Hrishikesh Gadre created SOLR-11207:
---------------------------------------
Summary: Add OWASP dependency checker to detect security vulnerabilities in third party libraries
Key: SOLR-11207
URL: https://issues.apache.org/jira/browse/SOLR-11207
Project: Solr
Issue Type: Task
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 6.0
Reporter: Hrishikesh Gadre
The Lucene/Solr project depends on a number of third-party libraries. Some of those
libraries contain security vulnerabilities. Upgrading to versions of those
libraries that have fixes for those vulnerabilities is a simple, critical step
we can take to improve the security of the system. But for that we need a tool
which can scan the Lucene/Solr dependencies and look up known vulnerabilities
in a security database.
I found that [OWASP
dependency-checker|https://jeremylong.github.io/DependencyCheck/dependency-check-ant/]
can be used for this purpose. It provides an Ant task which we can include in
the Lucene/Solr build. We also need to figure out how (and when) to invoke this
dependency-checker. But this can be figured out once we complete the first step
of integrating this tool with the Lucene/Solr build system.
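The following Ant fragment is an added example of what wiring the dependency-check Ant task into a build looks like; it is not code from the Solr project or from the dependency-check authors. The task name, `taskdef` resource and the `projectName`, `reportOutputDirectory`, `reportFormat`, `failBuildOnCVSS` and `suppressionFile` attributes are those documented for dependency-check-ant; the install directory, the `lib` directory being scanned, the report directory and the suppression file path are assumptions for illustration.

```xml
<project name="depcheck-example" default="dependency-check" basedir=".">
  <!-- Added example: location where the dependency-check-ant release was
       unpacked (assumed path; adjust to the local install). -->
  <property name="dependency-check.home"
            location="${user.home}/.ant/lib/dependency-check-ant"/>

  <!-- Register the <dependency-check> task from the tool's own jars. -->
  <taskdef resource="dependency-check-taskdefs.properties">
    <classpath>
      <fileset dir="${dependency-check.home}/lib" includes="*.jar"/>
    </classpath>
  </taskdef>

  <target name="dependency-check"
          description="Scan third-party jars against the NVD for known CVEs">
    <!-- failBuildOnCVSS makes the build fail when any finding has a CVSS
         score at or above the threshold (7 = high and critical only).
         suppressionFile is where reviewed false positives are recorded
         (assumed path). -->
    <dependency-check projectName="Lucene/Solr"
                      reportOutputDirectory="${basedir}/build/dependency-check"
                      reportFormat="ALL"
                      failBuildOnCVSS="7"
                      suppressionFile="${basedir}/dependency-check-suppressions.xml">
      <!-- Only third-party jars are scanned; the directory is an assumption. -->
      <fileset dir="${basedir}/lib" includes="**/*.jar"/>
    </dependency-check>
  </target>
</project>
```

Running `ant dependency-check` produces HTML and XML reports under the configured directory; the first run downloads the NVD data feed, which is why a periodic or nightly invocation is usually preferable to running it on every build. The CVSS threshold and suppression file are the two knobs that decide whether the scan is merely informational or actually gates the build.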
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)