fix kafka CVE-2023-25194, update kafka client to 3.4.0 #2481
kafka_version = '3.4.0'
zstd-jni versions 1.5.2-1 lz4-java versions 1.8.0 snappy-java versions 1.1.8.4
spring-kafka-test:3.0.3
Hi @xie-shujian, thank you for taking the time to open up a PR to update the Kafka dependency. Edit: Apparently there is a workaround to fix the version mismatch.
Thank you for creating this pull request.
The DCO check failed, learn more about it and how to remedy from the failure https://github.com/opensearch-project/security/pull/2481/checks?check_run_id=11567975502
Also sounds like after this is resolved there will be the problem that @scrawfor99 mentioned, did you have thoughts on if this can be worked around?
build.gradle
@@ -24,7 +24,8 @@ buildscript { | |||
opensearch_build = version_tokens[0] + '.0' | |||
|
|||
common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT') | |||
kafka_version = '3.0.2' | |||
kafka_version = '3.4.0' | |||
kafkaVersion = '3.4.0' |
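Review bot: `kafkaVersion = '3.4.0'` on the last line of this hunk duplicates `kafka_version = '3.4.0'` directly above it, so the Kafka client version is now defined in two variables. Keep only the one the build actually references and drop the other; with two definitions, a later security bump can update one and leave the other still naming the old client version.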
Unused, let's remove
Codecov Report
@@ Coverage Diff @@
## main #2481 +/- ##
============================================
- Coverage 61.19% 61.18% -0.02%
+ Complexity 3325 3322 -3
============================================
Files 260 260
Lines 18494 18494
Branches 3268 3268
============================================
- Hits 11318 11316 -2
Misses 5578 5578
- Partials 1598 1600 +2
Hi @xie-shujian, as @peternied, I am happy to help out with this issue if you have any questions. That being said, it looks like I was mistaken about the version we need not being out yet. The website I looked at was outdated... If you are able to address the comments Peter left, we can get this squared away together. You will want to follow the guidance on this question.
Description
[Describe what this change achieves]
Issues Resolved
[List any issues this PR will resolve]
fix kafka CVE-2023-25194, update kafka client to 3.4.0
Is this a backport? If so, please add backport PR # and/or commits #
upgrade kafka client and spring test framework
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Test pass
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.