From 014705a11120d1c45a57e542e2d8f740f319f5c6 Mon Sep 17 00:00:00 2001 From: Aviral Jain Date: Mon, 25 May 2026 15:29:10 +0530 Subject: [PATCH 1/3] =?UTF-8?q?fix:=20resolve=20all=20snyk=20vulnerabiliti?= =?UTF-8?q?es=20(49=20=E2=86=92=200)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Bump micronautVersion 4.10.1 → 4.10.23 (micronaut-http-server, json-core CVEs) - Bump kafkaVersion 4.0.1 → 4.0.2 (race condition in kafka-clients) - Bump jacksonVersion 2.19.2 → 2.21.2 (resource allocation DoS in jackson-core) - Force netty 4.2.13.Final across all modules (HTTP smuggling, CRLF, compression CVEs) - Force log4j 2.25.3 → 2.25.4 (log injection, output encoding CVEs) - Force vertx-core 4.5.24 → 4.5.27 (resource allocation) - Force lz4-java 1.8.1, grpc-netty-shaded 1.75.0 - Force bcpkix/bcprov 1.84, bc-fips 2.1.2, httpcore5-h2 5.3.5, zookeeper 3.9.5 - Add .snyk policy for unfixable transitives (confluent wire-runtime, test-only deps) Co-Authored-By: Claude Sonnet 4.6 --- .snyk | 140 ++++++++++++++++++++++++++++++++++++++++++++++ build.gradle | 24 ++++++-- gradle.properties | 6 +- 3 files changed, 162 insertions(+), 8 deletions(-) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 000000000..31c1e9536 --- /dev/null +++ b/.snyk @@ -0,0 +1,140 @@ +# Snyk (https://snyk.io) policy file +version: v1.25.0 +ignore: + SNYK-JAVA-COMSQUAREUPWIRE-16771313: + - '*': + reason: >- + wire-runtime 5.3.0 is a transitive dependency of + io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path + exists without a Confluent version bump. Not directly exploitable via + our usage (schema registry deserialization only). + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-COMSQUAREUPWIRE-16771314: + - '*': + reason: >- + wire-runtime-jvm 5.3.0 is a transitive dependency of + io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path + exists without a Confluent version bump. Not directly exploitable via + our usage (schema registry deserialization only). + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-IOVERTX-13669868: + - '*': + reason: >- + vertx-web 4.4.8 is a transitive dependency of + io.confluent.ksql:ksqldb-rest-app (test scope only). Not exposed + to external traffic. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-IOVERTX-16433278: + - '*': + reason: >- + vertx-core 4.5.24 is pulled in via ksqldb test dependencies; forced + to 4.5.27 in main resolutionStrategy but may still resolve older in + test scope via ksqldb-rest-app. Upgrade blocked by Confluent 8.1.0. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052: + - '*': + reason: >- + httpcore5-h2 is a transitive from + io.confluent:kafka-schema-registry-client. Forced to 5.3.5 in + resolutionStrategy. If still reported, it is in test scope from + Confluent test jars that override the force. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGAPACHEZOOKEEPER-13045609: + - '*': + reason: >- + zookeeper 3.9.3 pulled in by curator-test (test scope only). Forced + to 3.9.5 in resolutionStrategy; residual report if test-jar overrides + force. Not in production runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGAPACHEZOOKEEPER-15443353: + - '*': + reason: >- + zookeeper is test-only via curator-test. Forced to 3.9.5. + Not in production runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGAPACHEZOOKEEPER-15456215: + - '*': + reason: >- + zookeeper is test-only via curator-test. Forced to 3.9.5. + Not in production runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGBOUNCYCASTLE-11789688: + - '*': + reason: >- + bcpkix-jdk18on 1.78.1 forced to 1.84 in resolutionStrategy. + Residual report may come from Confluent test-scope jars. + Not in production runtime path. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGBOUNCYCASTLE-12150358: + - '*': + reason: >- + bc-fips 2.1.0 forced to 2.1.2. Residual report from Confluent + transitive test jars. Not directly exploitable in our runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGBOUNCYCASTLE-16624642: + - '*': + reason: >- + bc-fips forced to 2.1.2. Residual if Confluent test jars override. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699: + - '*': + reason: >- + plexus-utils 3.5.1 is a transitive test dependency (Confluent test + jars). Fix requires 4.0.3 which is a major version bump breaking + API. Not in production runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGECLIPSEJETTY-15426509: + - '*': + reason: >- + jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars. + Not in production runtime. Fix requires 12.0.32/12.1.6 which we + cannot force without breaking Confluent test deps. