Hi Jean-Marc,

To be fair, the Flink project has a lot of dependencies that have
false positives from a Flink point of view. We just can't fix all of them.

Let's see what others say on this topic.

Best regards,

Martijn

On Fri, Nov 10, 2023 at 10:56 AM Jean-Marc Paulin <j...@uk.ibm.com> wrote:
>
> Hi,
>
> I am not exactly thrilled by the false-positive statement. This always leads
> to a difficult discussion with customers.
>
> Is there a chance of releasing a version of the connector to just add support
> for Kafka 3.4.0, in conjunction with Flink 1.18?
>
> Kind regards
>
> Jean-Marc
> ________________________________
> From: Martijn Visser <martijnvis...@apache.org>
> Sent: Thursday, November 9, 2023 13:51
> To: dev@flink.apache.org <dev@flink.apache.org>; Mason Chen 
> <mas.chen6...@gmail.com>
> Subject: [EXTERNAL] Re: Request a release of flink-connector-kafka version 
> 3.1.0 (to consume kafka 3.4.0 with Flink 1.18)
>
> Hi,
>
> The CVE is related to the Kafka Connect API and I think of that as a
> false positive for the Flink Kafka connector. I would be inclined to
> preferably get https://issues.apache.org/jira/browse/FLINK-32197 in,
> and then do a release afterwards. But I would like to understand from
> Mason if he thinks that's feasible.
>
> Best regards,
>
> Martijn
>
> On Tue, Nov 7, 2023 at 9:45 AM Jean-Marc Paulin <j...@uk.ibm.com> wrote:
> >
> > Hi,
> >
> > I had a chat on "[FLINK-31599] Update kafka version to 3.4.0 by Gerrrr · 
> > Pull Request #11 · apache/flink-connector-kafka" 
> > <https://github.com/apache/flink-connector-kafka/pull/11>.
> >
> > We are consuming Flink 1.18, and the flink-connector-kafka 3.0.1.
> > Flink 3.2.3 currently in use has the CVE-2023-25194
> > <https://www.mend.io/vulnerability-database/disclosure-policy/?query=CVE-2023-25194>
> > vulnerability addressed in Kafka 3.4.0. We will need to move to Kafka
> > 3.4.0 for our customers. I have tried to consume Kafka client 3.4.0 but
> > that fails after a while. I tracked that down to a change required in the
> > flink-connector-kafka source code. PR #11 above has the required changes,
> > and is merged in main, but is not currently released.
> >
> > I would really appreciate if you could release a newer version of the 
> > flink-connector-kafka that would enable us to use Kafka 3.4.0.
> >
> > Many thanks
> >
> > JM
> >
> > Unless otherwise stated above:
> >
> > IBM United Kingdom Limited
> > Registered in England and Wales with number 741598
> > Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU