rmoff opened a new issue, #16288: URL: https://github.com/apache/iceberg/issues/16288
## Summary

The Kafka Connect runtime distribution bundles `org.bouncycastle:bcprov-jdk18on:1.82`, which is affected by [CVE-2026-5598](https://www.tenable.com/cve/CVE-2026-5598) (HIGH). All Bouncy Castle versions 1.71 through 1.83 are affected; the fix is 1.84.

Iceberg already declares the desired version — `gradle/libs.versions.toml` pins `bouncycastle = "1.84"` — but that pin is only wired up in `testImplementation` scope. The runtime classpath of `kafka-connect-runtime` instead resolves to 1.82 via a transitive dependency.

## Reproducing

Build the Kafka Connect runtime distribution and scan with Trivy:

```bash
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip -d /tmp/iceberg-kc-scan
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib/ -s HIGH,CRITICAL --scanners vuln
```

Also reported by the Kafka Connect CVE Scan workflow added in [#15430](https://github.com/apache/iceberg/pull/15430); see, for example, [this run](https://github.com/apache/iceberg/actions/runs/25673357835/job/75364306106?pr=15430).

The bundled version is also visible in `kafka-connect/kafka-connect-runtime/runtime-deps.txt`:

```
org.bouncycastle:bcprov-jdk18on:1.82
```

---

> [!NOTE]
> This analysis was performed with the assistance of Claude Opus 4.7 (Anthropic).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
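The underlying problem the issue describes is version-catalog drift: a pin in `gradle/libs.versions.toml` only governs the configurations that reference it, so a transitive dependency on another configuration can still pull an older release into the shipped `lib/` directory. The following shell check is an added example and not part of the original issue or of the Iceberg build; it compares every module a Gradle version catalog pins (via `version.ref` or an inline `version`) against the `group:artifact:version` lines of a runtime dependency manifest such as `runtime-deps.txt` and reports any module whose bundled version differs from the catalog pin. The function name `check_runtime_pins`, the helper `make_samples`, and the catalog and manifest contents below are constructed for illustration; they are not the project's real files.

```shell
#!/bin/sh
# check_runtime_pins CATALOG MANIFEST
#   CATALOG  : a Gradle version catalog (libs.versions.toml) with [versions]
#              before [libraries]
#   MANIFEST : one "group:artifact:version" coordinate per line, e.g. the
#              runtime-deps.txt produced for a distribution
# Prints "module pinned=X bundled=Y" for every pinned module whose bundled
# version differs from the catalog, and returns 1 if any drift was found.
check_runtime_pins() {
  toml="$1"
  deps="$2"
  # The catalog is read with the default whitespace FS; FS is switched to ':'
  # just before the manifest so its coordinates split into three fields.
  awk '
    FNR == 1 { file++ }
    file == 1 {
      if ($0 ~ /^\[/) { section = $1; next }
      if (section == "[versions]" &&
          match($0, /^[A-Za-z0-9_.-]+[ \t]*=[ \t]*"[^"]+"/)) {
        key = $1
        ver = $0; sub(/^[^"]*"/, "", ver); sub(/".*$/, "", ver)
        versions[key] = ver
        next
      }
      if (section == "[libraries]" &&
          match($0, /module[ \t]*=[ \t]*"[^"]+"/)) {
        mod = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", mod); sub(/"$/, "", mod)
        if (match($0, /version\.ref[ \t]*=[ \t]*"[^"]+"/)) {
          ref = substr($0, RSTART, RLENGTH)
          sub(/^[^"]*"/, "", ref); sub(/"$/, "", ref)
          if (ref in versions) pinned[mod] = versions[ref]
        } else if (match($0, /version[ \t]*=[ \t]*"[^"]+"/)) {
          ver = substr($0, RSTART, RLENGTH)
          sub(/^[^"]*"/, "", ver); sub(/"$/, "", ver)
          pinned[mod] = ver
        }
      }
      next
    }
    # Manifest lines: group:artifact:version (classified coordinates skipped)
    file == 2 && NF == 3 {
      mod = $1 ":" $2
      if (mod in pinned && pinned[mod] != $3) {
        print mod " pinned=" pinned[mod] " bundled=" $3
        bad = 1
      }
    }
    END { exit bad }
  ' "$toml" FS=':' "$deps"
}

# Constructed sample inputs (not the Iceberg files) reproducing the shape of
# the report: the catalog pins Bouncy Castle 1.84, the runtime bundles 1.82.
make_samples() {
  dir="$1"
  cat > "$dir/libs.versions.toml" <<'EOF'
[versions]
bouncycastle = "1.84"
guava = "33.0.0-jre"

[libraries]
bouncycastle-bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" }
guava = { module = "com.google.guava:guava", version.ref = "guava" }
slf4j-api = { module = "org.slf4j:slf4j-api", version = "2.0.16" }
EOF
  cat > "$dir/runtime-deps.txt" <<'EOF'
com.google.guava:guava:33.0.0-jre
org.bouncycastle:bcprov-jdk18on:1.82
org.slf4j:slf4j-api:2.0.16
EOF
}

# Stand-alone demonstration: expected to report the bcprov drift.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_runtime_pins "$demo_dir/libs.versions.toml" "$demo_dir/runtime-deps.txt" \
  || echo "version catalog drift detected in $demo_dir/runtime-deps.txt"
```

Run against the real files after regenerating the manifest for the distribution (the same artefact the CVE scan workflow inspects) so the comparison reflects what is actually shipped rather than what the catalog intends; a non-zero exit is the signal that a constraint or dependency override is needed on the runtime configuration, not just the test one.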
