
fix(dataflow): CVEs related to com.microsoft.azure:adal4j #5458

Merged
merged 1 commit into from Mar 19, 2024

Conversation

lc525
Member

@lc525 lc525 commented Mar 18, 2024

com.microsoft.azure:adal4j is a deprecated library, and an optional dependency of io.kubernetes:client-java.

However, when building fat-jars, gradle and the "shadow" plugin fetch all transitive dependencies, including optional ones (i.e. ones which are not used).

In this case, we don't use any of the code in adal4j via io.kubernetes.

UNTESTED with confluent cloud due to external issue.

This shouldn't make a difference; we are using MS Entra ID for OAUTHBEARER auth, and MS AD (Active Directory) was the previous name for that.

adal4j is a deprecated library handling interactions with MS AD.

However, we shouldn't need to use it via k8s. Rather, the kafka streams library will make the right HTTP calls to Entra ID to fetch a token.

So this should be unrelated, but it would be good to make sure. Marked as draft because of not being able to test with Confluent Cloud yet.

com.microsoft.azure:adal4j is a deprecated library, and an _optional_ dependency
of io.kubernetes:client-java.

However, when building fat-jars, gradle and the "shadow" plugin fetch all
transitive dependencies, including optional ones (i.e. ones which are not used).

In this case, we don't use any of the code in adal4j via io.kubernetes.
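One way to keep the optional adal4j dependency out of a shadow fat-jar and to verify that it stayed out, as an added illustration that is not this PR's diff or the project's build script. It assumes the Gradle Groovy DSL, that adal4j classes live under the `com.microsoft.aad.adal4j` package, and placeholder versions for client-java and the shadow plugin.

```groovy
// build.gradle (Groovy DSL). Versions below are placeholders, not the project's.
plugins {
    id 'java'
    id 'com.github.johnrengelman.shadow' version 'SHADOW_PLUGIN_VERSION_PLACEHOLDER'
}

dependencies {
    // Exclude the deprecated optional dependency at the declaration site so the
    // shadow plugin never sees it in the runtime classpath it bundles.
    implementation('io.kubernetes:client-java:CLIENT_JAVA_VERSION_PLACEHOLDER') {
        exclude group: 'com.microsoft.azure', module: 'adal4j'
    }
}

// Guard task: fail the build if any adal4j class still lands in the fat-jar,
// e.g. if another dependency re-introduces it transitively.
tasks.register('checkNoAdal4j') {
    dependsOn tasks.named('shadowJar')
    doLast {
        def jar = tasks.shadowJar.archiveFile.get().asFile
        // Assumed package path of adal4j classes inside the jar.
        def leaked = zipTree(jar).matching { include 'com/microsoft/aad/adal4j/**' }.files
        if (!leaked.isEmpty()) {
            throw new GradleException("adal4j classes found in ${jar.name}: ${leaked.size()} files")
        }
        println "OK: no adal4j classes in ${jar.name}"
    }
}
```

Running `gradle checkNoAdal4j` after the change gives a repeatable check that the CVE-affected classes are absent from the shipped artifact.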
@lc525 lc525 added the v2 label Mar 18, 2024
@sakoush sakoush marked this pull request as ready for review March 19, 2024 16:07
@sakoush sakoush self-requested a review as a code owner March 19, 2024 16:07
Member

@sakoush sakoush left a comment

lgtm, we will do more testing with CC post-merge.

@sakoush sakoush merged commit c5421c3 into SeldonIO:v2 Mar 19, 2024
5 checks passed