Update Kotlib Lib to 1.6.10, to address https://nvd.nist.gov/vuln/detail/CVE-2022-24329 #14579
eolivelli wants to merge 2 commits into apache:master from
Conversation
@codelipenghui this is a newly reported CVE.
nicoloboschi left a comment
org.jetbrains.kotlin-kotlin-stdlib-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-common-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar mentioned in LICENSE, but not bundled
@eolivelli you have to update LICENSE files
The main concern is possible breaking changes. Kotlin stdlib was introduced in #13065. It's a transitive dependency of the OkHttp3 / Okio libraries. Has anyone checked the Kotlin release notes to see whether it's fine to replace Kotlin stdlib 1.4.x with 1.6.x?
@lhotari I totally share your point. In any case we don't have any other possibility (it looks like the 1.4 branch is not very active and Kotlin has moved forward with 2 major releases). So I suggest committing this patch as soon as possible; this way we will have time to see regressions when people use the master branch for testing.
OkHttp3 is used by the io.kubernetes:client-java library, which is used by the Pulsar Functions Kubernetes Runtime. We don't have many tests for that in Pulsar CI. That's why I suggested checking the Kotlin release notes to find out whether it's fine to replace Kotlin stdlib 1.4.x with 1.6.x.
This is the Kotlin changelog. It's honestly complex to predict issues due to the upgrade.
The CVE is rated as medium, with a 5.0 score.
I would prefer to add an exclusion for now instead of committing the upgrade without proper testing, and then upgrade Kotlin at the same time we upgrade Okio and OkHttp3.
Note that we have to cherry-pick this change to the 2.9 branch also.
I agree with @nicoloboschi
Motivation
OWASP checker reports this vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
Modifications
Update Kotlib Lib to 1.6.10, to address https://nvd.nist.gov/vuln/detail/CVE-2022-24329
Verifying this change
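The two options discussed in the thread, as an added example that is not part of this PR or of the Pulsar build files: a Maven `dependencyManagement` pin that forces every transitive Kotlin stdlib artifact pulled in by OkHttp3/Okio to the fixed release (the "Modifications" path), and, as the deferred alternative nicoloboschi suggests, an OWASP dependency-check suppression that records the finding instead of upgrading. The artifact coordinates come from the jar names in the LICENSE check output above and the version from the PR title; the `kotlin.version` property name, the suppression file and its `notes` text are assumptions.

```xml
<!-- pom.xml fragment (illustrative, not Pulsar's own build):
     pin the transitive Kotlin stdlib artifacts to one fixed release so that every
     module resolves the same version rather than whatever OkHttp3/Okio declare. -->
<properties>
  <!-- version taken from the PR title; the property name is an assumption -->
  <kotlin.version>1.6.10</kotlin.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- coordinates match the four jars reported by the LICENSE check -->
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-common</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-jdk7</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-jdk8</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Deferred alternative (separate file, e.g. a dependency-check suppressions file;
     its name and location are assumptions): keep the current stdlib and suppress the
     finding for this CVE only, with a note explaining why so it is revisited when
     Okio/OkHttp3 are upgraded. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>CVE-2022-24329 (medium, 5.0): Kotlin stdlib is a transitive dependency of
           OkHttp3/Okio; upgrade deferred until those libraries are upgraded together.</notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
    <cve>CVE-2022-24329</cve>
  </suppress>
</suppressions>
```

With the pin in place, `mvn dependency:tree -Dincludes=org.jetbrains.kotlin` shows which version each module actually resolves, which is the quickest way to confirm no 1.4.x copy is still reaching the distribution; the LICENSE accounting check in the thread must then be updated to list the 1.6.10 jars in place of the 1.4.32 ones. The suppression is scoped to the single CVE and to the stdlib artifacts only, so any new finding against the same jars still surfaces.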