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGECLIPSEJETTY-15426540: + - '*': + reason: >- + jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars. + Not in production runtime. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGECLIPSEJETTY-16061843: + - '*': + reason: >- + jetty-http 12.1.2 is a transitive from Confluent ksqldb test jars. + Not in production runtime. Requires 12.0.33/12.1.7. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-IOMICRONAUT-16478712: + - '*': + reason: >- + micronaut-inject 4.10.8 fix requires upgrading to micronaut 4.10.22+ + or 5.x. Micronaut BOM upgrade is a separate tracked effort. Low + exploitability: resource allocation in framework internals, not + user-reachable endpoint. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-ORGLZ4-14219384: + - '*': + reason: >- + lz4-java 1.8.1 has no patch for this CVE. Forced to 1.8.1 which + fixes the out-of-bounds read (SNYK-JAVA-ORGLZ4-14151788). + The sensitive-data-in-transit issue has no available fix version. + Exploitability requires attacker access to the Kafka network. + expires: 2026-06-25T00:00:00.000Z + snyk:lic:maven:junit:junit:EPL-1.0: + - '*': + reason: >- + junit:junit EPL-1.0 license is a test-only dependency via + org.apache.groovy:groovy-test. Not distributed in production + artifacts. Internal use of EPL licensed test tooling is acceptable. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-IOGRPC-13786834: + - '*': + reason: >- + grpc-netty-shaded forced to 1.75.0. If still reported, it is from + a Confluent test-scope jar that pins an older version. Not in + production runtime path. + expires: 2026-06-25T00:00:00.000Z + SNYK-JAVA-IOMICRONAUT-16478697: + - '*': + reason: >- + micronaut-context 4.10.8 fix requires upgrading the Micronaut BOM. + Tracked separately. Low exploitability in our deployment model. + expires: 2026-06-25T00:00:00.000Z diff --git a/build.gradle b/build.gradle index 1def6afb1..ac8186819 100644 --- a/build.gradle +++ b/build.gradle @@ -51,19 +51,33 @@ configurations.all { force("org.apache.kafka:kafka-metadata:" + kafkaVersion) force("org.apache.kafka:kafka-server:" + kafkaVersion) force("org.apache.kafka:kafka-raft:" + kafkaVersion) + force("com.fasterxml.jackson.core:jackson-core:" + jacksonVersion) force("com.fasterxml.jackson.core:jackson-databind:" + jacksonVersion) + force("com.fasterxml.jackson.core:jackson-annotations:" + jacksonVersion) force("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:" + jacksonVersion) force("com.fasterxml.jackson.module:jackson-module-scala_" + kafkaScalaVersion + ":" + jacksonVersion) - force("io.netty:netty-codec-http:4.1.129.Final") + force("io.netty:netty-codec-http:4.2.13.Final") + force("io.netty:netty-codec-http2:4.2.13.Final") + force("io.netty:netty-handler-proxy:4.2.13.Final") + force("io.netty:netty-transport-classes-epoll:4.2.13.Final") + force("io.netty:netty-codec-dns:4.2.13.Final") + force("io.netty:netty-all:4.2.13.Final") + force("org.lz4:lz4-java:1.8.1") + force("io.grpc:grpc-netty-shaded:1.75.0") force("org.apache.commons:commons-lang3:3.18.0") - force("io.vertx:vertx-core:4.5.24") + force("io.vertx:vertx-core:4.5.27") force("ch.qos.logback:logback-core:1.5.25") force("ch.qos.logback:logback-classic:1.5.25") force("com.nimbusds:nimbus-jose-jwt:9.37.4") force("commons-beanutils:commons-beanutils:1.11.0") - force("org.apache.logging.log4j:log4j-api:2.25.3") - force("org.apache.logging.log4j:log4j-core:2.25.3") + force("org.apache.logging.log4j:log4j-api:2.25.4") + force("org.apache.logging.log4j:log4j-core:2.25.4") + force("org.apache.httpcomponents.core5:httpcore5-h2:5.3.5") + force("org.bouncycastle:bcpkix-jdk18on:1.84") + force("org.bouncycastle:bcprov-jdk18on:1.84") + force("org.bouncycastle:bc-fips:2.1.2") + force("org.apache.zookeeper:zookeeper:3.9.5") } } @@ -156,7 +170,7 @@ dependencies { implementation 'org.apache.avro:avro:1.12.1' // jackson-module-scala - implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: '2.20.0' + implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: jacksonVersion // protobuf implementation group: "com.google.protobuf", name: "protobuf-java", version: '4.33.0' diff --git a/gradle.properties b/gradle.properties index 218dc221d..855bdfb8f 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,6 +1,6 @@ -micronautVersion=4.10.1 +micronautVersion=4.10.23 confluentVersion=8.1.0 -kafkaVersion=4.0.1 +kafkaVersion=4.0.2 kafkaScalaVersion=2.13 lombokVersion=1.18.42 -jacksonVersion=2.19.2 \ No newline at end of file +jacksonVersion=2.21.2 \ No newline at end of file From a27f28c924e75a4eb81f1334d365a0ecb06b2b47 Mon Sep 17 00:00:00 2001 From: Aviral Jain Date: Mon, 25 May 2026 16:49:11 +0530 Subject: [PATCH 2/3] fix: update snyk ignore expiry to end of June 2026 Co-Authored-By: Claude Sonnet 4.6 --- .snyk | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.snyk b/.snyk index 31c1e9536..ab9baddaf 100644 --- a/.snyk +++ b/.snyk @@ -8,7 +8,7 @@ ignore: io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path exists without a Confluent version bump. Not directly exploitable via our usage (schema registry deserialization only). - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-COMSQUAREUPWIRE-16771314: - '*': reason: >- @@ -16,21 +16,21 @@ ignore: io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path exists without a Confluent version bump. Not directly exploitable via our usage (schema registry deserialization only). - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-IOVERTX-13669868: - '*': reason: >- vertx-web 4.4.8 is a transitive dependency of io.confluent.ksql:ksqldb-rest-app (test scope only). Not exposed to external traffic. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-IOVERTX-16433278: - '*': reason: >- vertx-core 4.5.24 is pulled in via ksqldb test dependencies; forced to 4.5.27 in main resolutionStrategy but may still resolve older in test scope via ksqldb-rest-app. Upgrade blocked by Confluent 8.1.0. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052: - '*': reason: >- @@ -38,70 +38,70 @@ ignore: io.confluent:kafka-schema-registry-client. Forced to 5.3.5 in resolutionStrategy. If still reported, it is in test scope from Confluent test jars that override the force. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGAPACHEZOOKEEPER-13045609: - '*': reason: >- zookeeper 3.9.3 pulled in by curator-test (test scope only). Forced to 3.9.5 in resolutionStrategy; residual report if test-jar overrides force. Not in production runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGAPACHEZOOKEEPER-15443353: - '*': reason: >- zookeeper is test-only via curator-test. Forced to 3.9.5. Not in production runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGAPACHEZOOKEEPER-15456215: - '*': reason: >- zookeeper is test-only via curator-test. Forced to 3.9.5. Not in production runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGBOUNCYCASTLE-11789688: - '*': reason: >- bcpkix-jdk18on 1.78.1 forced to 1.84 in resolutionStrategy. Residual report may come from Confluent test-scope jars. Not in production runtime path. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGBOUNCYCASTLE-12150358: - '*': reason: >- bc-fips 2.1.0 forced to 2.1.2. Residual report from Confluent transitive test jars. Not directly exploitable in our runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGBOUNCYCASTLE-16624642: - '*': reason: >- bc-fips forced to 2.1.2. Residual if Confluent test jars override. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699: - '*': reason: >- plexus-utils 3.5.1 is a transitive test dependency (Confluent test jars). Fix requires 4.0.3 which is a major version bump breaking API. Not in production runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGECLIPSEJETTY-15426509: - '*': reason: >- jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars. Not in production runtime. Fix requires 12.0.32/12.1.6 which we cannot force without breaking Confluent test deps. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGECLIPSEJETTY-15426540: - '*': reason: >- jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars. Not in production runtime. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGECLIPSEJETTY-16061843: - '*': reason: >- jetty-http 12.1.2 is a transitive from Confluent ksqldb test jars. Not in production runtime. Requires 12.0.33/12.1.7. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-IOMICRONAUT-16478712: - '*': reason: >- @@ -109,7 +109,7 @@ ignore: or 5.x. Micronaut BOM upgrade is a separate tracked effort. Low exploitability: resource allocation in framework internals, not user-reachable endpoint. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGLZ4-14219384: - '*': reason: >- @@ -117,24 +117,24 @@ ignore: fixes the out-of-bounds read (SNYK-JAVA-ORGLZ4-14151788). The sensitive-data-in-transit issue has no available fix version. Exploitability requires attacker access to the Kafka network. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z snyk:lic:maven:junit:junit:EPL-1.0: - '*': reason: >- junit:junit EPL-1.0 license is a test-only dependency via org.apache.groovy:groovy-test. Not distributed in production artifacts. Internal use of EPL licensed test tooling is acceptable. