As I told you on the Strimzi mailing list:

* You should check the paths where the vulnerabilities are found and in which component they are => that should tell you where it needs to be addressed
* You should also compare which ones are already addressed in the upcoming Kafka 3.5.2 (or in Kafka 3.6.1 for example that is already released)

Then you might know which of them are related to Kafka and are still not addressed yet. Then you can go through them and see if they actually have any impact or not.

Thanks & Regards
Jakub

On Fri, Dec 8, 2023 at 6:21 PM <balagopal.sanka...@cognizant.com.invalid> wrote:
> Hi Team,
>
> We have run a Trivy scan on the image quay.io/strimzi/kafka:latest-kafka-3.5.1 and found 7 high and 2 critical vulnerabilities. Please take a look at the attached report.
>
> Could you please let me know when these issues will be fixed?
>
> Severity   Package/Jar                                                          Vulnerability
> HIGH       io.netty:netty-codec-http2 (netty-codec-http2-4.1.93.Final.jar)      GHSA-xpw8-rcwv-8f8p
> HIGH       org.bitbucket.b_c:jose4j (jose4j-0.7.8.jar)                          CVE-2023-31582
> HIGH       org.elasticsearch:elasticsearch (elasticsearch-7.17.3.jar)           CVE-2023-31418
> HIGH       org.json:json (json-20230227.jar)                                    CVE-2023-5072
> HIGH       org.xerial.snappy:snappy-java (snappy-java-1.1.10.1.jar)             CVE-2023-43642
> HIGH       golang.org/x/net                                                     CVE-2023-39325
> CRITICAL   org.apache.zookeeper:zookeeper (zookeeper-3.6.3.jar / zookeeper-3.6.4.jar)  CVE-2023-44981
>
> Regards,
> Balagopal S
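The triage the reply recommends (attribute each finding to a component by its jar path, then check whether a newer Kafka release already carries a fixed version) as an added example; it is not code from the thread or from the Strimzi project. The Trivy JSON excerpt, the jar paths, the FixedVersion values and the "newer Kafka" manifest are constructed assumptions, not the attached report or a real Kafka release listing.

```python
"""Triage a Trivy JSON report by component and by upstream fix status."""
import json
import re
from collections import defaultdict

# Constructed Trivy excerpt (not the report attached to the thread). CVE IDs and
# package names come from the thread; paths and FixedVersion values are assumed.
TRIVY_REPORT = json.dumps({"Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-43642", "PkgName": "org.xerial.snappy:snappy-java",
         "InstalledVersion": "1.1.10.1", "FixedVersion": "1.1.10.4", "Severity": "HIGH",
         "PkgPath": "/opt/kafka/libs/snappy-java-1.1.10.1.jar"},
        {"VulnerabilityID": "CVE-2023-44981", "PkgName": "org.apache.zookeeper:zookeeper",
         "InstalledVersion": "3.6.3", "FixedVersion": "3.7.2", "Severity": "CRITICAL",
         "PkgPath": "/opt/kafka/libs/zookeeper-3.6.3.jar"},
        {"VulnerabilityID": "CVE-2023-31582", "PkgName": "org.bitbucket.b_c:jose4j",
         "InstalledVersion": "0.7.8", "FixedVersion": "0.9.3", "Severity": "HIGH",
         "PkgPath": "/opt/kafka/libs/oauth/jose4j-0.7.8.jar"},
    ]}]})

# Constructed manifest of jars bundled by a hypothetical newer Kafka release;
# the real list comes from that release's libs/ directory or its release notes.
NEWER_KAFKA_LIBS = {"org.xerial.snappy:snappy-java": "1.1.10.3",
                    "org.apache.zookeeper:zookeeper": "3.8.3"}

def version_key(v):
    """Numeric-prefix comparison key: '4.1.93.Final' -> (4, 1, 93)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def component_for(path):
    """Map a jar path to its owning component; in this constructed layout only
    jars directly under /opt/kafka/libs belong to Kafka itself."""
    return "kafka" if re.match(r"/opt/kafka/libs/[^/]+\.jar$", path) else "strimzi-addon"

def triage(report_json, newer_libs):
    """Return {component: [(cve, pkg, status)]}; status records whether the
    newer release already ships a version at or above Trivy's FixedVersion."""
    out = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when clean
            newer, fixed = newer_libs.get(v["PkgName"]), v.get("FixedVersion")
            if newer and fixed and version_key(newer) >= version_key(fixed):
                status = f"fixed upstream ({newer})"
            elif newer:
                status = f"still vulnerable upstream ({newer})"
            else:
                status = "not shipped by newer Kafka: check component owner"
            out[component_for(v["PkgPath"])].append((v["VulnerabilityID"], v["PkgName"], status))
    return dict(out)

if __name__ == "__main__":
    for comp, items in triage(TRIVY_REPORT, NEWER_KAFKA_LIBS).items():
        print(comp)
        for cve, pkg, status in items:
            print(f"  {cve:16} {pkg:36} {status}")
```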