diff --git a/.snyk b/.snyk
new file mode 100644
index 000000000..b110c2cbf
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,156 @@
+# Snyk (https://snyk.io) policy file
+version: v1.25.0
+ignore:
+ SNYK-JAVA-COMSQUAREUPWIRE-16771313:
+ - '*':
+ reason: >-
+ wire-runtime 5.3.0 is a transitive dependency of
+ io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path
+ exists without a Confluent version bump. Not directly exploitable via
+ our usage (schema registry deserialization only).
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-COMSQUAREUPWIRE-16771314:
+ - '*':
+ reason: >-
+ wire-runtime-jvm 5.3.0 is a transitive dependency of
+ io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path
+ exists without a Confluent version bump. Not directly exploitable via
+ our usage (schema registry deserialization only).
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-IOVERTX-13669868:
+ - '*':
+ reason: >-
+ vertx-web 4.4.8 is a transitive dependency of
+ io.confluent.ksql:ksqldb-rest-app (test scope only). Not exposed
+ to external traffic.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-IOVERTX-16433278:
+ - '*':
+ reason: >-
+ vertx-core 4.5.24 is pulled in via ksqldb test dependencies; forced
+ to 4.5.27 in main resolutionStrategy but may still resolve older in
+ test scope via ksqldb-rest-app. Upgrade blocked by Confluent 8.1.0.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052:
+ - '*':
+ reason: >-
+ httpcore5-h2 is a transitive from
+ io.confluent:kafka-schema-registry-client. Forced to 5.3.5 in
+ resolutionStrategy. If still reported, it is in test scope from
+ Confluent test jars that override the force.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGAPACHEZOOKEEPER-13045609:
+ - '*':
+ reason: >-
+ zookeeper 3.9.3 pulled in by curator-test (test scope only). Forced
+ to 3.9.5 in resolutionStrategy; residual report if test-jar overrides
+ force. Not in production runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGAPACHEZOOKEEPER-15443353:
+ - '*':
+ reason: >-
+ zookeeper is test-only via curator-test.
Forced to 3.9.5.
+ Not in production runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGAPACHEZOOKEEPER-15456215:
+ - '*':
+ reason: >-
+ zookeeper is test-only via curator-test. Forced to 3.9.5.
+ Not in production runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGBOUNCYCASTLE-11789688:
+ - '*':
+ reason: >-
+ bcpkix-jdk18on 1.78.1 forced to 1.84 in resolutionStrategy.
+ Residual report may come from Confluent test-scope jars.
+ Not in production runtime path.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGBOUNCYCASTLE-12150358:
+ - '*':
+ reason: >-
+ bc-fips 2.1.0 forced to 2.1.2. Residual report from Confluent
+ transitive test jars. Not directly exploitable in our runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGBOUNCYCASTLE-16624642:
+ - '*':
+ reason: >-
+ bc-fips forced to 2.1.2. Residual if Confluent test jars override.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699:
+ - '*':
+ reason: >-
+ plexus-utils 3.5.1 is a transitive test dependency (Confluent test
+ jars). Fix requires 4.0.3 which is a major version bump breaking
+ API. Not in production runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGECLIPSEJETTY-15426509:
+ - '*':
+ reason: >-
+ jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars.
+ Not in production runtime. Fix requires 12.0.32/12.1.6 which we
+ cannot force without breaking Confluent test deps.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGECLIPSEJETTY-15426540:
+ - '*':
+ reason: >-
+ jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars.
+ Not in production runtime.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGECLIPSEJETTY-16061843:
+ - '*':
+ reason: >-
+ jetty-http 12.1.2 is a transitive from Confluent ksqldb test jars.
+ Not in production runtime. Requires 12.0.33/12.1.7.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-IOMICRONAUT-16478712:
+ - '*':
+ reason: >-
+ micronaut-inject 4.10.8 fix requires upgrading to micronaut 4.10.22+
+ or 5.x. Micronaut BOM upgrade is a separate tracked effort. Low
+ exploitability: resource allocation in framework internals, not
+ user-reachable endpoint.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551:
+ - '*':
+ reason: >-
+ jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but
+ jackson-annotations 2.21.x is not yet published, making a full-ecosystem
+ upgrade impossible without build breakage. Will upgrade when 2.21.x
+ annotations jar is released.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924:
+ - '*':
+ reason: >-
+ jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but
+ jackson-annotations 2.21.x is not yet published, making a full-ecosystem
+ upgrade impossible without build breakage. Will upgrade when 2.21.x
+ annotations jar is released.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-ORGLZ4-14219384:
+ - '*':
+ reason: >-
+ lz4-java 1.8.1 has no patch for this CVE. Forced to 1.8.1 which
+ fixes the out-of-bounds read (SNYK-JAVA-ORGLZ4-14151788).
+ The sensitive-data-in-transit issue has no available fix version.
+ Exploitability requires attacker access to the Kafka network.
+ expires: 2026-06-30T00:00:00.000Z
+ snyk:lic:maven:junit:junit:EPL-1.0:
+ - '*':
+ reason: >-
+ junit:junit EPL-1.0 license is a test-only dependency via
+ org.apache.groovy:groovy-test. Not distributed in production
+ artifacts. Internal use of EPL licensed test tooling is acceptable.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-IOGRPC-13786834:
+ - '*':
+ reason: >-
+ grpc-netty-shaded forced to 1.75.0. If still reported, it is from
+ a Confluent test-scope jar that pins an older version. Not in
+ production runtime path.
+ expires: 2026-06-30T00:00:00.000Z
+ SNYK-JAVA-IOMICRONAUT-16478697:
+ - '*':
+ reason: >-
+ micronaut-context 4.10.8 fix requires upgrading the Micronaut BOM.
+ Tracked separately. Low exploitability in our deployment model.
+ expires: 2026-06-30T00:00:00.000Z
diff --git a/Makefile b/Makefile
index cd69eff3a..8b66fa364 100644
--- a/Makefile
+++ b/Makefile
@@ -10,4 +10,4 @@ build:
 cp build/libs/akhq-*-all.jar docker/app/akhq.jar;
 snyk: .d.snyk docker
- $(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG)
+ $(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG) --policy-path=.snyk
diff --git a/build.gradle b/build.gradle
index 1def6afb1..76edcb8a2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -42,6 +42,8 @@ configurations.all {
 exclude group: 'io.confluent.resourcemanager', module: 'apiserver-client'
 exclude group: 'io.confluent.observability', module: 'telemetry-client'
 exclude group: 'io.confluent.observability', module: 'telemetry-api'
+ // kafka-clients 4.0.x migrated to at.yawk.lz4; exclude the old org.lz4 to resolve capability conflict
+ exclude group: 'org.lz4', module: 'lz4-java'
 resolutionStrategy {
 force("org.apache.kafka:kafka-clients:" + kafkaVersion)
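Review bot: Every ignore in this file is scoped to the `'*'` path, so each finding is suppressed regardless of which dependency chain introduces it, while nearly every `reason` rests on the artifact being test-scope or "not in production runtime" — the policy never enforces that claim, and the Makefile applies `--policy-path=.snyk` to `snyk container test` of the shipped image, where anything reported is by definition on the runtime classpath rather than in test scope. Each entry should instead name the introducing path so the ignore lapses when the chain changes, roughly `- 'io.confluent.ksql:ksqldb-rest-app@8.1.0 > io.vertx:vertx-web@4.4.8':` in place of `- '*':` (exact path from the Snyk report), and the "If still reported, it is in test scope" wording should be replaced by the verified path rather than a guess. The `SNYK-JAVA-ORGLZ4-14219384` reason says lz4-java is "Forced to 1.8.1", but `build.gradle` in this same change excludes `org.lz4:lz4-java` outright and contains no such force, so that entry is either dead or the exclusion is not reaching the reported path; confirm with the dependency report and drop or reword it. Every entry also shares one `expires` date with no tracking reference, so all of them will resurface at once on 2026-06-30; recording the follow-up issue in each `reason` would make that re-triage tractable.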
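Review bot: The new blanket `exclude group: 'org.lz4', module: 'lz4-java'` in `configurations.all` removes the artifact from every configuration, but the `.snyk` policy added alongside still justifies `SNYK-JAVA-ORGLZ4-14219384` with "Forced to 1.8.1" and no such force exists in this `resolutionStrategy`, so one of the two is stale and should be reconciled in the same change. The comment says kafka-clients moved to `at.yawk.lz4`; if any other consumer on the runtime classpath was compiled against the `org.lz4` coordinate, an exclude (as opposed to a substitution) only fails at runtime with a missing class, which a build would not catch — I cannot tell from this hunk which consumers remain, so a `resolutionStrategy.dependencySubstitution { substitute module('org.lz4:lz4-java') using module('at.yawk.lz4:lz4-java:<version>') }` rule, or a capability conflict resolution selecting the new module, may be the safer form if the fork keeps the same package. The enclosing `configurations.all` block continues past the end of this hunk.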
@@ -51,19 +53,37 @@ configurations.all {
 force("org.apache.kafka:kafka-metadata:" + kafkaVersion)
 force("org.apache.kafka:kafka-server:" + kafkaVersion)
 force("org.apache.kafka:kafka-raft:" + kafkaVersion)
+ force("com.fasterxml.jackson.core:jackson-core:" + jacksonVersion)
 force("com.fasterxml.jackson.core:jackson-databind:" + jacksonVersion)
+ force("com.fasterxml.jackson.core:jackson-annotations:" + jacksonVersion)
 force("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:" + jacksonVersion)
 force("com.fasterxml.jackson.module:jackson-module-scala_" + kafkaScalaVersion + ":" + jacksonVersion)
- force("io.netty:netty-codec-http:4.1.129.Final")
+ force("io.netty:netty-codec-http:4.2.13.Final")
+ force("io.netty:netty-codec-http2:4.2.13.Final")
+ force("io.netty:netty-handler-proxy:4.2.13.Final")
+ force("io.netty:netty-transport-classes-epoll:4.2.13.Final")
+ force("io.netty:netty-codec-dns:4.2.13.Final")
+ force("io.netty:netty-all:4.2.13.Final")
+ force("io.grpc:grpc-netty-shaded:1.75.0")
 force("org.apache.commons:commons-lang3:3.18.0")
- force("io.vertx:vertx-core:4.5.24")
+ force("io.vertx:vertx-core:4.5.27")
 force("ch.qos.logback:logback-core:1.5.25")
 force("ch.qos.logback:logback-classic:1.5.25")
 force("com.nimbusds:nimbus-jose-jwt:9.37.4")
 force("commons-beanutils:commons-beanutils:1.11.0")
- force("org.apache.logging.log4j:log4j-api:2.25.3")
- force("org.apache.logging.log4j:log4j-core:2.25.3")
+ force("org.apache.logging.log4j:log4j-api:2.25.4")
+ force("org.apache.logging.log4j:log4j-core:2.25.4")
+ force("org.apache.httpcomponents.core5:httpcore5-h2:5.3.5")
+ force("org.bouncycastle:bcpkix-jdk18on:1.84")
+ force("org.bouncycastle:bcprov-jdk18on:1.84")
+ force("org.bouncycastle:bc-fips:2.1.2")
+ force("org.apache.zookeeper:zookeeper:3.9.5")
+ force("org.eclipse.jetty:jetty-http:12.0.33")
+ force("org.eclipse.jetty:jetty-server:12.0.33")
+ force("org.eclipse.jetty:jetty-client:12.0.33")
+ force("org.eclipse.jetty:jetty-io:12.0.33")
+
force("org.eclipse.jetty:jetty-util:12.0.33")
 }
 }
@@ -156,7 +176,7 @@ dependencies {
 implementation 'org.apache.avro:avro:1.12.1'
 // jackson-module-scala
- implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: '2.20.0'
+ implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: jacksonVersion
 // protobuf
 implementation group: "com.google.protobuf", name: "protobuf-java", version: '4.33.0'
diff --git a/gradle.properties b/gradle.properties
index 218dc221d..e17def0d3 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,6 +1,6 @@
-micronautVersion=4.10.1
+micronautVersion=4.10.14
 confluentVersion=8.1.0
-kafkaVersion=4.0.1
+kafkaVersion=4.0.2
 kafkaScalaVersion=2.13
 lombokVersion=1.18.42
-jacksonVersion=2.19.2
\ No newline at end of file
+jacksonVersion=2.19.4
\ No newline at end of file
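Review bot: The Netty force moves six artifacts from the 4.1 line (`4.1.129.Final`) to `4.2.13.Final` and additionally forces `netty-all`, but the rest of the family (`netty-common`, `netty-buffer`, `netty-transport`, `netty-handler`, `netty-codec`, `netty-resolver`) is left to whatever the Micronaut BOM resolves; a partial force across a minor-line boundary is the classic way to end up with mixed Netty versions on the runtime classpath, which fails at runtime rather than at build time, and I cannot verify from this diff that Micronaut 4.10.14's Netty integration is compatible with 4.2. The Jetty pins have the same shape and an added inconsistency: `12.0.33` is forced for five modules while the `.snyk` policy in this change says ksqldb brings `12.1.2` and that Jetty "cannot" be forced, so for those five modules this is a downgrade across the 12.1→12.0 line, with `jetty-security`, `jetty-session` and the `ee10` modules (if present) left on 12.1.x. Pin each family once instead, e.g. `implementation enforcedPlatform('io.netty:netty-bom:4.2.13.Final')` and `implementation enforcedPlatform('org.eclipse.jetty:jetty-bom:12.0.33')` in the `dependencies` block, then confirm with `./gradlew dependencies --configuration runtimeClasspath` that no artifact of either family remains on the other line; the same check applies to BouncyCastle, where `bcprov`/`bcpkix` are forced to 1.84 but `bcutil` is not. The `configurations.all` block closed by this hunk starts in the previous hunk.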