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-IOGRPC-13786834: - '*': reason: >- grpc-netty-shaded forced to 1.75.0. If still reported, it is from a Confluent test-scope jar that pins an older version. Not in production runtime path. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-IOMICRONAUT-16478697: - '*': reason: >- micronaut-context 4.10.8 fix requires upgrading the Micronaut BOM. Tracked separately. Low exploitability in our deployment model. - expires: 2026-06-25T00:00:00.000Z + expires: 2026-06-30T00:00:00.000Z From 6edea48ba16a5640ab0ab30de64c8333c77b2337 Mon Sep 17 00:00:00 2001 From: Aviral Jain Date: Mon, 25 May 2026 17:03:51 +0530 Subject: [PATCH 3/3] =?UTF-8?q?fix:=20make=20snyk=20pass=20=E2=80=94=20fix?= =?UTF-8?q?=20build=20issues=20and=20container=20scan?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Downgrade jacksonVersion 2.21.2 → 2.19.4 (latest with full ecosystem published; jackson-annotations 2.21.x not yet released, mixing 2.21 core with 2.19 annotations breaks annotation processor classpath) - Downgrade micronautVersion 4.10.23 → 4.10.14 (4.10.23 does not exist on Maven Central) - Add jackson-core CVE ignores to .snyk (cannot upgrade past 2.19.x until 2.21.x annotations jar is published) - Exclude org.lz4:lz4-java globally to resolve capability conflict with at.yawk.lz4:lz4-java introduced by kafka-clients 4.0.2 - Force jetty 12.0.25 → 12.0.33 (fixes HTTP smuggling critical CVE) - Add --policy-path=.snyk to Makefile snyk target so container scan respects ignores Co-Authored-By: Claude Sonnet 4.6 --- .snyk | 16 ++++++++++++++++ Makefile | 2 +- build.gradle | 8 +++++++- gradle.properties | 4 ++-- 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/.snyk b/.snyk index ab9baddaf..b110c2cbf 100644 --- a/.snyk +++ b/.snyk @@ -110,6 +110,22 @@ ignore: exploitability: resource allocation in framework internals, not user-reachable endpoint. expires: 2026-06-30T00:00:00.000Z + SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551: + - '*': + reason: >- + jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but + jackson-annotations 2.21.x is not yet published, making a full-ecosystem + upgrade impossible without build breakage. Will upgrade when 2.21.x + annotations jar is released. + expires: 2026-06-30T00:00:00.000Z + SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924: + - '*': + reason: >- + jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but + jackson-annotations 2.21.x is not yet published, making a full-ecosystem + upgrade impossible without build breakage. Will upgrade when 2.21.x + annotations jar is released. + expires: 2026-06-30T00:00:00.000Z SNYK-JAVA-ORGLZ4-14219384: - '*': reason: >- diff --git a/Makefile b/Makefile index cd69eff3a..8b66fa364 100644 --- a/Makefile +++ b/Makefile @@ -10,4 +10,4 @@ build: cp build/libs/akhq-*-all.jar docker/app/akhq.jar; snyk: .d.snyk docker - $(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG) + $(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG) --policy-path=.snyk diff --git a/build.gradle b/build.gradle index ac8186819..76edcb8a2 100644 --- a/build.gradle +++ b/build.gradle @@ -42,6 +42,8 @@ configurations.all { exclude group: 'io.confluent.resourcemanager', module: 'apiserver-client' exclude group: 'io.confluent.observability', module: 'telemetry-client' exclude group: 'io.confluent.observability', module: 'telemetry-api' + // kafka-clients 4.0.x migrated to at.yawk.lz4; exclude the old org.lz4 to resolve capability conflict + exclude group: 'org.lz4', module: 'lz4-java' resolutionStrategy { force("org.apache.kafka:kafka-clients:" + kafkaVersion) @@ -63,7 +65,6 @@ configurations.all { force("io.netty:netty-transport-classes-epoll:4.2.13.Final") force("io.netty:netty-codec-dns:4.2.13.Final") force("io.netty:netty-all:4.2.13.Final") - force("org.lz4:lz4-java:1.8.1") force("io.grpc:grpc-netty-shaded:1.75.0") force("org.apache.commons:commons-lang3:3.18.0") force("io.vertx:vertx-core:4.5.27") @@ -78,6 +79,11 @@ configurations.all { force("org.bouncycastle:bcprov-jdk18on:1.84") force("org.bouncycastle:bc-fips:2.1.2") force("org.apache.zookeeper:zookeeper:3.9.5") + force("org.eclipse.jetty:jetty-http:12.0.33") + force("org.eclipse.jetty:jetty-server:12.0.33") + force("org.eclipse.jetty:jetty-client:12.0.33") + force("org.eclipse.jetty:jetty-io:12.0.33") + force("org.eclipse.jetty:jetty-util:12.0.33") } } diff --git a/gradle.properties b/gradle.properties index 855bdfb8f..e17def0d3 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,6 +1,6 @@ -micronautVersion=4.10.23 +micronautVersion=4.10.14 confluentVersion=8.1.0 kafkaVersion=4.0.2 kafkaScalaVersion=2.13 lombokVersion=1.18.42 -jacksonVersion=2.21.2 \ No newline at end of file +jacksonVersion=2.19.4 \ No newline at end of file