nicoloboschi opened a new pull request #14629: URL: https://github.com/apache/pulsar/pull/14629
Follow-up of https://github.com/apache/pulsar/pull/14579.

### Motivation

OWASP checker reports this vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-24329 for Kotlin < 1.6.x.

Currently we import Kotlin 1.4.32 from OkHttp3 (see https://github.com/apache/pulsar/pull/13065).

CVE-2022-24329 is rated as mid CVSS level (5.0). Kotlin is used only by the Kubernetes client runtime lib.

Given that:

* Pulsar codebase doesn't have a good coverage for K8S client
* The vulnerability is mid level
* The vulnerability doesn't look relevant for Pulsar

It's safer to add the suppression instead of upgrading it without testing it.

### Modifications

- Add the suppression for Kotlin 1.4.32 for the CVE CVE-2022-24329
- [x] `no-need-doc`
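As an added illustration (not the PR's own diff), this is what an OWASP dependency-check suppression entry for this CVE looks like when scoped narrowly: it matches only the Kotlin stdlib artifacts at exactly 1.4.32, so the finding resurfaces as soon as the dependency is upgraded, and the `until` date forces a periodic re-review. The file path and the date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: src/owasp-dependency-check-suppressions.xml (example, not the PR's diff) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- 'until' makes the suppression expire; the date is an assumption for this example -->
  <suppress until="2022-09-30Z">
    <notes><![CDATA[
      CVE-2022-24329 affects Kotlin < 1.6.x. Kotlin 1.4.32 is pulled in transitively
      via OkHttp3 and is used only by the Kubernetes client runtime lib.
      Not considered relevant for Pulsar; suppressed instead of an untested upgrade.
      Scoped to the exact artifact group and version so that a future upgrade
      (or any other Kotlin version appearing in the tree) is reported again.
    ]]></notes>
    <!-- Match only org.jetbrains.kotlin:kotlin-stdlib* at version 1.4.32 -->
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@1\.4\.32$</packageUrl>
    <cve>CVE-2022-24329</cve>
  </suppress>
</suppressions>
```

Pinning both the package URL and the CVE (rather than suppressing by CPE or by CVE alone) keeps the suppression from silently hiding other Kotlin findings or the same CVE on a different artifact.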
