diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml
new file mode 100644
index 0000000..1fc9e89
--- /dev/null
+++ b/.github/workflows/trivy-dependency-scan.yml
@@ -0,0 +1,37 @@
+name: Trivy Dependency Scan
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - 'kafka-bom/build.gradle.kts'
+ - '.github/workflows/trivy-dependency-scan.yml'
+
+jobs:
+ build:
+ runs-on: ubuntu-22.04
+ steps:
+ # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
+ - name: Check out code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.pull_request.head.ref}}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+ fetch-depth: 0
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_READ_USER }}
+ password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
+
+ - name: Build with Gradle
+ uses: hypertrace/github-actions/gradle@main
+ with:
+ args: assemble dockerBuildImages
+
+ - name: Run Trivy vulnerability scanner
+ uses: hypertrace/github-actions/trivy-image-scan@main
+ with:
+ image: hypertrace/kafka-streams-framework
+ output-mode: github
\ No newline at end of file
diff --git a/build.gradle.kts b/build.gradle.kts
index 5013857..ed6c2d5 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -9,6 +9,7 @@ plugins {
 id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false
 id("org.hypertrace.code-style-plugin") version "2.1.2" apply false
 id("org.owasp.dependencycheck") version "12.1.3"
+ id("org.hypertrace.docker-java-application-plugin") version "0.11.3" apply false
 }
 
 subprojects {
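Review bot: The `paths` filter on the `pull_request` trigger only fires for `kafka-bom/build.gradle.kts` and the workflow itself, yet the image it scans is `hypertrace/kafka-streams-framework`, whose resolved dependency set is also shaped by the root `build.gradle.kts` (where this same commit places the lz4 substitution under `subprojects`) and, presumably, `kafka-streams-framework/build.gradle.kts`, so a change to either ships without a scan. Adding `- 'build.gradle.kts'` and `- 'kafka-streams-framework/build.gradle.kts'` to the list closes that gap. `ref: ${{github.event.pull_request.head.ref}}` checks out a branch name, which can move between the trigger and the checkout, so the scanned tree may not be the commit that opened the run; `ref: ${{ github.event.pull_request.head.sha }}` pins it. The two `hypertrace/github-actions/...@main` references float on a branch, so any change pushed there runs in this job immediately; pinning them to a full commit SHA keeps the scan reproducible and auditable. There is also no `permissions:` block, so the job inherits the repository's default token scope; `permissions: contents: read` at the top would state the least privilege it needs, assuming `output-mode: github` does not require more.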
@@ -28,14 +29,13 @@ subprojects {
 }
 }
 
- // Handle lz4-java redirect capability conflict:
- // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
- // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
- // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
+ // Replace org.lz4:lz4-java with at.yawk.lz4:lz4-java to handle Sonatype relocation
+ // This MUST be in each consuming repo - BOMs cannot enforce this automatically
 configurations.all {
- resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
- select("at.yawk.lz4:lz4-java:1.8.1")
- because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
+ resolutionStrategy.dependencySubstitution {
+ substitute(module("org.lz4:lz4-java"))
+ .using(module("at.yawk.lz4:lz4-java:1.10.1"))
+ .because("org.lz4:lz4-java has been relocated to at.yawk.lz4:lz4-java to fix CVE-2025-12183")
 }
 }
 }
diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts
index da8deda..dc4c48b 100644
--- a/kafka-bom/build.gradle.kts
+++ b/kafka-bom/build.gradle.kts
@@ -3,8 +3,7 @@ plugins {
 id("org.hypertrace.publish-plugin")
 }
 
-
-var confluentVersion = "7.7.0"
+var confluentVersion = "7.9.5"
 var confluentCcsVersion = "$confluentVersion-ccs"
 var protobufVersion = "3.25.8"
 
@@ -25,10 +24,6 @@ dependencies {
 api("org.apache.commons:commons-lang3:3.18.0") {
 because("CVE-2025-48924 is fixed in 3.18.0")
 }
- api("org.lz4:lz4-java:1.8.1") {
- because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0")
- because("CVE-2025-12183 is fixed in 1.8.1")
- }
 api("io.confluent:kafka-streams-avro-serde:$confluentVersion")
 api("io.confluent:kafka-protobuf-serializer:$confluentVersion")
 
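Review bot: The substitution in `configurations.all` rewrites every requested `org.lz4:lz4-java` to a hard-pinned `at.yawk.lz4:lz4-java:1.10.1`, and nothing fails for a consumer that lacks it: with the BOM entry dropped in `kafka-bom/build.gradle.kts`, such a consumer appears to fall back to Kafka's transitive `org.lz4:lz4-java:1.8.0`, the version the removed comment names as affected by CVE-2025-12183, and resolution succeeds silently. The new comment also loses the explanation the old one carried (the Sonatype redirect and the shared capability), which is what a maintainer needs to judge when this block can be retired; I would extend it to `// Sonatype redirects org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java (CVE-2025-12183); Kafka still pulls org.lz4:lz4-java:1.8.0 transitively, so every request for it is substituted here.` Hoisting the literal into a top-level `val lz4JavaVersion = "1.10.1"` would make the next bump a one-line change and keep the pinned version easy to spot in review. The enclosing `subprojects {` block starts outside the hunk.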
diff --git a/kafka-streams-framework/build.gradle.kts b/kafka-streams-framework/build.gradle.kts
index cc9fd3d..ac88463 100644
--- a/kafka-streams-framework/build.gradle.kts
+++ b/kafka-streams-framework/build.gradle.kts
@@ -4,6 +4,7 @@ plugins {
 id("org.hypertrace.publish-plugin")
 id("org.hypertrace.jacoco-report-plugin")
 id("org.hypertrace.avro-plugin")
+ id("org.hypertrace.docker-java-application-plugin")
 }
 
 tasks.test {