[https://issues.apache.org/jira/browse/KAFKA-14660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682304#comment-17682304]
Andy Coates commented on KAFKA-14660:
-------------------------------------
As per the description, I think the best 'fix' might be to re-open the PR and merge
it, as it looks to me that the vulnerability report is tied to the PR.
If you know how I can tag a new PR to resolve the vulnerability, then I'm all
ears.
> Divide by zero security vulnerability (sonatype-2019-0422)
> ----------------------------------------------------------
>
> Key: KAFKA-14660
> URL: https://issues.apache.org/jira/browse/KAFKA-14660
> Project: Kafka
> Issue Type: Bug
> Components: streams
> Affects Versions: 3.3.2
> Reporter: Andy Coates
> Assignee: Matthias J. Sax
> Priority: Minor
>
> Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR
> and, because the PR was never merged, is now reporting it as a security
> vulnerability in the latest Kafka Streams library.
>
> See:
> * [Vulnerability: sonatype-2019-0422](https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
> * [Original PR](https://github.com/apache/kafka/pull/7414)
>
> While it looks from the comments made by [~mjsax] and [~bbejeck] that the
> divide-by-zero is not really an issue, the fact that it's now being reported
> as a vulnerability is, especially with regulators.
> PITA, but we should consider either getting this vulnerability removed
> (Google wasn't very helpful in providing info on how to do this), or fixed
> (again, not sure how to tag the fix as fixing this issue). One option may
> just be to reopen the PR and merge (and then fix forward by switching it to
> throw an exception).