuf-java:3.19.3 CVE in snowflake-kafka-connector jar 2.3.0 #877

Closed margamraviteja closed 1 month ago

margamraviteja commented 1 month ago

Hi,

I'm trying to use the latest Snowflake Kafka Connect sink connector 2.3.0, and encountered the following CVEs with severity High:

CVE | CVSS Score | Message
--- | --- | ---
CVE-2022-3510 | 7.5 | [CVE-2022-3510] com.google.protobuf:protobuf-java 3.19.3
CVE-2022-3509 | 7.5 | [CVE-2022-3509] com.google.protobuf:protobuf-java 3.19.3
CVE-2022-3171 | 7.5 | [CVE-2022-3171] com.google.protobuf:protobuf-java 3.19.3

Can you please look into it and let me know when a new version can be released?

sfc-gh-xhuang commented 1 month ago

@margamraviteja We package 3.19.6 in the jar and it is a safe version according to the CVEs you listed.

Please review and check if your vulnerability scanner has flagged a false positive

margamraviteja commented 1 month ago

I downloaded the snowflake kafka connector 2.3.0 and I see protobuf-java is 3.19.3 in META-INF/maven/com.google.protobuf/protobuf-java

margamraviteja commented 1 month ago

[image]

margamraviteja commented 1 month ago

If this is false positive, we can close this issue

margamraviteja commented 1 month ago

@sfc-gh-xhuang I can’t go with 2.3.0 as it is flagged as high. I will update whenever a new version is released. Closing this now.

sfc-gh-xhuang commented 1 month ago

Will keep this open to look into it more as to why it shows 3.19.3. The Snowpipe Streaming package we use has 3.19.6 for a long time: https://github.com/snowflakedb/snowflake-ingest-java/blob/1d2ec04074d84c2453dfebfff4b2f99a2e0cd5ac/pom.xml#L66

margamraviteja commented 1 month ago

I don't see the same issue with 2.2.2 version because there is no META-INF/maven/com.google.protobuf/protobuf-java in 2.2.2 jar.

margamraviteja commented 1 month ago

I cloned this repo and I see protobuf-java is resolved to 3.19.3 from jackson-datatype-protobuf because of conflicts.

[image]
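The two findings above (the version recorded under META-INF/maven in the 2.3.0 jar, and the Maven conflict that resolves protobuf-java to 3.19.3 through jackson-datatype-protobuf) can both be confirmed with a small script rather than a full scanner run. The following is an added example, not code from the issue thread or from the snowflake-kafka-connector project: it reads the `pom.properties` that Maven writes for each bundled dependency, compares the recorded version against the 3.19.6 release named in the thread, and reports nothing if the entry is absent (as the reporter saw for 2.2.2). The sample jar it builds is constructed in memory for illustration; point it at a real jar path to check a downloaded connector.

```python
"""Check which protobuf-java version is packaged inside a connector jar.

Added example, not part of the issue thread or the connector project.
Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties
for every bundled dependency; reading that entry from the shaded jar is a
cheap check to run in CI before a connector is deployed.
"""
import io
import re
import zipfile

POM_PROPERTIES = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties"

# Fixed version named in the thread for CVE-2022-3510 / 3509 / 3171.
FIXED_PROTOBUF_JAVA = "3.19.6"


def parse_version(version):
    """Turn '3.19.3' into (3, 19, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def packaged_protobuf_version(jar_bytes):
    """Return the protobuf-java version recorded in the jar, or None when no
    pom.properties for it is bundled."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def is_below_fixed(version, fixed=FIXED_PROTOBUF_JAVA):
    """True when the packaged version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def build_sample_jar(protobuf_version=None):
    """Construct a minimal jar for testing (constructed data, not a real connector).
    With protobuf_version=None the pom.properties entry is left out entirely."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if protobuf_version is not None:
            jar.writestr(
                POM_PROPERTIES,
                "#Generated by Maven\n"
                f"version={protobuf_version}\n"
                "groupId=com.google.protobuf\n"
                "artifactId=protobuf-java\n",
            )
    return buf.getvalue()


def check_jar(jar_bytes):
    """Summarise the finding as (version, flagged); version is None if not bundled."""
    version = packaged_protobuf_version(jar_bytes)
    if version is None:
        return None, False
    return version, is_below_fixed(version)


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_jar("3.19.3")
    version, flagged = check_jar(data)
    print(f"protobuf-java: {version or 'not bundled'}; below {FIXED_PROTOBUF_JAVA}: {flagged}")
```

Run it as `python check_protobuf.py snowflake-kafka-connector-2.3.0.jar` to inspect a downloaded artifact; with no argument it checks the constructed sample. Note that the check only sees what Maven recorded at build time, so a version pinned in the build but shaded from a different resolved artifact would still show up here; for the build itself, the usual remedy for the nearest-wins conflict described above is to pin `protobuf-java` in the project's `dependencyManagement` section (general Maven practice, not a description of what PR 892 does).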

margamraviteja commented 1 month ago

The nexus-staging-maven-plugin:1.6.7 has vulnerabilities so I was not able to build it (because of jackson-databind 2.3.1). https://mvnrepository.com/artifact/org.sonatype.plugins/nexus-staging-maven-plugin/1.6.7

{
  "errors": [
    {
      "status": 403,
      "message": "Artifact download request rejected: com/fasterxml/jackson/core/jackson-databind/2.3.1/jackson-databind-2.3.1.jar was not downloaded due to the download blocking policy configured in Xray for cloudera-cache."
    }
  ]
}

So I updated to 1.7.0 in my local to build.

margamraviteja commented 1 month ago

I see the issue is fixed in the PR https://github.com/snowflakedb/snowflake-kafka-connector/pull/892. When will the next release be?