Re: Question about Critical Security Findings in kafka-exporter dependency in Strimzi images
I'm not really a Golang expert. As for CVE-2022-23806, crypto functions will be used by the Kafka Exporter where mTLS is used. CVE-2021-38297 seems to suggest it applies only to WASM modules, in which case I wonder whether it applies here. But obviously it will show up in scanners anyway.
Did you raise it on the Kafka Exporter project as well? There has not been much development going on, but there were occasional releases happening there. The last commit seems to be from January. In general, we tend to rely on the binaries provided by the other projects, because having our own build of something like this requires a lot of time (CI, updates, know-how etc.). But if there is no new release with a fix, we might need to decide whether we want to fork it to maintain our own build or find some other project for exporting the consumer lag.
Thanks & Regards
On Wed, Jun 22, 2022 at 4:13 PM kerstin.maier via lists.cncf.io <kerstin.maier=mercedes-benz.com@...> wrote: