
ASP-1893: Fix security vulnerabilities in kstreams-app-version-checker and kafka-topic-creator#48

Merged
suresh-prakash merged 3 commits into main from upgrade_plugin_versions on Apr 16, 2026

Conversation

@suresh-prakash suresh-prakash commented Apr 16, 2026

Contributor

Summary

Fixes critical and high severity CVEs in both images built from this repo by upgrading base images, dependencies, and build toolchain.

kstreams-app-version-checker

  • Alpine: 3.20 → 3.23 (patches OpenSSL to 3.3.7+ and curl to 8.14.1+)
  • kubectl: v1.28.14 → v1.35.4 (latest stable, compiled with patched Go)

kafka-topic-creator

  • Go: 1.22.7 → 1.26.2 (latest stable, fixes Go stdlib CVEs)

Build plugins

  • org.hypertrace.repository-plugin: 0.4.0 → 0.5.0
  • org.hypertrace.docker-plugin: 0.9.9 → 0.11.3
  • org.hypertrace.docker-publish-plugin: 0.9.9 → 0.11.3

CVEs Addressed

| Dependency | CVEs | Severity |
|---|---|---|
| Go stdlib (kubectl + kafka-topic-creator) | CVE-2025-68121 | CRITICAL (10.0) |
| Go stdlib (kubectl + kafka-topic-creator) | CVE-2025-61729, CVE-2025-61726, CVE-2025-61723, CVE-2025-58187, CVE-2025-58188, CVE-2025-47907, CVE-2026-25679, CVE-2026-32280, CVE-2026-32282 | HIGH |
| OpenSSL (Alpine) | CVE-2025-15467, CVE-2026-31790, CVE-2026-28390, CVE-2026-28389, CVE-2026-28388, CVE-2025-9230, CVE-2025-69421, CVE-2025-69420, CVE-2025-69419 | HIGH |
| curl (Alpine) | CVE-2025-9086, CVE-2025-5399 | HIGH |

Follow-up

After this is merged and new image versions are published, update helm/Chart.yaml in the consuming repos (activity-event-service, api-anomaly-detection, api-naming, insights) to reference the new chart version.

Jira: ASP-1893
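A post-merge version check against the floors this PR states, added here as an illustration and not taken from the PR or the repository. The component values it checks are constructed samples, and the docker commands in the comments are assumed ways of reading the real values from the rebuilt images.

```shell
#!/bin/sh
# Added post-upgrade check (not from the PR or the repo): confirm that the
# component versions present in the rebuilt images meet the floors this PR
# states. In practice feed it output gathered from the images, e.g. (assumed):
#   docker run --rm <image> sh -c 'cat /etc/alpine-release; openssl version; curl --version'
#   docker run --rm <image> kubectl version --client
# The values in verify_sample below are constructed samples, not real output.

# version_ge A B: succeed if dotted version A >= B, comparing numeric
# components left to right. A leading "v" (kubectl style) is ignored,
# non-numeric suffixes such as "-r0" are dropped, and missing trailing
# components count as 0 (so 1.26 == 1.26.0).
version_ge() {
    a=${1#v}; b=${2#v}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_floor NAME ACTUAL FLOOR: report, and fail when ACTUAL is below FLOOR.
check_floor() {
    if version_ge "$2" "$3"; then
        printf 'PASS %-8s %s (floor %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf 'FAIL %-8s %s is below floor %s\n' "$1" "$2" "$3" >&2
    return 1
}

# verify_sample: floors are the versions named in the PR; the actual values
# are constructed samples. Exit status = number of components below floor.
verify_sample() {
    fails=0
    check_floor alpine  3.23.0  3.23   || fails=$((fails + 1))
    check_floor openssl 3.3.7   3.3.7  || fails=$((fails + 1))
    check_floor curl    8.14.1  8.14.1 || fails=$((fails + 1))
    check_floor kubectl v1.35.4 1.35.4 || fails=$((fails + 1))
    check_floor go      1.26.2  1.26.2 || fails=$((fails + 1))
    return "$fails"
}
```

Replace the sample values in verify_sample with the strings read from the images (or from the Trivy report the PR mentions) to turn this into a CI gate.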

Fixes security vulnerabilities (CVE-2025-68121, CVE-2025-15467, etc.)
in the kstreams-app-version-checker image by upgrading:
- Alpine: 3.20 → 3.23 (patches OpenSSL 3.3.7+ and curl 8.14.1+)
- kubectl: v1.28.14 → v1.35.4 (compiled with Go ≥1.24.13)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@suresh-prakash suresh-prakash changed the title from "Update plugin versions in build.gradle.kts" to "ASP-1893: Fix security vulnerabilities in kstreams-app-version-checker" on Apr 16, 2026
Fixes Go stdlib CVEs (CVE-2025-68121, CVE-2025-61726, CVE-2026-25679,
CVE-2026-32280, etc.) flagged by Trivy scan in CI.

- Dockerfile: golang 1.22.7 → 1.26.2
- go.mod: go 1.22.7 → 1.26.2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@suresh-prakash suresh-prakash changed the title from "ASP-1893: Fix security vulnerabilities in kstreams-app-version-checker" to "ASP-1893: Fix security vulnerabilities in kstreams-app-version-checker and kafka-topic-creator" on Apr 16, 2026
@suresh-prakash suresh-prakash merged commit 0a7b8c2 into main Apr 16, 2026
3 checks passed
@suresh-prakash suresh-prakash deleted the upgrade_plugin_versions branch April 16, 2026 13:00