Posted to jira@kafka.apache.org by "VeeVee Wang (Jira)" <ji...@apache.org> on 2022/09/26 22:25:00 UTC

[jira] [Created] (KAFKA-14261) Dependency Vulnerability Scan Results (Mend/WhiteSource)

VeeVee Wang created KAFKA-14261:
-----------------------------------

             Summary: Dependency Vulnerability Scan Results (Mend/WhiteSource)
                 Key: KAFKA-14261
                 URL: https://issues.apache.org/jira/browse/KAFKA-14261
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 3.2.3
            Reporter: VeeVee Wang
         Attachments: GH_kafka-vulnerability-report.xlsx

The Kafka repository was scanned with Mend's (formerly WhiteSource) SCA (software composition analysis) tool for third-party dependency vulnerabilities. We scanned Kafka version 3.2.3 on 9/20.

The scan result detected the following instances of vulnerability severities:
 * 12 highs
 * 12 mediums
 * 1 low

We would like to submit the Mend findings (attached to this ticket) as a bug with the request to update to non-vulnerable library versions. In the attached spreadsheet, column W "Top Fix" has notes on non-vulnerable versions to upgrade to.

Is there an SLA or typical amount of time to remediate vulnerabilities in the Kafka repo?

Thank you.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)