kafka-connect: resolve CVE-2025-48734 #13561
Conversation
…sion to 1.11.0 to resolve CVE with hive
resolves #13563
kafka-connect/build.gradle
Outdated
| } | ||
| all { | ||
| exclude group: 'javax.activation', module: 'activation' | ||
| exclude group: 'commons-beanutils' |
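Review bot: `exclude group: 'commons-beanutils'` placed inside the `all { }` block applies to every configuration in the project, not only the ones that make up the connector's compile and runtime classpath, so configurations Gradle resolves for its own plugins (the Checkstyle plugin's, for one) lose the module as well. Scope the exclusion to the configurations that actually carry the Hadoop/Hive dependencies (or to `compileClasspath`/`runtimeClasspath`), and name the module explicitly (`exclude group: 'commons-beanutils', module: 'commons-beanutils'`), so tool classpaths keep resolving normally.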
The (compile) checkstyle fails because of this line. Do we really need to exclude it?
When we add `exclude group: 'commons-beanutils'` to our `configurations.all` block, we are instructing Gradle to prevent any version of commons-beanutils from being included in any configuration's classpath for that project. This includes the classpath that Gradle sets up for its own plugins, like the Checkstyle plugin.
My goal here is to not include it when not building for hive. But I'll file a separate issue for that and work on that for a future release. We don't need these hadoop deps for the non-Hive build. I'll update my PR shortly.
Yes. We should focus on fixing the CVE for the main distribution (not Hive) first, as that is the plugin we are gonna upload to the Confluent repo.
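The discussion above turns on where a Gradle `exclude` is placed: under `configurations.all` it also strips the module from the classpaths Gradle builds for its own plugins, which is why Checkstyle broke. The following Gradle (Groovy DSL) fragment is an added example, not the project's `build.gradle`: it shows the global exclusion beside a scoped one, pins the patched `commons-beanutils` release for the Hive flavour, and adds a guard task that fails the build if a vulnerable version comes back. The `-Phive` project property, the `verifyBeanutils` task name and the `olderThan` helper are assumptions made for the example; the PR does not name them.

```groovy
// Added example, not the project's build.gradle.
// Assumptions (not from the PR): the Hive flavour is selected with -Phive,
// and the task name `verifyBeanutils` is made up for this example.

// --- Weak: global exclusion (what the first revision of the PR did) -------
// `configurations.all` covers every configuration Gradle creates, including
// the `checkstyle` configuration the Checkstyle plugin resolves for itself,
// so the plugin loses a jar it depends on and the checkstyle task fails.
// configurations.all {
//     exclude group: 'commons-beanutils', module: 'commons-beanutils'
// }

// --- Scoped: exclude only from the connector's own classpaths -------------
def hiveBuild = project.hasProperty('hive')   // assumed build switch

if (!hiveBuild) {
    // Only the configurations that feed the plugin's compile/runtime classpath
    // are touched; tool configurations such as `checkstyle` resolve as before.
    ['compileClasspath', 'runtimeClasspath',
     'testCompileClasspath', 'testRuntimeClasspath'].each { name ->
        configurations.named(name) {
            exclude group: 'commons-beanutils', module: 'commons-beanutils'
        }
    }
}

// --- Hive build: keep the module but pin the patched release --------------
// Applies to every configuration; upgrading a tool classpath to 1.11.0 is
// harmless, unlike removing the module from it.
configurations.configureEach {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'commons-beanutils'
                && details.requested.name == 'commons-beanutils') {
            details.useVersion '1.11.0'
            details.because 'CVE-2025-48734'
        }
    }
}

// --- Guard: fail the build if a vulnerable beanutils slips back in --------
// Compares dotted numeric versions segment by segment (enough for
// 1.9.4 vs 1.11.0; pre-release qualifiers are treated as 0).
boolean olderThan(String actual, String minimum) {
    def a = actual.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def m = minimum.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    for (int i = 0; i < Math.max(a.size(), m.size()); i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < m.size() ? m[i] : 0
        if (x != y) return x < y
    }
    return false
}

tasks.register('verifyBeanutils') {      // assumed task name
    description = 'Fails if commons-beanutils < 1.11.0 is on the runtime classpath'
    doLast {
        // Resolved components of the runtime classpath, filtered to beanutils.
        def hits = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'commons-beanutils' && it.name == 'commons-beanutils' }
        hits.each { mv ->
            if (olderThan(mv.version, '1.11.0')) {
                throw new GradleException(
                    "commons-beanutils ${mv.version} on runtimeClasspath (CVE-2025-48734); expected >= 1.11.0")
            }
        }
        if (!hiveBuild && !hits.isEmpty()) {
            throw new GradleException('commons-beanutils is present in a non-Hive build')
        }
        logger.lifecycle("commons-beanutils check passed (${hits.size()} hit(s))")
    }
}
```

Run `./gradlew verifyBeanutils` for the default build and `./gradlew -Phive verifyBeanutils` for the Hive flavour; the task only inspects `runtimeClasspath`, so it will not be upset by whatever the Checkstyle configuration resolves. Excluding per configuration (rather than per dependency) keeps the fix independent of which Hadoop artifact happens to pull `commons-beanutils` in transitively.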
I locally tried by just adding one line under existing Trivy also ran after that successfully.
| test { | ||
| useJUnitPlatform() | ||
| } | ||
| } |
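Review bot: the change around `test { useJUnitPlatform() }` is formatting only (the whitespace nit raised in the comments); revert it so the diff stays limited to the dependency fix and the blame history of that block is not disturbed.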
nit: can we revert the unnecessary whitespace change
+1
LGTM.
I don't think we have an integration test for distributions. So, maybe someone can confirm it works fine with this change.
Maybe @bryanck.
Regarding the CVE, I have verified that it doesn't exist after this.
thanks @liko9 for the fix and @ajantha-bhat @nandorKollar for the review
## Summary
- Upgrade to iceberg 1.10.0 to grab column [stats](apache/iceberg#10659), and some CVE's: [CVE](apache/iceberg#13561) (and parquet, avro transitively), and [BigQueryMetastoreCatalog](apache/iceberg#12808), [Google Auth](apache/iceberg#13212).
- Column stats is the key feature here - we rely on extracting the puffin files and grabbing stats metadata.

## Checklist
- [ ] Added Unit Tests
- [ ] Covered by existing CI
- [ ] Integration tested
- [ ] Documentation update

## Summary by CodeRabbit
* **New Features**
  * Per-partition, per-column statistics extraction with optional persistence to a new data-quality metrics KV store; platform APIs can produce a metrics-specific KV store.
* **Breaking Changes**
  * Extraction API signatures and summary/key formats changed; thrift summary shapes updated; config token renamed "groupbys" → "group_bys"; /api/summary-series now returns null.
* **Refactor**
  * Large-scale test package reorganizations and import consolidations across the codebase.

Co-authored-by: thomaschow <[email protected]>
removes commons-beanutils from non-hive deps, bump version to 1.11.0 to resolve CVE when using hive