Vulnerability in the adl4j dependency #3096

Open
NikolayMetchev opened this issue Feb 19, 2024 · 5 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.

Comments

@NikolayMetchev

Describe the bug
It appears you are using an archived version of adl4j which has a vulnerability: AzureAD/azure-activedirectory-library-for-java#309
It seems you need to upgrade to this library:
https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk

The downstream vulnerabilities:
https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748
https://security.snyk.io/vuln/SNYK-JAVA-COMNIMBUSDS-6247633

Client Version
20.0.0

Kubernetes Version
N/A

Java Version
17

To Reproduce
Run a vulnerability scan

Expected behavior
A clean vulnerability scan

KubeConfig
N/A

Server (please complete the following information):
N/A

Additional context
N/A
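
The "Run a vulnerability scan" step above boils down, for this report, to finding which dependency paths pull the archived `adal4j` and its transitive `net.minidev:json-smart` / `com.nimbusds:nimbus-jose-jwt` artifacts into a build. The following Python script is an added example, not code from the reporter or from kubernetes-client/java: it parses `mvn dependency:tree` output and reports the path from the project root to each flagged artifact, plus the direct dependency through which it arrives. The tree text and every version number in it are constructed placeholders, not the real resolved graph of client 20.0.0.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `mvn dependency:tree` output (not the real resolved
# graph of any kubernetes-client/java release): versions are placeholders
# chosen only to exercise the parser.
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- io.kubernetes:client-java:jar:20.0.0:compile
[INFO] |  +- io.kubernetes:client-java-api:jar:20.0.0:compile
[INFO] |  +- com.microsoft.azure:adal4j:jar:1.6.7:compile
[INFO] |  |  +- com.nimbusds:oauth2-oidc-sdk:jar:6.5:compile
[INFO] |  |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  |  \\- com.nimbusds:nimbus-jose-jwt:jar:8.2:compile
[INFO] |  |  |     \\- net.minidev:json-smart:jar:2.3:compile
[INFO] |  |  \\- com.google.code.gson:gson:jar:2.10.1:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk18on:jar:1.76:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# group:artifact keys to look for: the archived adal4j itself plus the two
# transitive artifacts named in the Snyk advisories in the report.
FLAGGED = {
    "com.microsoft.azure:adal4j",
    "net.minidev:json-smart",
    "com.nimbusds:nimbus-jose-jwt",
}

# One tree line: "[INFO] " + indentation in 3-char cells ("|  " or "   ")
# + optional connector ("+- " or "\- ") + group:artifact:type[:classifier]:version[:scope]
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<conn>[+\\]- )?(?P<coord>[\w.\-]+:[\w.\-]+:\S+)$"
)

Path = Tuple[str, ...]


def group_artifact(coord: str) -> str:
    """Reduce a full Maven coordinate to its group:artifact key."""
    return ":".join(coord.split(":")[:2])


def parse_tree(text: str) -> List[Path]:
    """Return every node as the path of coordinates from the root down to it."""
    stack: List[str] = []
    paths: List[Path] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other Maven log lines (BUILD SUCCESS, timings, ...)
        depth = len(m["indent"]) // 3 + (1 if m["conn"] else 0)
        del stack[depth:]          # pop back to this node's parent
        stack.append(m["coord"])
        paths.append(tuple(stack))
    return paths


def find_flagged_paths(text: str, flagged: Set[str]) -> Dict[str, List[Path]]:
    """Map each flagged group:artifact to the dependency paths that pull it in."""
    hits: Dict[str, List[Path]] = {}
    for path in parse_tree(text):
        key = group_artifact(path[-1])
        if key in flagged:
            hits.setdefault(key, []).append(path)
    return hits


def direct_dependencies_to_fix(hits: Dict[str, List[Path]]) -> Set[str]:
    """The project's own direct dependencies through which flagged artifacts arrive."""
    return {group_artifact(p[1]) for paths in hits.values() for p in paths if len(p) > 1}


if __name__ == "__main__":
    hits = find_flagged_paths(SAMPLE_TREE, FLAGGED)
    for key, paths in sorted(hits.items()):
        for path in paths:
            print(f"{key}: " + " -> ".join(path))
    print("upgrade or exclude via:", ", ".join(sorted(direct_dependencies_to_fix(hits))))
```

Pipe real output in with `mvn dependency:tree | python3 find_flagged.py` (reading stdin instead of `SAMPLE_TREE`) and the last line tells you which direct dependency to bump or add an `<exclusion>` to; here that is `io.kubernetes:client-java`, which is why the fix has to land in the client rather than in consumers.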

@brendandburns
Contributor

Looks like we need to upgrade to a different library (MSAL4J).

We'd be happy to take PRs for that, or we'll get to it eventually.

@brendandburns brendandburns added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Feb 19, 2024
@hritikchaudhary

/assign

@nielsreijers
Contributor

/assign

@nielsreijers
Contributor

I have some spare time and would be happy to look into this. But as a first contributor it may take a bit more time than for someone already familiar with the code.

@nielsreijers
Contributor

@brendandburns quick question:

I noticed a similar issue for the python client (kubernetes-client/python#1983) where you mention in-tree providers are being deprecated in favour of exec providers, and that for the Python client it might be better to remove the code altogether since Azure now has kubelogin.

If I read KubeConfig.java:239 right, the Java client also supports exec providers, so would it be better to simply remove the native code in the Java client as well?

(and a small side question: it seems all three native providers get registered twice, once via the static constructor in KubeConfig, and then again via the static constructors in each class. I suppose it doesn't do any harm since the authenticators map would just keep the last one added, but I was curious if there's any reason for this?)
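
To make concrete what "exec providers" means in the comment above, here is an added example that is not part of this thread and not the Java client's own code: the client side of the kubeconfig exec credential protocol in Python. It runs the configured command with the `KUBERNETES_EXEC_INFO` variable the protocol defines, then refuses the result unless it is an `ExecCredential` of the apiVersion the kubeconfig asked for, carries a token or a client certificate pair, and has not already expired. The `users[].user.exec` entry is constructed, and in place of a real plugin such as kubelogin it runs a Python one-liner (an assumption made so the example works offline) that prints a credential with a made-up token. Removing in-tree Azure code is viable precisely because everything provider-specific then lives behind this exchange.

```python
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Stand-in for an exec plugin such as kubelogin: a Python one-liner (an
# assumption so the example runs offline) that prints an ExecCredential with a
# constructed bearer token valid for 30 minutes.
FAKE_PLUGIN = (
    "import json, datetime as d; "
    "exp = (d.datetime.now(d.timezone.utc) + d.timedelta(minutes=30)).strftime('%Y-%m-%dT%H:%M:%SZ'); "
    "print(json.dumps({'apiVersion': 'client.authentication.k8s.io/v1', 'kind': 'ExecCredential', "
    "'status': {'token': 'constructed-token', 'expirationTimestamp': exp}}))"
)

# Constructed `users[].user.exec` entry as it would appear in a kubeconfig.
USER_EXEC_CONFIG: Dict[str, Any] = {
    "apiVersion": "client.authentication.k8s.io/v1",
    "command": sys.executable,
    "args": ["-c", FAKE_PLUGIN],
    "env": [{"name": "EXAMPLE_TENANT_ID", "value": "constructed"}],
}


class ExecCredentialError(Exception):
    """Raised when the plugin fails or returns something the client must not trust."""


def validate_exec_credential(cred: Dict[str, Any], expected_api_version: str,
                             now: Optional[datetime] = None) -> Dict[str, Any]:
    """Apply the checks a client must make before using a plugin's answer."""
    now = now or datetime.now(timezone.utc)
    if cred.get("kind") != "ExecCredential":
        raise ExecCredentialError(f"unexpected kind {cred.get('kind')!r}")
    if cred.get("apiVersion") != expected_api_version:
        # The plugin must answer in the apiVersion the kubeconfig configured.
        raise ExecCredentialError(
            f"apiVersion {cred.get('apiVersion')!r} != configured {expected_api_version!r}")
    status = cred.get("status") or {}
    token = status.get("token")
    has_cert = bool(status.get("clientCertificateData")) and bool(status.get("clientKeyData"))
    if not token and not has_cert:
        raise ExecCredentialError("status carries neither a token nor a client certificate pair")
    expires_at = None
    if status.get("expirationTimestamp"):
        # RFC 3339 timestamp; fromisoformat rejects a trailing 'Z' before Python 3.11
        expires_at = datetime.fromisoformat(status["expirationTimestamp"].replace("Z", "+00:00"))
        if expires_at <= now:
            raise ExecCredentialError(f"credential expired at {expires_at.isoformat()}")
    return {"token": token, "has_client_cert": has_cert, "expires_at": expires_at}


def run_exec_provider(exec_cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Run the configured plugin and return its validated credential."""
    env = dict(os.environ)
    for item in exec_cfg.get("env") or []:
        env[item["name"]] = item["value"]
    # The protocol hands the plugin an ExecCredential (spec only) in this variable.
    env["KUBERNETES_EXEC_INFO"] = json.dumps({
        "apiVersion": exec_cfg["apiVersion"],
        "kind": "ExecCredential",
        "spec": {"interactive": False},
    })
    proc = subprocess.run([exec_cfg["command"], *exec_cfg.get("args", [])],
                          env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        raise ExecCredentialError(f"plugin exited {proc.returncode}: {proc.stderr.strip()}")
    try:
        cred = json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise ExecCredentialError(f"plugin output is not JSON: {exc}") from exc
    return validate_exec_credential(cred, exec_cfg["apiVersion"])


def rejection_reason(cred: Dict[str, Any], expected_api_version: str,
                     now: Optional[datetime] = None) -> Optional[str]:
    """None if the credential is acceptable, otherwise the reason it was rejected."""
    try:
        validate_exec_credential(cred, expected_api_version, now)
    except ExecCredentialError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cred = run_exec_provider(USER_EXEC_CONFIG)
    print("token:", cred["token"], "expires:", cred["expires_at"])
```

The apiVersion check is the one most often skipped: a plugin answering in `v1beta1` when the kubeconfig says `v1` may carry fields with different meaning, so the client should refuse rather than silently coerce.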

@NikolayMetchev NikolayMetchev changed the title Vulnerability in a dependancy Vulnerability in the adl4j dependency Mar 19, 2024
Development

No branches or pull requests

4 participants