Vulnerability report on dependency: com.squareup.okhttp3/logging-interceptor

[heruan]

We have received a notification for a vulnerability in our project using spring-cloud-kubernetes-fabric8-config:jar:3.1.3. Details follow.

Vulnerabilities in: pkg:maven/com.squareup.okhttp3/logging-interceptor@3.12.12 [CVE-2023-0833] (owasp)

+- com.vaadin:control-center-starter:jar:1.0-SNAPSHOT:compile
|  \- org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config:jar:3.1.3:compile
|     \- org.springframework.cloud:spring-cloud-kubernetes-fabric8-config:jar:3.1.3:compile
|        +- io.fabric8:kubernetes-client:jar:6.9.2:compile
|        |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.9.2:runtime
|        |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:runtime 

currently there is not released version from io.fabric8:kubernetes-client with fixes on the reported dependency.

[heruan]

Upstream reference: fabric8io/kubernetes-client#6344

[heruan]

Fabric8 Kubernetes 7.0.0 has been released, but it looks like it missed Spring Cloud Kubernetes 3.2.0. Any chance to have the bump still in 3.2?

[ryanjbaxter]

No we cannot make a major change to a dependency in a minor of sc-kubernetes. We would need to do this in a major. We could ask them to backport it to the version of fabric8 we are using in 3.2 and see if they will do a release, then we can pick that up.

[heruan]

Thanks for the feedback! So upgrade to Fabric8 Kubernetes 7.0 has to wait for Spring Cloud Kubernetes 4.0?

Frameworks like Java Operator SDK are adopting Fabric8 Kubernetes 7.0 already and an estimation for this to happen in Spring Cloud would be useful to lay out roadmaps for projects using both.

[ryanjbaxter]

The current plan is to have a GA release of our next major in November. See https://spring.io/blog/2024/10/01/from-spring-framework-6-2-to-7-0

[ryanjbaxter]

We ended up having to upgrade to Fabric8 7.0.x for 3.2.0 due to jackson compatibility issues. See #1924