Posted to jira@kafka.apache.org by "Matthias J. Sax (Jira)" <ji...@apache.org> on 2023/02/03 16:53:00 UTC

[jira] [Comment Edited] (KAFKA-14660) Divide by zero security vulnerability (sonatype-2019-0422)

    [ https://issues.apache.org/jira/browse/KAFKA-14660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17683951#comment-17683951 ] 

Matthias J. Sax edited comment on KAFKA-14660 at 2/3/23 4:52 PM:
-----------------------------------------------------------------

Not sure why the PR was not auto-linked... Fixed.

[https://github.com/apache/kafka/pull/13175]

Thanks for your follow up. Can we close this ticket? Let me know if there is anything else I can do.


was (Author: mjsax):
Not sure why the PR was not auto-linked... Fixed.

[https://github.com/apache/kafka/pull/13175]

> Divide by zero security vulnerability (sonatype-2019-0422)
> ----------------------------------------------------------
>
>                 Key: KAFKA-14660
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14660
>             Project: Kafka
>          Issue Type: Bug
>          Components: streams
>    Affects Versions: 3.3.2
>            Reporter: Andy Coates
>            Assignee: Matthias J. Sax
>            Priority: Minor
>             Fix For: 3.5.0
>
>
> Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR and, because the PR was never merged, is now reporting it as a security vulnerability in the latest Kafka Streams library.
>  
> See:
>  * Vulnerability: sonatype-2019-0422 - https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0
>  * Original PR - https://github.com/apache/kafka/pull/7414
>  
> While it looks from the comments made by [~mjsax] and [~bbejeck] that the divide-by-zero is not really an issue, the fact that it's now being reported as a vulnerability is, especially with regulators.
> PITA, but we should consider either getting this vulnerability removed (Google wasn't very helpful in providing info on how to do this), or fixed (again, not sure how to tag the fix as fixing this issue). One option may just be to reopen the PR and merge (and then fix forward by switching it to throw an exception).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)