Try to fix transitive dependency conflict issue introduced at bom consumers.

.github/workflows/trivy-dependency-scan.yml

@@ -0,0 +1,37 @@
+name: Trivy Dependency Scan
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'kafka-bom/build.gradle.kts'
+      - '.github/workflows/trivy-dependency-scan.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_READ_USER }}
+          password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
+
+      - name: Build with Gradle
+        uses: hypertrace/github-actions/gradle@main
+        with:
+          args: assemble dockerBuildImages
+
+      - name: Run Trivy vulnerability scanner
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/kafka-streams-framework
+          output-mode: github

build.gradle.kts

@@ -9,6 +9,7 @@ plugins {
   id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false
   id("org.hypertrace.code-style-plugin") version "2.1.2" apply false
   id("org.owasp.dependencycheck") version "12.1.3"
+  id("org.hypertrace.docker-java-application-plugin") version "0.11.3" apply false
 }
 
 subprojects {
@@ -28,14 +29,13 @@ subprojects {
     }
   }
 
-  // Handle lz4-java redirect capability conflict:
-  // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
-  // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
-  // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
+  // Replace org.lz4:lz4-java with at.yawk.lz4:lz4-java to handle Sonatype relocation
+  // This MUST be in each consuming repo - BOMs cannot enforce this automatically
   configurations.all {
-    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
-      select("at.yawk.lz4:lz4-java:1.8.1")
-      because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
+    resolutionStrategy.dependencySubstitution {
+      substitute(module("org.lz4:lz4-java"))
+        .using(module("at.yawk.lz4:lz4-java:1.10.1"))
+        .because("org.lz4:lz4-java has been relocated to at.yawk.lz4:lz4-java to fix CVE-2025-12183")
     }
   }
 }

kafka-bom/build.gradle.kts

@@ -3,8 +3,7 @@ plugins {
   id("org.hypertrace.publish-plugin")
 }
 
-
-var confluentVersion = "7.7.0"
+var confluentVersion = "7.9.5"
 var confluentCcsVersion = "$confluentVersion-ccs"
 var protobufVersion = "3.25.8"
 
@@ -25,10 +24,6 @@ dependencies {
     api("org.apache.commons:commons-lang3:3.18.0") {
       because("CVE-2025-48924 is fixed in 3.18.0")
     }
-    api("org.lz4:lz4-java:1.8.1") {
-      because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0")
-      because("CVE-2025-12183 is fixed in 1.8.1")
-    }
 
     api("io.confluent:kafka-streams-avro-serde:$confluentVersion")
     api("io.confluent:kafka-protobuf-serializer:$confluentVersion")

kafka-streams-framework/build.gradle.kts

@@ -4,6 +4,7 @@ plugins {
   id("org.hypertrace.publish-plugin")
   id("org.hypertrace.jacoco-report-plugin")
   id("org.hypertrace.avro-plugin")
+  id("org.hypertrace.docker-java-application-plugin")
 }
 
 tasks.test {