Posted to jira@kafka.apache.org by "VeeVee Wang (Jira)" <ji...@apache.org> on 2022/09/26 22:25:00 UTC
[jira] [Created] (KAFKA-14261) Dependency Vulnerability Scan Results (Mend/WhiteSource)
VeeVee Wang created KAFKA-14261:
-----------------------------------
Summary: Dependency Vulnerability Scan Results (Mend/WhiteSource)
Key: KAFKA-14261
URL: https://issues.apache.org/jira/browse/KAFKA-14261
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 3.2.3
Reporter: VeeVee Wang
Attachments: GH_kafka-vulnerability-report.xlsx
The Kafka repository was scanned with Mend's (formerly WhiteSource) SCA (software composition analysis) tool for third-party dependency vulnerabilities. We scanned Kafka version 3.2.3 on 9/20.
The scan result detected the following instances of vulnerability severities:
* 12 highs
* 12 mediums
* 1 low
We would like to submit the Mend findings (attached to this ticket) as a bug with the request to update to non-vulnerable library versions. In the attached spreadsheet, column W "Top Fix" has notes on non-vulnerable versions to upgrade to.
Is there an SLA or typical amount of time to remediate vulnerabilities in the Kafka repo?
Thank you.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)