The v0.3.1 patch release of Creek is now publicly available on Maven Central.
This small patch contains a few dependency updates to fix some security vulnerabilities in dependencies. Nothing really worth calling out as being fixed, as its mostly stuff that wouldn’t affect their use in Creek.
However, I will call out a few of the remaining ‘vulnerabilities’ in Creek dependencies.
Snake YAML’s Deserialization of Untrusted Data
At the time of writing, this was marked with
Critical priority. However, if you read up on the
you’ll see the vulnerability is that the deserializer allows instantiation or arbitrary types, and this
can lead to remote code execution if you’re parsing YAML from an untrustworthy source, e.g. text submitted
from a form on a website.
This is not an issue for Creek, as all YAML being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.
SnakeYaml isn’t used directly by Creek. Creek makes use of it via Jackson. Fixing this (none) issue in Creek is not currently possible.
Jackson core’s Uncontrolled Resource Consumption
At the time of writing, this is marked with
High priority. However, if you
read up on this vulnerability, this is also about parsing
data from untrustworthy source.
This is not an issue for Creek, as all data being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.
There is already a fix in Jackson. Creek will update to
of Jackson when it is released.
Kafka Stream’s divide by zero
This seems to be a vulnerability detected by SonaType OSS Index scanning a PR that fixed a potential divide-by-zero issue. The PR was never merged, hence the vulnerability report. However, from the PR comments it looks as though this issue is unlikely, or even impossible, to be hit.
An issue has been raised to track a potential fix.
Creek will be updated should a fix become available.
As for continuing work on Creek: my focus is currently elsewhere for the next month or two, but I will get to those tutorials soon, and will post when I do!