Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor #6344

Closed
heruan opened this issue Sep 12, 2024 · 4 comments
Closed

Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor #6344

heruan opened this issue Sep 12, 2024 · 4 comments
Labels
status/stale

Comments

@heruan
Copy link

heruan commented Sep 12, 2024

Describe the bug

We have received a notification for a vulnerability in our project using kubernetes-client:jar:6.9.2. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/[email protected] [CVE-2023-0833] (owasp)

+- com.vaadin:control-center-starter:jar:1.0-SNAPSHOT:compile
|  \- org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config:jar:3.1.3:compile
|     \- org.springframework.cloud:spring-cloud-kubernetes-fabric8-config:jar:3.1.3:compile
|        +- io.fabric8:kubernetes-client:jar:6.9.2:compile
|        |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.9.2:runtime
|        |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:runtime

currently there is not released version from io.fabric8:kubernetes-client with fixes on the reported dependency.

kubernetes-client/pom.xml

Line 94 in 32b3473

<okhttp.version>3.12.12</okhttp.version>

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

Have the kubernetes-client dependency and run a SBOM vulnerability scan.

Expected behavior

Depend on a com.squareup.okhttp3:logging-interceptor version with the vulnerability fixed.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3@latest

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response
@heruan heruan mentioned this issue Sep 12, 2024
Open
@manusa
Copy link
Member

manusa commented Sep 16, 2024

Fabric8 Kubernetes Client 7.0.0 will no longer depend on OkHttp 3.x: #5778

For previous versions, you should be able to override the OkHttp client version dependency in your pom.xml: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

Or using a different HttpClient implementation:

However, I'm not sure which of these options work better with spring-cloud-kubernetes.

Hopefully, v7 will be released soon though.

@wind57
Copy link
Contributor

wind57 commented Sep 20, 2024

hello Marc!

We will be integrating 7.0.0 when that is available, but not sooner then our 4.x.x releases, and we are currently at 3.x.x. From what I know, that will start happening somewhere next year.

@stale Stale
Copy link

stale bot commented Dec 20, 2024

This issue has been automatically marked as stale because it has not had any activity since 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!

@stale stale bot added the status/stale label Dec 20, 2024
@manusa
Copy link
Member

manusa commented Dec 21, 2024

Version 7.x is now available with no OkHttp mandatory dependencies.
Optional OkHttp dependencies now point to version 4 which doesn't have vulnerabilities.

https://github.com/fabric8io/kubernetes-client/releases/tag/v7.0.1

@manusa manusa closed this as completed Dec 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status/stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@manusa @heruan @wind57