
rest-utils uses some vulnerable dependencies #260

Closed
pavel-sbor opened this issue May 31, 2021 · 2 comments

pavel-sbor commented May 31, 2021

Description
I checked the Confluent Kafka 6.1.1 distribution with WhiteSource and found that some libraries have vulnerabilities.
Here they are:

  • jetty-io-9.4.38.v20210224.jar has CVE-2021-28165 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-io:9.4.39 or org.eclipse.jetty:jetty-io:10.0.2 or org.eclipse.jetty:jetty-io:11.0.2
  • jersey-common-2.31.jar has CVE-2021-28168 vulnerability. The way to fix it is to upgrade to org.glassfish.jersey.core:jersey-common:2.34
  • jetty-webapp-9.4.38.v20210224.jar has CVE-2021-28164 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-webapp:9.4.39
  • jetty-server-9.4.38.v20210224.jar has CVE-2021-28164 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-webapp:9.4.39
  • guava-28.1-jre.jar has CVE-2020-8908 vulnerability. The way to fix it is to upgrade to version 30

To Reproduce
Download the Confluent Kafka 6.1.1 distribution (for example: curl -O http://packages.confluent.io/archive/6.1/confluent-community-6.1.1.tar.gz)
Open the share/java/rest-utils folder in it and find the jars listed above.
Check that these jars, with the corresponding versions, are mentioned in the corresponding vulnerability description (for example, on https://nvd.nist.gov/vuln/detail/CVE-2021-28168 jersey-common 2.31 is mentioned in the "Known Affected Software Configurations" list).

Expected behavior

  • jetty-io upgraded to 9.4.39 or higher
  • jersey-common upgraded to 2.34 or higher
  • jetty-webapp upgraded to 9.4.39 or higher
  • jetty-server upgraded to jetty-webapp:9.4.39 or higher
  • guava upgraded to version 30 or higher

Actual behaviour

  • jetty-io is 9.4.38
  • jersey-common is 2.31
  • jetty-webapp is 9.4.38
  • jetty-server is 9.4.38
  • guava is 28.1-jre
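
The check in the reproduction steps above, done as a script instead of by hand, is an added example and is not part of the issue or of Confluent's own tooling. It lists the jars in a share/java/rest-utils directory, splits each <artifact>-<version>.jar name (the naming pattern is an assumption taken from the jar names in the report), and flags any artifact whose version is below the fixed version the issue names for it. The directory it scans is a constructed temporary one containing empty files named after the 6.1.1 jars listed above; the fixed-version thresholds are copied from the issue text, not looked up in a vulnerability database.

```python
"""Flag jars in a rest-utils directory that are below the fixed versions
named in the issue. Added example; not Confluent's code."""
import os
import re
import tempfile
from pathlib import Path

# Minimum fixed versions as stated in the issue: artifact -> (version, CVE).
# Assumption: these thresholds are taken from the issue text, not from NVD.
MIN_FIXED = {
    "jetty-io": ("9.4.39", "CVE-2021-28165"),
    "jetty-server": ("9.4.39", "CVE-2021-28164"),
    "jetty-webapp": ("9.4.39", "CVE-2021-28164"),
    "jersey-common": ("2.34", "CVE-2021-28168"),
    "guava": ("30", "CVE-2020-8908"),
}

# Assumed jar naming: "<artifact>-<version>.jar". The artifact part may
# contain hyphens, so split at the first "-<digit>" boundary.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_jar_name(filename):
    """Return (artifact, version) for a jar file name, or None if it does
    not match the assumed pattern."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Turn '9.4.38.v20210224' or '28.1-jre' into a comparable tuple.
    Qualifiers ('v20210224', 'jre') are dropped; only the leading numeric
    dot-separated components take part in the comparison."""
    core = re.split(r"[-_]", version, maxsplit=1)[0]
    parts = []
    for p in core.split("."):
        if p.isdigit():
            parts.append(int(p))
        else:
            break
    return tuple(parts)


def scan_dir(directory):
    """Return (filename, artifact, version, min_fixed, cve) for every jar
    in `directory` whose artifact is in MIN_FIXED and whose version is
    below the fixed version. Jars not in MIN_FIXED are ignored."""
    findings = []
    for name in sorted(os.listdir(directory)):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact not in MIN_FIXED:
            continue
        min_fixed, cve = MIN_FIXED[artifact]
        if version_key(version) < version_key(min_fixed):
            findings.append((name, artifact, version, min_fixed, cve))
    return findings


# Constructed sample mimicking the 6.1.1 share/java/rest-utils layout from
# the issue. Empty files stand in for the real jars.
SAMPLE_6_1_1 = [
    "jetty-io-9.4.38.v20210224.jar",
    "jetty-server-9.4.38.v20210224.jar",
    "jetty-webapp-9.4.38.v20210224.jar",
    "jersey-common-2.31.jar",
    "guava-28.1-jre.jar",
    "rest-utils-6.1.1.jar",  # not in MIN_FIXED; must be ignored
]


def make_sample_dir(jar_names):
    """Create a temp directory holding empty files with the given names."""
    d = tempfile.mkdtemp(prefix="rest-utils-")
    for n in jar_names:
        Path(d, n).touch()
    return d


if __name__ == "__main__":
    # Point scan_dir at a real unpacked distribution's share/java/rest-utils
    # to check it; here it runs over the constructed sample.
    sample = make_sample_dir(SAMPLE_6_1_1)
    for name, artifact, version, min_fixed, cve in scan_dir(sample):
        print(f"{name}: {artifact} {version} < {min_fixed} ({cve})")
```

Against the sample it reports all five jars from the issue and ignores rest-utils itself. Because it compares only the numeric prefix of a version string and knows only the five thresholds hard-coded from the issue, it is a regression check for these specific findings, not a replacement for an SCA scan against the NVD affected-configuration ranges.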
@OneCricketeer

#188

@janjwerner-confluent (Member)

Pavel, thank you for raising this issue. The CVEs have been addressed. We recommend using the latest release, 6.1.7 (https://packages.confluent.io/archive/6.2/confluent-community-6.1.7.zip).
