CVE: Reduced failure level to high (#1599)

germanosin · Copilot · web-flow · commit 38ed2916620d · 2025-12-30T17:46:10.000+01:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/cve_checks.yml b/.github/workflows/cve_checks.yml
@@ -71,6 +71,7 @@ jobs:
         uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # https://github.com/aquasecurity/trivy-action/releases/tag/0.33.1
         with:
           image-ref: "ghcr.io/kafbat/kafka-ui:latest"
+          severity: "CRITICAL,HIGH"
           format: "table"
           exit-code: "1"
 
diff --git a/api/build.gradle b/api/build.gradle
@@ -7,6 +7,16 @@ plugins {
     alias(libs.plugins.spring.dependency.management)
 }
 
+configurations.all {
+    resolutionStrategy {
+        capabilitiesResolution {
+            withCapability("org.lz4:lz4-java") {
+                select(libs.lz4.yawk.get().toString())
+            }
+        }
+    }
+}
+
 
 import com.bmuschko.gradle.docker.tasks.image.DockerBuildImage
 
@@ -30,7 +40,10 @@ dependencies {
 
     implementation libs.spring.security.ldap
 
-    implementation libs.kafka.clients
+    implementation (libs.kafka.clients) {
+        // TODO: Remove once client would fix CVE
+        exclude group: "org.lz4", module: "lz4-java"
+    }
 
     implementation libs.apache.avro
     implementation libs.apache.commons
@@ -74,10 +87,12 @@ dependencies {
     // CVE Fixes
     implementation libs.apache.commons.compress
     implementation libs.okhttp3.logging.intercepter
+    implementation libs.lz4.yawk
 
     implementation libs.modelcontextprotocol.spring.webflux
     implementation libs.victools.jsonschema.generator
 
+
     // Google Managed Service for Kafka IAM support
     implementation (libs.google.managed.kafka.login.handler) {
         exclude group: 'com.google.oauth-client', module: 'google-oauth-client'
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -140,3 +140,6 @@ lucene-queryparser = {module = 'org.apache.lucene:lucene-queryparser', version.r
 lucene-analysis-common = {module = 'org.apache.lucene:lucene-analysis-common', version.ref = 'lucene'}
 
 fastcsv = {module = 'de.siegmar:fastcsv', version = '4.1.0'}
+
+# CVE-2025-12183 fix
+lz4-yawk = {module = 'at.yawk.lz4:lz4-java', version = '1.10.1'}
