Comments (4)
maciejadamski0
commented on June 11, 2024
1
Hi @janjwerner-confluent
Mvn central repository link:
https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39
++ copied list of vulnerabilities from dependency:
CVE-2023-6378
CVE-2022-42004
CVE-2022-42003
CVE-2022-36944
CVE-2021-46877
CVE-2020-36518
CVE-2020-25649
Override of the scala library has passed all the tests we have for schema registry.
I will try this action and let you know if it helped in our case.
from schema-registry.
janjwerner-confluent
commented on June 11, 2024
@maciejadamski0
Can you try to override the version of scala-library that is brought into your project using the dependency management?
If you look at the current 7.5.x dependency tree, you should notice that an updated version of kafka and scala jars.
[INFO] --- dependency:3.3.0:tree (default-cli) @ kafka-json-schema-serializer --- [INFO] io.confluent:kafka-json-schema-serializer:jar:7.5.4-0 [INFO] +- org.apache.kafka:kafka_2.13:jar:7.5.4-10-ccs:provided [INFO] | +- org.apache.kafka:kafka-clients:jar:7.5.4-10-ccs:compile [INFO] | | +- com.github.luben:zstd-jni:jar:1.5.5-1:runtime [INFO] | | +- org.lz4:lz4-java:jar:1.8.0:runtime [INFO] | | \- org.xerial.snappy:snappy-java:jar:1.1.10.5:runtime [INFO] | +- org.scala-lang:scala-library:jar:2.13.10:compile
from schema-registry.
maciejadamski0
commented on June 11, 2024
@janjwerner-confluent
Sorry, I'm not a Scala expert, but my understanding of this language works on the principle that if we have this library
https://mvnrepository.com/artifact/com.kjetland/mbknor-jackson-jsonschema_2.13/1.0.39
This library indicates which version of Scala it was written for or information is in the table ("Scala Target"). It may happen that the library stops working or behaving correctly.
The mbknor-jsonschema library itself contains many vulnerabilities and will probably become quite dangerous to use soon. Do you have a plan to change this library in the upcoming releases?
from schema-registry.
janjwerner-confluent
commented on June 11, 2024
@maciejadamski0
I'm not aware of the current plans to replace the library. Override of the scala library has passed all the tests we have for schema registry.
You mentioned "The mbknor-jsonschema library itself contains many vulnerabilities " - can you point me to the those vulnerabilities?
from schema-registry.
Related Issues (20)
- Vulnerabilities in Schema Registry 7.5.3 dependencies HOT 1
- schema-registry-start server - ClassNotFoundException
- High severity vulnerabilities CVE-2024-26308 and CVE-2024-25710 detected in schema-registry HOT 4
- [Bug] KafkaJsonSchemaSerializer adds initial null bytes (00 00 00 00 0C 7B) HOT 1
- Multiple replica of schema registry- one pod failed with "error_code":50005,"message":"Unrecognized token 'upstream': was expecting (JSON String, Number (or 'NaN'/'INF'/'+INF'), Array, Object or token 'null', 'true' or 'false')
- KafkaAvroDeserializer does not use SPECIFIC_AVRO_VALUE_TYPE_CONFIG when using `configure`
- KafkaProtobufSerializer throughput issues with skip.known.types = true
- ReflectionAvroDeserializer - SerializationException when trying to find a reader schema via reflection HOT 1
- If latest.compatibility.strict=true, IOException should output compatibility errors HOT 1
- High severity vulnerabilities CVE-2024-1597 detected in schema-registry HOT 1
- Resolve CCL License headers in client libraries
- grpc has been updated to 4.26, GeneratedMessageV3 has changed to GeneratedMesssage HOT 2
- Schema registry client : No Authentication header appearing in http request HOT 1
- If the name contains a dot (.) in the name a newly created schema's name and namespaces are overridden. HOT 1
- SpringBoot reactor kafka NATIVE image fails with KafkaException: Could not find a public no-argument constructor for io.confluent.kafka.serializers.KafkaJsonSerializer
- CFK Schema Registry Basic Auth Vault Secret Auto-reload Failed
- Wrong metric value for `kafka_schema_registry_node_count_node_count`
- java.lang.NoClassDefFoundError: org/apache/commons/codec/Charsets HOT 1
- Breaking change in io.confluent:kafka-protobuf-serializer from 7.6.0 to 7.6.1 HOT 2
- Error deserializing AVRO - schema evolution example HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from schema-registry.