Question about Critical Security Findings in kafka-exporter dependency in Strimzi images


kerstin.maier@...
 

Hi,
we do regular automatic security scans for the Strimzi images we use in our organization, and the latest images always have a few CRITICAL findings in our security scan. At the moment these are
NVD - CVE-2021-38297 (nist.gov) and NVD - CVE-2022-23806 (nist.gov).

We took a look at where this is coming from, and it seems it's because the latest Kafka Exporter release 1.4.2 (from September 21st, 2021) still comes with Go 1.17.1:
https://github.com/danielqsj/kafka_exporter/tags

Looking at the GitHub repo of Kafka Exporter, it doesn't look as if anybody is actively working on this repo anymore at the moment. We are wondering, are there any plans from Strimzi to deal with such dependencies that aren't regularly updated?
I assume many projects do regular security scans of their images, and if some dependencies aren't updated regularly or at all anymore, the critical findings won't disappear.

Thanks,
Kerstin
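The post traces both findings to the Go toolchain the kafka_exporter binary was built with rather than to the exporter's own code. The following is an added example (not code from the post, from Strimzi or from the kafka_exporter project) of how to confirm that diagnosis yourself: it reads the toolchain version embedded in a Go binary (the same value `go version -m <binary>` prints) and compares it against the first patched release on each minor line. The binary path `kafka_exporter` and the per-CVE fix versions are assumptions supplied for the example; take the fix versions from the Go advisory for each CVE before relying on them.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Fix records, for one advisory, the first patched release on each Go minor line.
type Fix struct {
	CVE     string
	FixedIn []string // e.g. "go1.16.9", "go1.17.2"
}

// ToolchainVersion returns the Go version recorded in a binary's build metadata
// (e.g. "go1.17.1"); this is what image scanners key the stdlib CVEs on.
func ToolchainVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// parseGoVersion turns "go1.17.1" (or "go1.17") into [major minor patch].
// Pre-release and "devel" strings are rejected because they cannot be ordered.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// Affected reports whether a binary built with goVersion still carries the
// vulnerable toolchain. On a minor line that received a fix, the patch number
// decides. A minor line older than every listed fix never got one (affected);
// a minor line newer than every listed fix shipped with the fix (not affected).
func Affected(goVersion string, fix Fix) (bool, error) {
	have, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	newestFixMinor := -1
	for _, f := range fix.FixedIn {
		want, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if want[1] > newestFixMinor {
			newestFixMinor = want[1]
		}
		if want[0] == have[0] && want[1] == have[1] {
			return have[2] < want[2], nil
		}
	}
	return have[1] < newestFixMinor, nil
}

func main() {
	// Assumed fix versions for the two CVEs named in the post; confirm against
	// the Go advisory text before relying on them.
	fixes := []Fix{
		{CVE: "CVE-2021-38297", FixedIn: []string{"go1.16.9", "go1.17.2"}},
		{CVE: "CVE-2022-23806", FixedIn: []string{"go1.16.14", "go1.17.7"}},
	}
	path := "kafka_exporter" // assumed: binary copied out of the exporter image
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	v, err := ToolchainVersion(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(path, "was built with", v)
	for _, f := range fixes {
		hit, err := Affected(v, f)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: affected=%v (fixed in %s)\n", f.CVE, hit, strings.Join(f.FixedIn, ", "))
	}
}
```

Run it as `go run . /path/to/kafka_exporter` after extracting the binary from the image (for example with `docker cp` from a stopped container). If the reported toolchain is older than the fix on its minor line, the finding is real regardless of whether the exporter code calls the affected package, and the only remediation is a rebuild with a newer Go, which is exactly the upstream-maintenance question the post raises.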
