Merged
156 changes: 156 additions & 0 deletions .snyk
@@ -0,0 +1,156 @@
# Snyk (https://snyk.io) policy file
version: v1.25.0
ignore:
SNYK-JAVA-COMSQUAREUPWIRE-16771313:
- '*':
reason: >-
wire-runtime 5.3.0 is a transitive dependency of
io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path
exists without a Confluent version bump. Not directly exploitable via
our usage (schema registry deserialization only).
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-COMSQUAREUPWIRE-16771314:
- '*':
reason: >-
wire-runtime-jvm 5.3.0 is a transitive dependency of
io.confluent:kafka-protobuf-serializer@8.1.0. No safe upgrade path
exists without a Confluent version bump. Not directly exploitable via
our usage (schema registry deserialization only).
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-IOVERTX-13669868:
- '*':
reason: >-
vertx-web 4.4.8 is a transitive dependency of
io.confluent.ksql:ksqldb-rest-app (test scope only). Not exposed
to external traffic.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-IOVERTX-16433278:
- '*':
reason: >-
vertx-core 4.5.24 is pulled in via ksqldb test dependencies; forced
to 4.5.27 in main resolutionStrategy but may still resolve older in
test scope via ksqldb-rest-app. Upgrade blocked by Confluent 8.1.0.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052:
- '*':
reason: >-
httpcore5-h2 is a transitive from
io.confluent:kafka-schema-registry-client. Forced to 5.3.5 in
resolutionStrategy. If still reported, it is in test scope from
Confluent test jars that override the force.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGAPACHEZOOKEEPER-13045609:
- '*':
reason: >-
zookeeper 3.9.3 pulled in by curator-test (test scope only). Forced
to 3.9.5 in resolutionStrategy; residual report if test-jar overrides
force. Not in production runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGAPACHEZOOKEEPER-15443353:
- '*':
reason: >-
zookeeper is test-only via curator-test. Forced to 3.9.5.
Not in production runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGAPACHEZOOKEEPER-15456215:
- '*':
reason: >-
zookeeper is test-only via curator-test. Forced to 3.9.5.
Not in production runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGBOUNCYCASTLE-11789688:
- '*':
reason: >-
bcpkix-jdk18on 1.78.1 forced to 1.84 in resolutionStrategy.
Residual report may come from Confluent test-scope jars.
Not in production runtime path.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGBOUNCYCASTLE-12150358:
- '*':
reason: >-
bc-fips 2.1.0 forced to 2.1.2. Residual report from Confluent
transitive test jars. Not directly exploitable in our runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGBOUNCYCASTLE-16624642:
- '*':
reason: >-
bc-fips forced to 2.1.2. Residual if Confluent test jars override.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699:
- '*':
reason: >-
plexus-utils 3.5.1 is a transitive test dependency (Confluent test
jars). Fix requires 4.0.3 which is a major version bump breaking
API. Not in production runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGECLIPSEJETTY-15426509:
- '*':
reason: >-
jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars.
Not in production runtime. Fix requires 12.0.32/12.1.6 which we
cannot force without breaking Confluent test deps.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGECLIPSEJETTY-15426540:
- '*':
reason: >-
jetty-server 12.1.2 is a transitive from Confluent ksqldb test jars.
Not in production runtime.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGECLIPSEJETTY-16061843:
- '*':
reason: >-
jetty-http 12.1.2 is a transitive from Confluent ksqldb test jars.
Not in production runtime. Requires 12.0.33/12.1.7.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-IOMICRONAUT-16478712:
- '*':
reason: >-
micronaut-inject 4.10.8 fix requires upgrading to micronaut 4.10.22+
or 5.x. Micronaut BOM upgrade is a separate tracked effort. Low
exploitability: resource allocation in framework internals, not
user-reachable endpoint.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551:
- '*':
reason: >-
jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but
jackson-annotations 2.21.x is not yet published, making a full-ecosystem
upgrade impossible without build breakage. Will upgrade when 2.21.x
annotations jar is released.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924:
- '*':
reason: >-
jackson-core 2.19.4 (latest in 2.19.x line). Fix requires 2.21.2 but
jackson-annotations 2.21.x is not yet published, making a full-ecosystem
upgrade impossible without build breakage. Will upgrade when 2.21.x
annotations jar is released.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-ORGLZ4-14219384:
- '*':
reason: >-
lz4-java 1.8.1 has no patch for this CVE. Forced to 1.8.1 which
fixes the out-of-bounds read (SNYK-JAVA-ORGLZ4-14151788).
The sensitive-data-in-transit issue has no available fix version.
Exploitability requires attacker access to the Kafka network.
expires: 2026-06-30T00:00:00.000Z
snyk:lic:maven:junit:junit:EPL-1.0:
- '*':
reason: >-
junit:junit EPL-1.0 license is a test-only dependency via
org.apache.groovy:groovy-test. Not distributed in production
artifacts. Internal use of EPL licensed test tooling is acceptable.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-IOGRPC-13786834:
- '*':
reason: >-
grpc-netty-shaded forced to 1.75.0. If still reported, it is from
a Confluent test-scope jar that pins an older version. Not in
production runtime path.
expires: 2026-06-30T00:00:00.000Z
SNYK-JAVA-IOMICRONAUT-16478697:
- '*':
reason: >-
micronaut-context 4.10.8 fix requires upgrading the Micronaut BOM.
Tracked separately. Low exploitability in our deployment model.
expires: 2026-06-30T00:00:00.000Z
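Review bot: several ignore reasons in this file contradict the build.gradle changes in the same PR, so the policy needs reconciling before it is trusted. The jetty entries say `Fix requires 12.0.32/12.1.6 which we cannot force without breaking Confluent test deps`, yet build.gradle now forces every jetty module to 12.0.33; the lz4 entry says `Forced to 1.8.1` while build.gradle excludes `org.lz4:lz4-java` outright, so that ignore is either moot or describes the wrong artifact. Two smaller points: every entry uses the `'*'` path wildcard, which also suppresses the finding if the vulnerable jar later lands on the production classpath, so prefer the specific dependency path Snyk reports; and all 22 entries expire on the same day (2026-06-30), so the scan will fail all at once then with no earlier signal. Suggest narrowing the paths, fixing the jetty and lz4 reasons, and tracking the expiry.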
2 changes: 1 addition & 1 deletion Makefile
@@ -10,4 +10,4 @@ build:
cp build/libs/akhq-*-all.jar docker/app/akhq.jar;

snyk: .d.snyk docker
$(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG)
$(SNYK) container test $(PROJECT_NAME):$(DOCKER_BUILD_TAG) --policy-path=.snyk
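Review bot: `--policy-path=.snyk` applies ignores that are mostly justified as "test scope only" or "not in production runtime", but `snyk container test` only sees what is in the image, and the image is built from `build/libs/akhq-*-all.jar` two lines above. If Snyk reports one of those packages against the image, the jar is inside the shaded runtime artifact and the test-scope reasoning does not hold; if it never reports them, the ignore is dead weight. Suggest listing the fat jar contents for the named artifacts (zookeeper, jetty, plexus-utils, curator-test) before accepting the test-scope justifications, and dropping any ignore the container scan does not actually trigger.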
30 changes: 25 additions & 5 deletions build.gradle
Expand Up @@ -42,6 +42,8 @@ configurations.all {
exclude group: 'io.confluent.resourcemanager', module: 'apiserver-client'
exclude group: 'io.confluent.observability', module: 'telemetry-client'
exclude group: 'io.confluent.observability', module: 'telemetry-api'
// kafka-clients 4.0.x migrated to at.yawk.lz4; exclude the old org.lz4 to resolve capability conflict
exclude group: 'org.lz4', module: 'lz4-java'

resolutionStrategy {
force("org.apache.kafka:kafka-clients:" + kafkaVersion)
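Review bot: the blanket `exclude group: 'org.lz4', module: 'lz4-java'` under `configurations.all` removes the library for every consumer, not only kafka-clients. Any other artifact on the classpath (the Confluent serializers or ksqldb jars) still compiled against `net.jpountz.lz4` classes would fail with NoClassDefFoundError only when an LZ4-compressed record is actually read, which unit tests may not exercise. Suggest running `gradle dependencyInsight --dependency lz4-java` (with the exclusion temporarily removed) to see which artifacts request it, and covering the path with a test that consumes an LZ4-compressed topic.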
@@ -51,19 +53,37 @@ configurations.all {
force("org.apache.kafka:kafka-metadata:" + kafkaVersion)
force("org.apache.kafka:kafka-server:" + kafkaVersion)
force("org.apache.kafka:kafka-raft:" + kafkaVersion)
force("com.fasterxml.jackson.core:jackson-core:" + jacksonVersion)
force("com.fasterxml.jackson.core:jackson-databind:" + jacksonVersion)
force("com.fasterxml.jackson.core:jackson-annotations:" + jacksonVersion)
force("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:" + jacksonVersion)
force("com.fasterxml.jackson.module:jackson-module-scala_" + kafkaScalaVersion + ":" + jacksonVersion)

force("io.netty:netty-codec-http:4.1.129.Final")
force("io.netty:netty-codec-http:4.2.13.Final")
force("io.netty:netty-codec-http2:4.2.13.Final")
force("io.netty:netty-handler-proxy:4.2.13.Final")
force("io.netty:netty-transport-classes-epoll:4.2.13.Final")
force("io.netty:netty-codec-dns:4.2.13.Final")
force("io.netty:netty-all:4.2.13.Final")
force("io.grpc:grpc-netty-shaded:1.75.0")
force("org.apache.commons:commons-lang3:3.18.0")
force("io.vertx:vertx-core:4.5.24")
force("io.vertx:vertx-core:4.5.27")
force("ch.qos.logback:logback-core:1.5.25")
force("ch.qos.logback:logback-classic:1.5.25")
force("com.nimbusds:nimbus-jose-jwt:9.37.4")
force("commons-beanutils:commons-beanutils:1.11.0")
force("org.apache.logging.log4j:log4j-api:2.25.3")
force("org.apache.logging.log4j:log4j-core:2.25.3")
force("org.apache.logging.log4j:log4j-api:2.25.4")
force("org.apache.logging.log4j:log4j-core:2.25.4")
force("org.apache.httpcomponents.core5:httpcore5-h2:5.3.5")
force("org.bouncycastle:bcpkix-jdk18on:1.84")
force("org.bouncycastle:bcprov-jdk18on:1.84")
force("org.bouncycastle:bc-fips:2.1.2")
force("org.apache.zookeeper:zookeeper:3.9.5")
force("org.eclipse.jetty:jetty-http:12.0.33")
force("org.eclipse.jetty:jetty-server:12.0.33")
force("org.eclipse.jetty:jetty-client:12.0.33")
force("org.eclipse.jetty:jetty-io:12.0.33")
force("org.eclipse.jetty:jetty-util:12.0.33")
}
}
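Review bot: the jetty forces at the end of this hunk (`force("org.eclipse.jetty:jetty-server:12.0.33")` and siblings) downgrade whatever resolves 12.1.2 today (the .snyk reasons name the ksqldb test jars) onto the 12.0.x line, while the .snyk text for the same finding says the fix cannot be forced without breaking those test dependencies; one of the two is wrong. If the force does break the ksqldb tests, the 12.1-line versions the .snyk entries name (12.1.6/12.1.7) are the safer target. The Netty change from `4.1.129.Final` to `4.2.13.Final` is likewise a new minor line, forced for `netty-all` and the individual modules alike; since `force` bypasses Gradle conflict resolution, please confirm that vertx-core 4.5.27 and the Micronaut modules pulled in by `micronautVersion` are compatible with Netty 4.2, and say so in the PR.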

@@ -156,7 +176,7 @@ dependencies {
implementation 'org.apache.avro:avro:1.12.1'

// jackson-module-scala
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: '2.20.0'
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.13', version: jacksonVersion

// protobuf
implementation group: "com.google.protobuf", name: "protobuf-java", version: '4.33.0'
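Review bot: this line moves jackson-module-scala_2.13 from an explicit `2.20.0` to `jacksonVersion`, which is 2.19.4 per gradle.properties, so it is a downgrade rather than a plain refactor, and the resolutionStrategy above already forces the same coordinate. Tying it to `jacksonVersion` is the right fix, but the PR should state why 2.20.0 was dropped (presumably to keep core, databind, annotations and module-scala on one patch line) and confirm that `jackson-module-scala_2.13:2.19.4` resolves, since that module has not always shipped for every core patch release.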
6 changes: 3 additions & 3 deletions gradle.properties
@@ -1,6 +1,6 @@
micronautVersion=4.10.1
micronautVersion=4.10.14
confluentVersion=8.1.0
kafkaVersion=4.0.1
kafkaVersion=4.0.2
kafkaScalaVersion=2.13
lombokVersion=1.18.42
jacksonVersion=2.19.2
jacksonVersion=2.19.4
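Review bot: `micronautVersion=4.10.14` is still below the `4.10.22+` that the .snyk reasons for SNYK-JAVA-IOMICRONAUT-16478712 and SNYK-JAVA-IOMICRONAUT-16478697 name as the fixed version for micronaut-inject/micronaut-context 4.10.8, so this bump does not close those findings and both ignores stay in force. Please state in the PR which micronaut-inject version the 4.10.14 BOM actually resolves (the .snyk text still says 4.10.8) and, if 4.10.22 is available on the same 4.10.x line, what blocks going straight to it; otherwise update the two .snyk reasons to the resolved version.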