
Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor #6344

Open
heruan opened this issue Sep 12, 2024 · 2 comments

Comments

@heruan

heruan commented Sep 12, 2024

Describe the bug

We have received a notification for a vulnerability in our project using kubernetes-client:jar:6.9.2. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/logging-interceptor@3.12.12 [CVE-2023-0833] (owasp)

+- com.vaadin:control-center-starter:jar:1.0-SNAPSHOT:compile
|  \- org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config:jar:3.1.3:compile
|     \- org.springframework.cloud:spring-cloud-kubernetes-fabric8-config:jar:3.1.3:compile
|        +- io.fabric8:kubernetes-client:jar:6.9.2:compile
|        |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.9.2:runtime
|        |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:runtime 

Currently there is no released version of io.fabric8:kubernetes-client with fixes for the reported dependency.

<okhttp.version>3.12.12</okhttp.version>

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

Have the kubernetes-client dependency and run a SBOM vulnerability scan.

Expected behavior

Depend on a com.squareup.okhttp3:logging-interceptor version with the vulnerability fixed.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3@latest

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response

@manusa
Member

manusa commented Sep 16, 2024

Fabric8 Kubernetes Client 7.0.0 will no longer depend on OkHttp 3.x: #5778

For previous versions, you should be able to override the OkHttp client version dependency in your pom.xml: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

Or using a different HttpClient implementation:

However, I'm not sure which of these options work better with spring-cloud-kubernetes.

Hopefully, v7 will be released soon though.
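As an added illustration of the two options above (example configuration, not taken from the issue or from the fabric8 project), here is a Maven fragment for a consuming project that pulls kubernetes-client in transitively through spring-cloud-starter-kubernetes-fabric8-config. Option 1 pins both OkHttp artifacts through dependencyManagement; option 2 excludes the OkHttp-backed HTTP client module and supplies another implementation. The fixed OkHttp version is left as a placeholder because the thread does not state one, the property name `okhttp.override.version` is made up for this example, and the artifact name `kubernetes-httpclient-jdk` is assumed from the fabric8 client's module layout.

```xml
<!-- Added example, not from the issue or fabric8. Pick ONE of the two options. -->
<project>
  <properties>
    <!-- Placeholder: substitute the OkHttp release your scanner reports as fixing
         CVE-2023-0833. The issue does not state a fixed version, so none is given. -->
    <okhttp.override.version>REPLACE_WITH_FIXED_OKHTTP_VERSION</okhttp.override.version>
  </properties>

  <!-- Option 1: pin the OkHttp artifacts. dependencyManagement overrides the version
       that kubernetes-httpclient-okhttp declares transitively, so both okhttp and
       logging-interceptor resolve at the pinned version. Keep the two entries in step:
       mixing okhttp and logging-interceptor across major versions fails at runtime. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>${okhttp.override.version}</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>logging-interceptor</artifactId>
        <version>${okhttp.override.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
      <version>3.1.3</version>
      <!-- Option 2 (instead of option 1): exclude the OkHttp-backed client module so no
           com.squareup.okhttp3 jar is resolved anywhere under this starter. -->
      <exclusions>
        <exclusion>
          <groupId>io.fabric8</groupId>
          <artifactId>kubernetes-httpclient-okhttp</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Option 2 continued: assumed artifact name for the JDK HttpClient-backed
         implementation of the fabric8 HttpClient SPI. Its version must match the
         kubernetes-client version in the tree (6.9.2 in the report above). -->
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-httpclient-jdk</artifactId>
      <version>6.9.2</version>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
</project>
```

After either change, confirm the override actually took effect with `mvn dependency:tree -Dincludes=com.squareup.okhttp3` (no 3.12.12 artifact should remain under kubernetes-httpclient-okhttp, or no OkHttp artifact at all for option 2) and rerun the SBOM scan; a pin that is shadowed by a closer declaration in the tree silently leaves the vulnerable jar in place. As the comment above notes, which option behaves better with spring-cloud-kubernetes is not settled in this thread, so test the application's Kubernetes config loading after switching.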

@wind57
Contributor

wind57 commented Sep 20, 2024

hello Marc!

We will be integrating 7.0.0 when that is available, but not sooner than our 4.x.x releases, and we are currently at 3.x.x. From what I know, that will start happening somewhere next year.

Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants