Tools / starrocks / Security

Security Deep Dive

starrocks

Security posture and CVE patch evidence from tracked releases.

Back to Tool

6 high-severity dependency CVEs affects 4.0.10.

Review the dependency vulnerabilities below.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

14 versions tracked

Version	Published	C	H	M	L	KEV	Notes
4.0.10	2026-05-09	—	—	—	—	—	Latest Patches CVE-2017-12615 Patches CVE-2017-12617 Patches CVE-2020-1938 Patches CVE-2021-44228 Patches CVE-2021-45046 Patches CVE-2023-44487 Patches CVE-2025-24813
4.1.0	2026-04-21	4	3	—	—	KEV 7	—
4.0.9	2026-04-17	4	3	—	—	KEV 7	—
3.5.15	2026-03-30	4	3	—	—	KEV 7	—
4.0.8	2026-03-26	4	3	—	—	KEV 7	—
3.5.14	2026-03-05	4	3	—	—	KEV 7	—
4.0.6	2026-02-16	4	3	—	—	KEV 7	—
3.5.13	2026-02-13	4	3	—	—	KEV 7	—
4.0.5	2026-02-04	4	3	—	—	KEV 7	—
3.3.22	2026-01-27	4	3	—	—	KEV 7	—
3.5.12	2026-01-22	4	3	—	—	KEV 7	—
4.0.4	2026-01-16	4	3	—	—	KEV 7	—
3.4.10	2026-01-14	4	3	—	—	KEV 7	—
3.5.11	2026-01-06	4	3	—	—	KEV 7	—

— Signed — SLSA — SBOM ✓ Security policy Weekly cadence · 7d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present

Signed releases Unknown

Latest release artifact signature Latest release

—

SLSA provenance Unknown

Attestation predicate level Latest release

—

SBOM published Unknown

GitHub SBOM API Latest release

—

SECURITY.md Present

GitHub repository metadata Repository policy

Checked: 22d ago

Release cadence: weekly Present

7d median over recent releases Release history

Latest release: 25d ago

Maintainer active Present

Recent commit activity Repository

Last commit: 1d ago

Checksums (SHA256SUMS) Not active yet

SHA256SUMS or equivalent Release asset

Latest release: 25d ago

GitHub Actions attestation Not active yet

actions/attest-build-provenance Workflow file

Latest release: 25d ago

Signing assets Not active yet

.sig, .crt, cosign.pub, or similar Release asset

Latest release: 25d ago

0.5/10 Security Score

Dependency Exposure 17 transitive dependency CVEs found in the latest SBOM.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.00 / 0.5

Max EPSS 0.945

freshness

1.00 / 1.0

1d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

-1.50 / 1.5

KEV exposure detected

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 47c/143h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 1d

Operational risk

operational risk

0.0

10%

kev exposure: detected epss max: 0.945

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100

0 Transitive critical CVEs

0 KEV-transitive CVEs

61% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year

Critical High Medium Low

2026

CVE	Severity	EPSS	Disclosed	Fixed in	Days to fix	vs Ecosystem Median	KEV
CVE-2017-12615	HIGH	99%ile	—	4.0.10	—	—	KEV
CVE-2017-12617	HIGH	99%ile	—	4.0.10	—	—	KEV
CVE-2020-1938	CRITICAL	99%ile	—	4.0.10	—	—	KEV
CVE-2021-44228	CRITICAL	99%ile	—	4.0.10	—	—	KEV
CVE-2021-45046	CRITICAL	99%ile	—	4.0.10	—	—	KEV
CVE-2023-44487	HIGH	99%ile	—	4.0.10	—	—	KEV
CVE-2025-24813	CRITICAL	99%ile	—	4.0.10	—	—	KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

1804 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

High

Medium

Low

Unknown

Still affecting latest (17) All (276)

High 6 Medium 10 Low 1

CVE	Severity	KEV	Dependency	Affected version	Cleared in release
CVE-2025-55163	high	—	io.grpc:grpc-netty-shaded	1.63.0	4.0.10
CVE-2026-24400	high	—	org.assertj:assertj-core	3.18.1	4.0.10
CVE-2026-35554	high	—	org.apache.kafka:kafka-clients	3.9.1	4.0.10
CVE-2026-43869	high	—	org.apache.thrift:libthrift	0.22.0	4.0.10
CVE-2026-6321	high	—	fast-uri	3.1.0	4.0.10
CVE-2026-6322	high	—	fast-uri	3.1.0	4.0.10
CVE-2025-48924	medium	—	commons-lang:commons-lang	2.6	4.0.10
CVE-2025-48924	medium	—	org.apache.commons:commons-lang3	3.3.2	4.0.10
CVE-2025-68161	medium	—	org.apache.logging.log4j:log4j-core	2.17.1	4.0.10
CVE-2026-33558	medium	—	org.apache.kafka:kafka-clients	3.9.1	4.0.10
CVE-2026-34477	medium	—	org.apache.logging.log4j:log4j-core	2.17.1	4.0.10
CVE-2026-34478	medium	—	org.apache.logging.log4j:log4j-core	2.23.1	4.0.10
CVE-2026-34479	medium	—	org.apache.logging.log4j:log4j-1.2-api	2.19.0	4.0.10
CVE-2026-34480	medium	—	org.apache.logging.log4j:log4j-core	2.17.1	4.0.10
CVE-2026-34481	medium	—	org.apache.logging.log4j:log4j-layout-template-json	2.19.0	4.0.10
GHSA-72hv-8253-57qq	medium	—	com.fasterxml.jackson.core:jackson-core	2.15.0	4.0.10
CVE-2025-46392	low	—	commons-configuration:commons-configuration	1.6	4.0.10

Showing 17 of 276