From 55b99391cc8b42825e8fe28dd98609a06db54596 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 15:36:40 +0530 Subject: [PATCH 01/18] I want to test whether the resolutionStrategy is enough to constraint lz4. --- kafka-bom/build.gradle.kts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index da8deda..709e394 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts @@ -25,10 +25,10 @@ dependencies { api("org.apache.commons:commons-lang3:3.18.0") { because("CVE-2025-48924 is fixed in 3.18.0") } - api("org.lz4:lz4-java:1.8.1") { - because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") - because("CVE-2025-12183 is fixed in 1.8.1") - } +// api("org.lz4:lz4-java:1.8.1") { +// because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") +// because("CVE-2025-12183 is fixed in 1.8.1") +// } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") api("io.confluent:kafka-protobuf-serializer:$confluentVersion") From cbe5b34e3fe2258a48053fe059c7202ee707631f Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 20:38:30 +0530 Subject: [PATCH 02/18] Revert "I want to test whether the resolutionStrategy is enough to constraint lz4." This reverts commit 55b99391cc8b42825e8fe28dd98609a06db54596. --- kafka-bom/build.gradle.kts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index 709e394..da8deda 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts 
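Review bot: Commenting out the `org.lz4:lz4-java:1.8.1` entry removes the CVE-2025-12183 floor from kafka-bom for as long as this commit is on the branch. The module applies `org.hypertrace.publish-plugin`, so a publish from this state would ship a BOM without the pin. If the experiment has to be committed, delete the four lines instead of leaving them as `//` comments, and record the result in the commit message, for example `resolutionStrategy alone did / did not keep lz4-java at 1.8.1`. The `dependencies` block starts and ends outside the hunk.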
@@ -25,10 +25,10 @@ dependencies { api("org.apache.commons:commons-lang3:3.18.0") { because("CVE-2025-48924 is fixed in 3.18.0") } -// api("org.lz4:lz4-java:1.8.1") { -// because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") -// because("CVE-2025-12183 is fixed in 1.8.1") -// } + api("org.lz4:lz4-java:1.8.1") { + because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") + because("CVE-2025-12183 is fixed in 1.8.1") + } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") api("io.confluent:kafka-protobuf-serializer:$confluentVersion") From 88bc64899b1b15ef9c1264e41d9870b155bef682 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 20:38:50 +0530 Subject: [PATCH 03/18] run trivy scan on org.apache.kafka:kafka-clients:7.9.5-ccs --- .github/workflows/trivy-dependency-scan.yml | 50 +++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/trivy-dependency-scan.yml diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml new file mode 100644 index 0000000..6897772 --- /dev/null +++ b/.github/workflows/trivy-dependency-scan.yml 
@@ -0,0 +1,50 @@ +name: Trivy Dependency Scan + +on: + schedule: + # Run daily at 2 AM UTC + - cron: '0 2 * * *' + workflow_dispatch: + pull_request: + paths: + - 'kafka-bom/build.gradle.kts' + - '.github/workflows/trivy-dependency-scan.yml' + +jobs: + scan-kafka-clients: + runs-on: ubuntu-22.04 + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Download Kafka Clients JAR + run: | + mkdir -p artifacts + curl -o artifacts/kafka-clients-7.9.5-ccs.jar \ + https://packages.confluent.io/maven/org/apache/kafka/kafka-clients/7.9.5-ccs/kafka-clients-7.9.5-ccs.jar + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'artifacts/kafka-clients-7.9.5-ccs.jar' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + - name: Run Trivy vulnerability scanner (table output) + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'artifacts/kafka-clients-7.9.5-ccs.jar' + format: 'table' + severity: 'CRITICAL,HIGH' From 780aab643380da32a804ff12eca572b71ccec20d Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 20:45:17 +0530 Subject: [PATCH 04/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 26 +++------------------ 1 file changed, 3 insertions(+), 23 deletions(-) diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index 6897772..91491b8 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml @@ -1,9 +1,6 @@ name: Trivy Dependency Scan on: - schedule: - # Run daily at 2 AM UTC - - cron: '0 2 * * *' workflow_dispatch: pull_request: paths: 
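Review bot: Both Trivy steps reference `aquasecurity/trivy-action@master`, a mutable branch, in a job that is granted `security-events: write`. Pin it to a full commit SHA, `uses: aquasecurity/trivy-action@<PINNED_COMMIT_SHA>`; the same applies to `hypertrace/github-actions/trivy-image-scan@main` in the later patches on this page. The download step runs `curl -o` without `--fail`, so an HTTP error body would be saved under the .jar name and the step would still succeed. Use `curl --fail --location --silent --show-error -o …` and check the file against a recorded digest with `sha256sum --check` before scanning. The scanned version is hard-coded as 7.9.5-ccs while kafka-bom builds its version from `confluentVersion`, so the scanned artifact can differ from the one the BOM pins.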
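Review bot: Removing the `schedule` trigger leaves this scan running only on `workflow_dispatch` and on pull requests that touch the two listed paths. A CVE published against a dependency that nobody edits would then go unreported until one of those files changes. Keep `- cron: '0 2 * * *'`, or add a comment in the `on:` block naming the job that performs the periodic scan instead.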
@@ -27,24 +24,7 @@ jobs: https://packages.confluent.io/maven/org/apache/kafka/kafka-clients/7.9.5-ccs/kafka-clients-7.9.5-ccs.jar - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: hypertrace/github-actions/trivy-image-scan@main with: - scan-type: 'fs' - scan-ref: 'artifacts/kafka-clients-7.9.5-ccs.jar' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' - - - name: Run Trivy vulnerability scanner (table output) - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'artifacts/kafka-clients-7.9.5-ccs.jar' - format: 'table' - severity: 'CRITICAL,HIGH' + image: artifacts/kafka-clients-7.9.5-ccs.jar + output-mode: github From 110b9c7c5c35e8aa45b7e0da32322e7a9445426a Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 20:51:09 +0530 Subject: [PATCH 05/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index 91491b8..3377824 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml @@ -19,12 +19,23 @@ jobs: - name: Download Kafka Clients JAR run: | - mkdir -p artifacts - curl -o artifacts/kafka-clients-7.9.5-ccs.jar \ + mkdir -p scan-context + curl -o scan-context/kafka-clients-7.9.5-ccs.jar \ https://packages.confluent.io/maven/org/apache/kafka/kafka-clients/7.9.5-ccs/kafka-clients-7.9.5-ccs.jar + - name: Create Dockerfile for scanning + run: | + cat > scan-context/Dockerfile < Date: Mon, 15 Dec 2025 20:55:58 +0530 Subject: [PATCH 06/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
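Review bot: `image: artifacts/kafka-clients-7.9.5-ccs.jar` passes a file path to an input called `image` on an action named trivy-image-scan, which presumably expects a container image reference. The scan may therefore fail or report nothing for the JAR, so confirm against the action's inputs before relying on a green run. This hunk also drops the `upload-sarif` step and the `severity: 'CRITICAL,HIGH'` filter while the job still holds `security-events: write` at this commit. Either confirm that `output-mode: github` publishes findings to code scanning, or reduce the job permission to `contents: read`. A short comment above the step saying which severities fail the build would make the gate explicit.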
diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index 3377824..4a74ea8 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml @@ -32,10 +32,10 @@ jobs: - name: Build Docker image run: | - docker build -t kafka-clients-scan:7.9.5-ccs scan-context + docker build -t kafka-clients-scan:latest scan-context - name: Run Trivy vulnerability scanner uses: hypertrace/github-actions/trivy-image-scan@main with: - image: kafka-clients-scan:7.9.5-ccs + image: kafka-clients-scan:latest output-mode: github From fda4ee14b29a3e1a1d7b410d82b4db5c3636392a Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 21:01:45 +0530 Subject: [PATCH 07/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index 4a74ea8..884b3dd 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml @@ -32,7 +32,7 @@ jobs: - name: Build Docker image run: | - docker build -t kafka-clients-scan:latest scan-context + docker build -t kafka-clients-scan scan-context - name: Run Trivy vulnerability scanner uses: hypertrace/github-actions/trivy-image-scan@main From e3eb9f097c3a03e55b9f7dcd4b5463689204e03d Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 21:12:24 +0530 Subject: [PATCH 08/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index 884b3dd..c8fe3fa 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml 
@@ -37,5 +37,5 @@ jobs: - name: Run Trivy vulnerability scanner uses: hypertrace/github-actions/trivy-image-scan@main with: - image: kafka-clients-scan:latest + image: kafka-clients-scan output-mode: github From 930a25a44f2746fb99b8ccbd2472efb4fe81b1a2 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 21:17:09 +0530 Subject: [PATCH 09/18] update trivy action --- .github/workflows/trivy-dependency-scan.yml | 40 ++++++++++----------- 1 file changed, 18 insertions(+), 22 deletions(-) diff --git a/.github/workflows/trivy-dependency-scan.yml b/.github/workflows/trivy-dependency-scan.yml index c8fe3fa..1fc9e89 100644 --- a/.github/workflows/trivy-dependency-scan.yml +++ b/.github/workflows/trivy-dependency-scan.yml @@ -8,34 +8,30 @@ on: - '.github/workflows/trivy-dependency-scan.yml' jobs: - scan-kafka-clients: + build: runs-on: ubuntu-22.04 - permissions: - contents: read - security-events: write steps: - - name: Checkout code + # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation + - name: Check out code uses: actions/checkout@v4 + with: + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + fetch-depth: 0 - - name: Download Kafka Clients JAR - run: | - mkdir -p scan-context - curl -o scan-context/kafka-clients-7.9.5-ccs.jar \ - https://packages.confluent.io/maven/org/apache/kafka/kafka-clients/7.9.5-ccs/kafka-clients-7.9.5-ccs.jar - - - name: Create Dockerfile for scanning - run: | - cat > scan-context/Dockerfile < Date: Mon, 15 Dec 2025 21:17:19 +0530 Subject: [PATCH 10/18] update versions --- kafka-bom/build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index da8deda..361b864 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts 
@@ -4,7 +4,7 @@ plugins { } -var confluentVersion = "7.7.0" +var confluentVersion = "7.9.5" var confluentCcsVersion = "$confluentVersion-ccs" var protobufVersion = "3.25.8" From 1e759faa1cdf89c7eb4613f6a8dfee17acb480c8 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 22:46:47 +0530 Subject: [PATCH 11/18] update gradle to get dockerBuildImages --- kafka-streams-framework/build.gradle.kts | 1 + 1 file changed, 1 insertion(+) diff --git a/kafka-streams-framework/build.gradle.kts b/kafka-streams-framework/build.gradle.kts index cc9fd3d..ac88463 100644 --- a/kafka-streams-framework/build.gradle.kts +++ b/kafka-streams-framework/build.gradle.kts @@ -4,6 +4,7 @@ plugins { id("org.hypertrace.publish-plugin") id("org.hypertrace.jacoco-report-plugin") id("org.hypertrace.avro-plugin") + id("org.hypertrace.docker-java-application-plugin") } tasks.test { From e0a9a214b3ee9c3352119ece8d69fa0ce3d295cd Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 22:51:49 +0530 Subject: [PATCH 12/18] update gradle to get dockerBuildImages --- build.gradle.kts | 1 + 1 file changed, 1 insertion(+) diff --git a/build.gradle.kts b/build.gradle.kts index 5013857..b4d7dca 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -9,6 +9,7 @@ plugins { id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false id("org.hypertrace.code-style-plugin") version "2.1.2" apply false id("org.owasp.dependencycheck") version "12.1.3" + id("org.hypertrace.docker-java-application-plugin") version "0.11.3" } subprojects { From a2cf016eab5fd321e15143b895408cf672d586e2 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 22:54:16 +0530 Subject: [PATCH 13/18] update gradle to get dockerBuildImages --- build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle.kts b/build.gradle.kts index b4d7dca..efe9db4 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
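Review bot: In kafka-streams-framework/build.gradle.kts, `id("org.hypertrace.docker-java-application-plugin")` is applied to a module that also applies `org.hypertrace.publish-plugin` and looks like a published library rather than an application. The commit subject ("to get dockerBuildImages") suggests the image exists only so the Trivy image scan has something to scan, which ties the library build to Docker tooling. The root build already applies `org.owasp.dependencycheck`, and scanning the resolved runtime classpath would cover the same dependencies without an image. If the plugin stays, add a comment on that line such as `// applied only so CI can build an image for the Trivy dependency scan`.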
@@ -9,7 +9,7 @@ plugins { id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false id("org.hypertrace.code-style-plugin") version "2.1.2" apply false id("org.owasp.dependencycheck") version "12.1.3" - id("org.hypertrace.docker-java-application-plugin") version "0.11.3" + id("org.hypertrace.docker-java-application-plugin") version "0.11.3" apply false } subprojects { From d4007354c12d7ce5026e1eea97382655f6a18bb2 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 23:01:08 +0530 Subject: [PATCH 14/18] update constraint --- kafka-bom/build.gradle.kts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index 361b864..6139612 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts @@ -25,9 +25,9 @@ dependencies { api("org.apache.commons:commons-lang3:3.18.0") { because("CVE-2025-48924 is fixed in 3.18.0") } - api("org.lz4:lz4-java:1.8.1") { - because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") - because("CVE-2025-12183 is fixed in 1.8.1") + api("at.yawk.lz4:lz4-java:1.10.1") { + because("[https://nvd.nist.gov/vuln/detail/CVE-2025-66566] in at.yawk.lz4:lz4-java (lz4-java-1.8.1.jar)") + because("CVE-2025-66566 is fixed in 1.8.1") } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") From fd1dbc954858d112917b57eed506a9265169bcd9 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 23:05:57 +0530 Subject: [PATCH 15/18] update constraint --- build.gradle.kts | 2 +- kafka-bom/build.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index efe9db4..b47d8de 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
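Review bot: In the kafka-bom hunk, replacing the `org.lz4:lz4-java` entry with `at.yawk.lz4:lz4-java:1.10.1` drops the floor on the coordinates Kafka declares (other text on this page refers to "Kafka's org.lz4:lz4-java:1.8.0"). An entry for a different group only takes effect when that module is already in the consumer's graph, so a consumer that does not resolve the relocation would fall back to the transitive version. The reason strings also contradict the pin: the entry selects 1.10.1 and names lz4-java-1.8.1.jar as affected, yet the second string says `CVE-2025-66566 is fixed in 1.8.1`. It should read `because("CVE-2025-66566 is fixed in 1.10.1")`. Since `because` is called twice and Gradle most likely keeps only the last reason, merging both into one string would keep the NVD link in dependency-insight output.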
@@ -35,7 +35,7 @@ subprojects { // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs. configurations.all { resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") { - select("at.yawk.lz4:lz4-java:1.8.1") + select("at.yawk.lz4:lz4-java:1.10.1") because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect") } } diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index 6139612..ed5650c 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts @@ -27,7 +27,7 @@ dependencies { } api("at.yawk.lz4:lz4-java:1.10.1") { because("[https://nvd.nist.gov/vuln/detail/CVE-2025-66566] in at.yawk.lz4:lz4-java (lz4-java-1.8.1.jar)") - because("CVE-2025-66566 is fixed in 1.8.1") + because("CVE-2025-66566 is fixed in 1.10.1") } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") From f969bcf67d37fcaa56be5e9635538b70a3a71aeb Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 23:09:08 +0530 Subject: [PATCH 16/18] Revert "update constraint" This reverts commit fd1dbc954858d112917b57eed506a9265169bcd9. --- build.gradle.kts | 2 +- kafka-bom/build.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index b47d8de..efe9db4 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -35,7 +35,7 @@ subprojects { // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs. configurations.all { resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") { - select("at.yawk.lz4:lz4-java:1.10.1") + select("at.yawk.lz4:lz4-java:1.8.1") because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect") } } diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index ed5650c..6139612 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts 
@@ -27,7 +27,7 @@ dependencies { } api("at.yawk.lz4:lz4-java:1.10.1") { because("[https://nvd.nist.gov/vuln/detail/CVE-2025-66566] in at.yawk.lz4:lz4-java (lz4-java-1.8.1.jar)") - because("CVE-2025-66566 is fixed in 1.10.1") + because("CVE-2025-66566 is fixed in 1.8.1") } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") From bf7ac0d444b713e9bc3a964c46583028415a02b9 Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 23:09:16 +0530 Subject: [PATCH 17/18] Revert "update constraint" This reverts commit d4007354c12d7ce5026e1eea97382655f6a18bb2. --- kafka-bom/build.gradle.kts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index 6139612..361b864 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts @@ -25,9 +25,9 @@ dependencies { api("org.apache.commons:commons-lang3:3.18.0") { because("CVE-2025-48924 is fixed in 3.18.0") } - api("at.yawk.lz4:lz4-java:1.10.1") { - because("[https://nvd.nist.gov/vuln/detail/CVE-2025-66566] in at.yawk.lz4:lz4-java (lz4-java-1.8.1.jar)") - because("CVE-2025-66566 is fixed in 1.8.1") + api("org.lz4:lz4-java:1.8.1") { + because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") + because("CVE-2025-12183 is fixed in 1.8.1") } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") From c06e7d2f0fc0e590c1bc5b18e33c6a4338b8cbba Mon Sep 17 00:00:00 2001 From: DibyojyotiS Date: Mon, 15 Dec 2025 23:31:33 +0530 Subject: [PATCH 18/18] give-up? --- build.gradle.kts | 13 ++++++------- kafka-bom/build.gradle.kts | 5 ----- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index efe9db4..ed6c2d5 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
@@ -29,14 +29,13 @@ subprojects { } } - // Handle lz4-java redirect capability conflict: - // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183. - // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0. - // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs. + // Replace org.lz4:lz4-java with at.yawk.lz4:lz4-java to handle Sonatype relocation + // This MUST be in each consuming repo - BOMs cannot enforce this automatically configurations.all { - resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") { - select("at.yawk.lz4:lz4-java:1.8.1") - because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect") + resolutionStrategy.dependencySubstitution { + substitute(module("org.lz4:lz4-java")) + .using(module("at.yawk.lz4:lz4-java:1.10.1")) + .because("org.lz4:lz4-java has been relocated to at.yawk.lz4:lz4-java to fix CVE-2025-12183") } } } diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts index 361b864..dc4c48b 100644 --- a/kafka-bom/build.gradle.kts +++ b/kafka-bom/build.gradle.kts @@ -3,7 +3,6 @@ plugins { id("org.hypertrace.publish-plugin") } - var confluentVersion = "7.9.5" var confluentCcsVersion = "$confluentVersion-ccs" var protobufVersion = "3.25.8" @@ -25,10 +24,6 @@ dependencies { api("org.apache.commons:commons-lang3:3.18.0") { because("CVE-2025-48924 is fixed in 3.18.0") } - api("org.lz4:lz4-java:1.8.1") { - because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0") - because("CVE-2025-12183 is fixed in 1.8.1") - } api("io.confluent:kafka-streams-avro-serde:$confluentVersion") api("io.confluent:kafka-protobuf-serializer:$confluentVersion")
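Review bot: The new `dependencySubstitution` rule sits inside this repository's `subprojects { configurations.all { … } }`, so it only affects this build, and the same commit deletes the lz4 entry from kafka-bom. As the added comment itself says, consumers of the published BOM get no lz4 protection unless they copy the rule. Keep an lz4 entry in the BOM for the coordinates consumers actually resolve, and document the required substitution where consumers will see it (README or release notes), not only in this build script. The `because` text names only CVE-2025-12183, although 1.10.1 was chosen earlier in this series for CVE-2025-66566. Name both so the reason explains the version, for example `.because("org.lz4:lz4-java relocated to at.yawk.lz4:lz4-java; 1.10.1 addresses CVE-2025-12183 and CVE-2025-66566")`. The `subprojects` block starts outside the hunk.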