Vulnerability in debezium/connect:2.7.0.Final


rohit singh

Jun 28, 2024, 11:52:48 AM
to debezium
Hi Team,

I have a Dockerfile which uses the base image debezium/connect:2.7.0.Final.
But when I push it to my Artifactory, it reports 4 high vulnerabilities from "docker-kitchensink-slave-002371ffkc7u3". Can you please help me with how this can be resolved using my custom image, if possible?
FROM debezium/connect:2.7.0.Final

# Set the folder where the libraries will be copied
ENV LIB_FOLDER=/kafka/connect/libs

# Create the folder
RUN mkdir -p $LIB_FOLDER


# Copy the libraries from the local directory
COPY confluentinc-kafka-connect-avro-converter-7.6.0/lib/* $LIB_FOLDER/

RUN rm -rf /kafka/external_libs/apicurio*

# Verify that the libraries have been copied
# RUN ls -l $LIB_FOLDER

jiri.p...@gmail.com

Jul 1, 2024, 4:29:43 AM
to debezium
Hi,

could you please share the list of vulnerabilities? Please mind that they might not come from Debezium as such but from the underlying Kafka Connect too.

Jiri

rohit singh

Jul 1, 2024, 7:04:25 AM
to debezium
Hi Jiri,

Thanks for your reply,

I have attached the document containing all the vulnerabilities.

The image layer from which the libraries with vulnerabilities were added is shown below.

{"created":1719558037,"instruction":"RUN |1 DEBEZIUM_VERSION=2.7.0-SNAPSHOT /bin/sh -c for CONNECTOR in {mysql,mongodb,postgres,sqlserver,oracle,db2,jdbc,spanner,vitess,informix,ibmi}; do     SNAPSHOT_VERSION=$(curl --silent -fSL $MAVEN_OSS_SNAPSHOT/io/debezium/debezium-connector-$CONNECTOR/$DEBEZIUM_VERSION/maven-metadata.xml | awk -F'<[^>]+>' '/<extension>tar.gz<\\/extension>/ {getline; print $2; exit}');     echo \"Downloading and installing debezium-connector-$CONNECTOR-$SNAPSHOT_VERSION-plugin.tar.gz ...\" ;     curl --silent -fSL -o /tmp/plugin.tar.gz                  $MAVEN_OSS_SNAPSHOT/io/debezium/debezium-connector-$CONNECTOR/$DEBEZIUM_VERSION/debezium-connector-$CONNECTOR-$SNAPSHOT_VERSION-plugin.tar.gz &&     echo \"Extracting debezium-connector-$CONNECTOR-$SNAPSHOT_VERSION-plugin.tar.gz ...\" &&     tar -xzf /tmp/plugin.tar.gz -C $KAFKA_CONNECT_PLUGINS_DIR &&     echo \"Successfully installed debezium-connector-$CONNECTOR-$SNAPSHOT_VERSION!\" &&     rm -f /tmp/plugin.tar.gz; done # buildkit","sizeBytes":215217948,"id":"<missing>","emptyLayer":false}


Could you please help me to resolve these vulnerabilities.

List of jar files containing vulnerabilities:

com.google.guava_guava: 30.1.1-jre
com.google.guava_guava: 30.1.1-jre
org.apache.zookeeper_zookeeper: 3.8.3
org.apache.sshd_sshd-common: 2.9.2
guava: 30.1.1.jre
com.google.guava_guava: 31.1-jre
com.google.guava_guava: 31.1-jre
io.netty_netty-codec-http: 4.1.100.Final
twistlock_scans_6_28_24_10_47_07.csv

rohit singh

Jul 1, 2024, 7:08:47 AM
to debezium

rohit singh

Jul 1, 2024, 7:23:51 AM
to debezium
The latest list with the same version is shown below, from our JFrog Artifactory:

Thanks in advance.
Rohit Singh
Screenshot 2024-07-01 at 12.22.57.png

jiri.p...@gmail.com

Jul 2, 2024, 1:59:13 AM
to debezium
Hi,

please create a Jira issue for

* guava and grpc protobuf - these affect the Spanner and Vitess connectors only; if you don't use any of them, then they are not relevant for you

and another for
* sshd-common - this affects the Oracle connector only

The other issues are not fixable by Debezium team as they are part of Kafka Connect.

Thanks

Jiri
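Jiri's answer leads to a practical check for anyone building a custom image on top of debezium/connect: confirm which connector plugin directories actually ship the flagged jars, and then drop the plugin directories for connectors that are not deployed, so the scanner has nothing to flag for them. The following POSIX shell script is an added example, not code from this thread or from the Debezium project. It assumes the layout that the layer shown above implies (each connector tarball extracted into its own debezium-connector-<name>/ directory under $KAFKA_CONNECT_PLUGINS_DIR, which is /kafka/connect in the image); that directory naming is an assumption, so confirm it with `docker run --rm debezium/connect:2.7.0.Final ls /kafka/connect` before relying on it. The sample tree is constructed inline (empty files with jar names taken from the list in this thread) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Debezium project). Maps flagged jars
# to the Kafka Connect plugin directories that contain them, and prunes plugin
# directories for connectors that are not in use. Assumed layout (verify it):
#   /kafka/connect/debezium-connector-<name>/<jars>

# Print the plugin directories (basename, one per line, sorted) under root $1
# that contain a jar matching the find -name pattern $2.
jar_owners() {
    root=$1; pattern=$2
    find "$root" -mindepth 2 -type f -name "$pattern" 2>/dev/null |
        sed "s#^$root/##; s#/.*##" | sort -u
}

# Remove every plugin directory under root $1 whose basename is not in the
# space-separated keep list $2. Use this in a RUN step when building on top of
# the base image, e.g. prune_plugins /kafka/connect "debezium-connector-postgres".
prune_plugins() {
    root=$1; keep=$2
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case " $keep " in
            *" $name "*) ;;              # connector in use: keep it
            *) rm -rf "$dir" ;;          # unused connector: drop it and its jars
        esac
    done
}

# Constructed sample tree standing in for /kafka/connect. The jar versions are
# the ones listed in this thread; the files are empty placeholders.
make_sample_tree() {
    root=$1
    for c in postgres spanner vitess oracle; do
        mkdir -p "$root/debezium-connector-$c"
    done
    : > "$root/debezium-connector-spanner/guava-31.1-jre.jar"
    : > "$root/debezium-connector-vitess/guava-30.1.1-jre.jar"
    : > "$root/debezium-connector-oracle/sshd-common-2.9.2.jar"
    : > "$root/debezium-connector-postgres/debezium-connector-postgres-2.7.0.Final.jar"
}

# Stand-alone demonstration: report owners of the flagged jars, then prune
# everything except the Postgres connector and report again.
if [ "${DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "guava owners:";       jar_owners "$tmp" 'guava-*.jar'
    echo "sshd-common owners:"; jar_owners "$tmp" 'sshd-common-*.jar'
    prune_plugins "$tmp" "debezium-connector-postgres"
    echo "after pruning:";      ls "$tmp"
    rm -rf "$tmp"
fi
```

Run it against the real image with something like `docker run --rm debezium/connect:2.7.0.Final find /kafka/connect -name 'guava-*.jar'` to confirm the owners before pruning. Note what pruning does and does not fix: removing the Spanner, Vitess and Oracle plugin directories removes the guava, grpc/protobuf and sshd-common findings from your image only because those connectors are gone, not because the libraries were patched, and the zookeeper and netty findings belong to Kafka Connect itself, so they stay until a base image with a newer Kafka Connect is published.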

rohit singh

Jul 2, 2024, 12:11:16 PM
to debezium
Hi Jiri,

I have created the Jira Issue for the same.

Below is the link:


Let me know if you need anything from my side.

Thanks for your help.

Regards
Rohit Singh


