From 4e5971dfad8fc1e04a3ff65624344c6764252e9b Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Thu, 22 Feb 2024 00:30:33 +0300
Subject: [PATCH 1/8] CVE fixes, closes #133
---
pom.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 46a6b246a..997c90810 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,17 +38,17 @@
3.1.0
3.0.13
2.14.0
- 3.5.0
+ 3.5.2
1.5.5.Final
1.18.30
3.23.3
2.13.9
2.0
- 3.1.3
+ 3.1.6
1.0.0
0.1.17
0.1.39
- 20230227
+ 20231013
0.3.0
31.0.1-jre
From 4d210d17d13a8f77e3cba90afb1c23500d971313 Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Sat, 2 Mar 2024 20:49:36 +0300
Subject: [PATCH 2/8] CVE fixes, closes #133
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 997c90810..81d1f43eb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
4.12.0
2.12.0
3.25.3
- 1.11.1
+ 1.11.3
1.12.19
7.4.0
3.1.0
@@ -44,7 +44,7 @@
3.23.3
2.13.9
2.0
- 3.1.6
+ 3.1.9
1.0.0
0.1.17
0.1.39
From e8830fccd01f0567d9507a9d3b71eff788801d86 Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Sat, 2 Mar 2024 21:39:16 +0300
Subject: [PATCH 3/8] CVE fixes, closes #133
---
api/pom.xml | 21 +++++++++++++++++++++
pom.xml | 6 ++++--
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/api/pom.xml b/api/pom.xml
index 79dcba395..b72ceb387 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -253,6 +253,27 @@
dev.cel
cel
+
+
+ ch.qos.logback
+ logback-classic
+ ${logback.version}
+
+
+ ch.qos.logback
+ logback-core
+ ${logback.version}
+
+
+ com.squareup.okhttp3
+ logging-interceptor
+ ${squareup.okhttp3.version}
+
+
+ org.apache.commons
+ commons-compress
+ ${commons.compress.version}
+
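Review bot: The four entries added here (logback-classic, logback-core, okhttp3 logging-interceptor, commons-compress) carry no comment naming the advisory or the parent dependency they override, so a later maintainer cannot tell when a pin can be dropped. The markup is stripped in this view, so it is not visible whether they sit under `dependencyManagement` or are declared as direct dependencies. If they are direct, they also widen the module's own classpath, whereas a managed entry would pin the transitive version without doing that. I would add a line such as `<!-- pinned for <CVE-ID placeholder>; pulled in transitively by <artifact placeholder>; remove once upstream ships a fixed version -->` above each entry.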
diff --git a/pom.xml b/pom.xml
index 8f9481131..09291b02c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,11 +51,13 @@
20231013
0.3.0
33.0.0-jre
-
+ 1.26.0
+ 1.4.12
+ 4.12.0
5.9.1
5.3.1
- 4.10.0
+ 4.12.0
1.19.5
From e0512feb46f1739c18fd176a550a992bbe0bb821 Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Sun, 3 Mar 2024 23:02:56 +0300
Subject: [PATCH 4/8] CVE fixes, closes #133
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 09291b02c..e87a2c074 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,7 +34,7 @@
3.25.3
1.11.3
1.12.19
- 7.4.0
+ 7.4.4
3.1.0
3.0.13
2.14.0
From 52c67b3b8ead5ac5b6479f39963c084d33614675 Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Mon, 4 Mar 2024 00:15:45 +0300
Subject: [PATCH 5/8] CVE fixes, closes #133
---
api/Dockerfile | 2 +-
documentation/compose/postgres/Dockerfile | 4 +---
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/api/Dockerfile b/api/Dockerfile
index 463ce22f3..422c020de 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,5 +1,5 @@
#FROM azul/zulu-openjdk-alpine:17-jre-headless
-FROM azul/zulu-openjdk-alpine@sha256:a36679ac0d28cb835e2a8c00e1e0d95509c6c51c5081c7782b85edb1f37a771a
+FROM azul/zulu-openjdk-alpine@sha256:d59f1266db40341318e563fd76c21b2880ffa5d371f0c097c29d33f89c3a0010
RUN apk add --no-cache \
# snappy codec
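Review bot: The new `FROM` pins a digest only, and the human-readable tag survives just in the commented-out line above it, so the instruction itself does not say which release the digest belongs to and gives an update tool nothing to propose the next one from. Writing tag and digest together keeps the immutability of the pin and records the intent: `FROM azul/zulu-openjdk-alpine:17-jre-headless@sha256:d59f1266db40341318e563fd76c21b2880ffa5d371f0c097c29d33f89c3a0010`. That assumes the digest is a build of that tag, which the diff does not show, so verify it against the registry first. The commented line can then be dropped. The `RUN apk add` instruction continues outside the hunk.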
diff --git a/documentation/compose/postgres/Dockerfile b/documentation/compose/postgres/Dockerfile
index c737c43a7..0723a3f33 100644
--- a/documentation/compose/postgres/Dockerfile
+++ b/documentation/compose/postgres/Dockerfile
@@ -2,8 +2,6 @@ ARG image
FROM ${image}
-MAINTAINER Kafbat Team
-
-ADD data.sql /docker-entrypoint-initdb.d
+COPY data.sql /docker-entrypoint-initdb.d
EXPOSE 5432
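Review bot: The `COPY` destination has no trailing slash, so if the base image lacks `/docker-entrypoint-initdb.d`, `data.sql` is written as a regular file of that name rather than into the directory, and the seed script would then never run, with no build error. `COPY data.sql /docker-entrypoint-initdb.d/` states the directory intent explicitly. This matters here because the base comes from `ARG image`, which has no default in the visible lines, so the file cannot assume which image it is built on.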
From e2cde5b470b03b18403ac863e84e643e5ae7c078 Mon Sep 17 00:00:00 2001
From: Roman Zabaluev
Date: Thu, 7 Mar 2024 20:03:25 +0700
Subject: [PATCH 6/8] Update CVE checks workflow name
---
.github/workflows/cve.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cve.yml b/.github/workflows/cve.yml
index d53913521..2a8bfbc59 100644
--- a/.github/workflows/cve.yml
+++ b/.github/workflows/cve.yml
@@ -1,4 +1,4 @@
-name: CVE checks docker main
+name: "Infra: CVE checks"
on:
workflow_dispatch:
schedule:
From 043df7b8ac148dff991c6c2a5406018293e88dcd Mon Sep 17 00:00:00 2001
From: Alexey Zavialov <>
Date: Tue, 12 Mar 2024 01:35:54 +0300
Subject: [PATCH 7/8] CVE fixes, closes #133
---
api/pom.xml | 13 ++++++++-----
.../kafbat/ui/serdes/builtin/ProtobufFileSerde.java | 7 ++++++-
documentation/compose/postgres/Dockerfile | 2 ++
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/api/pom.xml b/api/pom.xml
index b72ceb387..c945dcc37 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -253,26 +253,29 @@
dev.cel
cel
-
+
ch.qos.logback
logback-classic
- ${logback.version}
+ 1.4.12
+
ch.qos.logback
logback-core
- ${logback.version}
+ 1.4.12
+
com.squareup.okhttp3
logging-interceptor
- ${squareup.okhttp3.version}
+ 4.12.0
+
org.apache.commons
commons-compress
- ${commons.compress.version}
+ 1.26.0
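Review bot: `logback-classic` and `logback-core` now each carry their own literal `1.4.12`, so two artifacts that have to move together can drift apart when the next advisory bump edits only one of the lines. A single property (the `${logback.version}` reference the previous revision used) or one managed entry keeps them aligned and leaves one place to change. The other added lines are blank in this view, so any explanatory comment they may hold is not visible here. If they are not comments, a short note on why each pin exists would still be worth adding.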
diff --git a/api/src/main/java/io/kafbat/ui/serdes/builtin/ProtobufFileSerde.java b/api/src/main/java/io/kafbat/ui/serdes/builtin/ProtobufFileSerde.java
index 371002696..e2fc105b9 100644
--- a/api/src/main/java/io/kafbat/ui/serdes/builtin/ProtobufFileSerde.java
+++ b/api/src/main/java/io/kafbat/ui/serdes/builtin/ProtobufFileSerde.java
@@ -365,7 +365,8 @@ private Map knownProtoFiles() {
loadKnownProtoFile("google/protobuf/struct.proto", StructProto.getDescriptor()),
loadKnownProtoFile("google/protobuf/timestamp.proto", TimestampProto.getDescriptor()),
loadKnownProtoFile("google/protobuf/type.proto", TypeProto.getDescriptor()),
- loadKnownProtoFile("google/protobuf/wrappers.proto", WrappersProto.getDescriptor())
+ loadKnownProtoFile("google/protobuf/wrappers.proto", WrappersProto.getDescriptor()),
+ loadKnownProtoFile("wire/extensions.proto")
).collect(Collectors.toMap(p -> p.getLocation().getPath(), p -> p));
}
@@ -382,6 +383,10 @@ private ProtoFile loadKnownProtoFile(String path, Descriptors.FileDescriptor fil
return ProtoFile.Companion.get(ProtoParser.Companion.parse(Location.get(path), protoFileString));
}
+ private ProtoFile loadKnownProtoFile(String path) {
+ return ProtoFile.Companion.get(ProtoFileElement.empty(path));
+ }
+
private Loader createFilesLoader(Map files) {
return new Loader() {
@Override
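Review bot: The new `loadKnownProtoFile(String path)` overload registers an empty `ProtoFile` but shares its name with the overload that parses a real descriptor, so the call in `knownProtoFiles()` gives no sign that `wire/extensions.proto` is a stub with no definitions. A Javadoc line would fix that, for example `/** Registers an empty stand-in so imports of this path resolve; it defines no messages or options. */`, and a distinct name such as `emptyKnownProtoFile` would make the call site read correctly. The commit does not state why the stub is needed (presumably an import introduced by a library upgrade in this series), so confirm the reason before writing it into the comment. `createFilesLoader` continues outside the hunk.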
diff --git a/documentation/compose/postgres/Dockerfile b/documentation/compose/postgres/Dockerfile
index 0723a3f33..399a9dbe3 100644
--- a/documentation/compose/postgres/Dockerfile
+++ b/documentation/compose/postgres/Dockerfile
@@ -2,6 +2,8 @@ ARG image
FROM ${image}
+LABEL maintainer="Kafbat Team"
+
COPY data.sql /docker-entrypoint-initdb.d
EXPOSE 5432
From a46c9145b4f206a047defa96cc5d1276895694d5 Mon Sep 17 00:00:00 2001
From: Roman Zabaluev
Date: Sun, 17 Mar 2024 02:55:28 +0700
Subject: [PATCH 8/8] Remove unused props
---
pom.xml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index e87a2c074..26eeaf215 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,9 +51,6 @@
20231013
0.3.0
33.0.0-jre
- 1.26.0
- 1.4.12
- 4.12.0
5.9.1
5.3.1