Posted to jira@kafka.apache.org by "Andy Coates (Jira)" <ji...@apache.org> on 2023/02/03 00:07:00 UTC

[jira] [Reopened] (KAFKA-14660) Divide by zero security vulnerability (sonatype-2019-0422)

     [ https://issues.apache.org/jira/browse/KAFKA-14660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Coates reopened KAFKA-14660:
---------------------------------

The issue here is more the SonaType security vulnerability report than any impossible to reach divide by zero issue. Unfortunately, I'm struggling to find information on _how_ to mark the vulnerability resolved in SonaType.  This was why I was suggesting opening and merging the PR, as it seems the PR is the cause of the report.

I realise the PR's solution wasn't ideal. Hence I was suggesting to merge and put in a second change after to fix the fix, so to speak.

If you've already submitted a fix for the DBZ, then I see two potential ways forward:
 # work out how to inform SonaType the issue is fixed:
 ## There is a [Report correction|https://ossindex.sonatype.org/doc/report-vulnerability] link on the bug report.  Maybe you, or I if you let me know the PR you fixed the DBZ in, can use this to raise the fact it's been fixed?
 ## Maybe just tagging the [SonaType issue|https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0] in your PR would be enough?
 ## Does someone in Confluent know about this stuff that you can talk to?
 ## ????
 # reopen, 'adjust' and merge the original PR... hopefully triggering SonaType to mark the issue resolved.

> Divide by zero security vulnerability (sonatype-2019-0422)
> ----------------------------------------------------------
>
>                 Key: KAFKA-14660
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14660
>             Project: Kafka
>          Issue Type: Bug
>          Components: streams
>    Affects Versions: 3.3.2
>            Reporter: Andy Coates
>            Assignee: Matthias J. Sax
>            Priority: Minor
>             Fix For: 3.5.0
>
>
> Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR and, because the PR was never merged, is now reporting it as a security vulnerability in the latest Kafka Streams library.
>  
> See:
>  * [Vulnerability: sonatype-2019-0422|https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0]
>  * [Original PR|https://github.com/apache/kafka/pull/7414]
>  
> While it looks from the comments made by [~mjsax] and [~bbejeck] that the divide-by-zero is not really an issue, the fact that it's now being reported as a vulnerability is, especially with regulators.
> PITA, but we should consider either getting this vulnerability removed (Google wasn't very helpful in providing info on how to do this), or fixed (Again, not sure how to tag the fix as fixing this issue).  One option may just be to reopen the PR and merge (and then fix forward by switching it to throw an exception).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)