Hi Bernd,

I'm not a big fan of all the automated tests like Dependabot, Sonar, Snyk, etc. IMHO, it's better to run them on demand/manually.
Anyway, back to the point: I don't see an issue with the RSA Karaf features in regard to the Karaf version used: https://github.com/apache/aries-rsa/blob/master/features/src/main/resources/features.xml

Here, the features repository doesn't mention the Karaf features repositories, so it works with any Karaf version at runtime, from 4.0.x to 4.3.x. The Karaf version is used to verify the features repository and run tests. So, not a vulnerability issue in the distribution or at runtime.

About ZooKeeper and other dependencies, I'm part of the committer duty to verify the dependencies (in Karaf, SMX or other projects, I have my own tool/script to do that; I don't work on Aries RSA).

To summarize, I don't see an issue with Aries RSA in regard to the Karaf version.

Regards
JB

On Tue, Apr 5, 2022 at 3:13 AM Bernd Eckenfels <e...@zusammenkunft.net> wrote:
>
> Hello,
>
> I got a lot of security issues for Karaf 4.0.4 (mostly the embedded Tomcat)
> reported by the Snyk scan service for the Aries RSA dependency (feature/pom.xml).
> Snyk claims it is fixed with Karaf 4.1.1. I understand that this minimum
> version is mostly to be compatible with older Karaf versions' API.
>
> So I wonder, do you have a policy on when to bump those versions, especially
> if the existing ones have known vulnerabilities? It's not so much an
> issue of the delivery, I guess, given that users would have to pick unsafe
> old Karaf versions and can easily deploy into an up-to-date container, if I
> see that correctly? But it does somewhat endorse known-bad versions.
>
> I have here in our 'fork' the open Snyk reports (not sure if they all apply
> to upstream master, but they do apply to feature/pom.xml (Karaf 4.0.4)):
> https://github.com/seeburger-ag/aries-rsa/pulls
>
> Is it also an option to enable that directly on the ASF repo?
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
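The distinction JB draws above (the Karaf version in the build pom is only used to verify and test the features repository, whereas what a container resolves at runtime is what the features.xml itself references) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the Aries RSA project, and the two features.xml documents embedded in it are constructed samples, not the real Aries RSA file. It parses a Karaf features.xml, reports any `<repository>` import that pins a Karaf features repository by Maven coordinate (the kind of hard pin that would carry a container version into every runtime installation), and lists the bundle coordinates the features actually install, which is the set a dependency scanner should be judging. Bundle URLs with non-`mvn:` prefixes (e.g. `wrap:`) are skipped, as noted in the code.

```python
"""Check a Karaf features.xml for hard pins on a Karaf features repository.

A features repository is independent of the container version when it does
not <repository>-import Karaf's own feature repositories
(mvn:org.apache.karaf.features/...). If it does, the version in that mvn: URL
is resolved at runtime by every container that installs the feature, not just
by the build that verifies it. Added example; not Aries RSA project code.
"""
import re
import xml.etree.ElementTree as ET

# Maven coordinate form used in Karaf URLs:
#   mvn:groupId/artifactId/version[/type[/classifier]]
MVN_URL = re.compile(r"^mvn:([^/]+)/([^/]+)/([^/]+)(?:/([^/]+))?(?:/([^/]+))?$")
KARAF_GROUP_PREFIX = "org.apache.karaf"


def _local(tag):
    """Strip the XML namespace so matching works for any features schema version."""
    return tag.rsplit("}", 1)[-1]


def _mvn_coordinate(url):
    """Return (groupId, artifactId, version) for a plain mvn: URL, else None.

    Prefixed URLs such as wrap:mvn:... are deliberately not parsed here.
    """
    m = MVN_URL.match(url.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def karaf_repository_pins(xml_text):
    """List (groupId, artifactId, version) of <repository> imports from Karaf."""
    root = ET.fromstring(xml_text)
    pins = []
    for el in root.iter():
        if _local(el.tag) != "repository":
            continue
        coord = _mvn_coordinate(el.text or "")
        if coord and coord[0].startswith(KARAF_GROUP_PREFIX):
            pins.append(coord)
    return pins


def bundle_coordinates(xml_text):
    """Sorted, de-duplicated (groupId, artifactId, version) of every <bundle>."""
    root = ET.fromstring(xml_text)
    coords = set()
    for el in root.iter():
        if _local(el.tag) == "bundle":
            coord = _mvn_coordinate(el.text or "")
            if coord:
                coords.add(coord)
    return sorted(coords)


# Constructed sample: a self-contained features repository (no Karaf import).
SELF_CONTAINED = """<?xml version="1.0" encoding="UTF-8"?>
<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="example-rsa">
  <feature name="example-rsa-core" version="1.0.0">
    <bundle>mvn:org.example.rsa/core/1.0.0</bundle>
    <bundle dependency="true">mvn:org.example.discovery/client/2.1.0</bundle>
  </feature>
</features>
"""

# Constructed sample: the same feature, but importing a Karaf features
# repository at a fixed version. The hypothetical 4.0.4 here is the pin a
# scanner would flag, and it binds every runtime install to that repository.
PINNED = """<?xml version="1.0" encoding="UTF-8"?>
<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="example-rsa">
  <repository>mvn:org.apache.karaf.features/standard/4.0.4/xml/features</repository>
  <feature name="example-rsa-core" version="1.0.0">
    <feature>scr</feature>
    <bundle>mvn:org.example.rsa/core/1.0.0</bundle>
    <bundle dependency="true">mvn:org.example.discovery/client/2.1.0</bundle>
  </feature>
</features>
"""


if __name__ == "__main__":
    for label, doc in (("self-contained", SELF_CONTAINED), ("pinned", PINNED)):
        pins = karaf_repository_pins(doc)
        print(f"{label}: Karaf repository pins = {pins or 'none'}")
        for g, a, v in bundle_coordinates(doc):
            print(f"  installs {g}:{a}:{v}")
```

Run it against a real features.xml by reading the file into `karaf_repository_pins`; an empty result means the features repository carries no container-version pin of its own, and the versions worth scanning are the ones returned by `bundle_coordinates`, not the Karaf version in the build pom.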