
Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor

Open heruan opened this issue 1 year ago • 2 comments

Describe the bug

We have received a notification for a vulnerability in our project using kubernetes-client:jar:6.9.2. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/logging-interceptor@3.12.12 [CVE-2023-0833] (owasp)

+- com.vaadin:control-center-starter:jar:1.0-SNAPSHOT:compile
|  \- org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config:jar:3.1.3:compile
|     \- org.springframework.cloud:spring-cloud-kubernetes-fabric8-config:jar:3.1.3:compile
|        +- io.fabric8:kubernetes-client:jar:6.9.2:compile
|        |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.9.2:runtime
|        |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:runtime 

Currently there is no released version of io.fabric8:kubernetes-client with fixes for the reported dependency.

https://github.com/fabric8io/kubernetes-client/blob/32b34730825404610265ef817cea1c7d126f6d88/pom.xml#L94

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

Have the kubernetes-client dependency and run a SBOM vulnerability scan.

Expected behavior

Depend on a com.squareup.okhttp3:logging-interceptor version with the vulnerability fixed.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3@latest

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response

heruan avatar Sep 12 '24 11:09 heruan

Fabric8 Kubernetes Client 7.0.0 will no longer depend on OkHttp 3.x: https://github.com/fabric8io/kubernetes-client/issues/5778

For previous versions, you should be able to override the OkHttp client version dependency in your pom.xml: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

Or using a different HttpClient implementation:

  • https://blog.marcnuri.com/kubernetes-client-6-httpclient-how-to

However, I'm not sure which of these options works better with spring-cloud-kubernetes.

Hopefully, v7 will be released soon though.

manusa avatar Sep 16 '24 06:09 manusa
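The two workarounds Marc lists above, as an added pom.xml example that is not from the issue or the project: Option A pins OkHttp to a 4.x release through dependencyManagement; Option B excludes the OkHttp client module and adds a different fabric8 HttpClient implementation. The 4.x version is a placeholder, and kubernetes-httpclient-jdk is an assumed artifact id; use one option, not both.

```xml
<!-- Added example (not from the issue): two alternatives to get the vulnerable
     com.squareup.okhttp3:logging-interceptor 3.12.12 out of the tree while
     staying on kubernetes-client 6.9.2. Use one or the other. The 4.x version
     is a placeholder and kubernetes-httpclient-jdk is an assumed artifact id. -->
<properties>
  <!-- Option A: pin to a verified OkHttp 4.x release (placeholder value) -->
  <okhttp.version>4.x.y-REPLACE-ME</okhttp.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Option A: manage both OkHttp artifacts to the same 4.x line so the
         transitive 3.12.12 logging-interceptor is no longer selected. -->
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>${okhttp.version}</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>logging-interceptor</artifactId>
      <version>${okhttp.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Option B: exclude the OkHttp-based client and pick another fabric8
       HttpClient implementation so no OkHttp 3.x artifact is pulled in. -->
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
    <version>3.1.3</version>
    <exclusions>
      <exclusion>
        <groupId>io.fabric8</groupId>
        <artifactId>kubernetes-httpclient-okhttp</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>io.fabric8</groupId>
    <artifactId>kubernetes-httpclient-jdk</artifactId>
    <version>6.9.2</version>
  </dependency>
</dependencies>
```

Confirm the result with mvn dependency:tree -Dincludes=com.squareup.okhttp3 before re-running the SBOM scan, since a managed version only takes effect if nothing else pins 3.12.12 closer to the root.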

hello Marc!

We will be integrating 7.0.0 when that is available, but not sooner than our 4.x.x releases, and we are currently at 3.x.x. From what I know, that will start happening somewhere next year.

wind57 avatar Sep 20 '24 06:09 wind57

This issue has been automatically marked as stale because it has not had any activity for 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!

stale[bot] avatar Dec 20 '24 18:12 stale[bot]

Version 7.x is now available with no OkHttp mandatory dependencies. Optional OkHttp dependencies now point to version 4 which doesn't have vulnerabilities.

https://github.com/fabric8io/kubernetes-client/releases/tag/v7.0.1

manusa avatar Dec 21 '24 02:12 manusa