Varun Thacker created SOLR-12617:
------------------------------------
Summary: Remove Commons BeanUtils as a dependency
Key: SOLR-12617
URL: https://issues.apache.org/jira/browse/SOLR-12617
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Varun Thacker
The BeanUtils library is a dependency in the velocity contrib module.
It is a compile-time dependency, but the velocity code that Solr uses doesn't
leverage any of this.
After removing the dependency, Solr compiles just fine and the browse handler
also loads up correctly.
While chatting with [~ehatcher] offline, he confirmed that the tests also pass
without this dependency.
The main motivation behind this is a long-standing CVE against bean-utils 1.8.3
( [https://nvd.nist.gov/vuln/detail/CVE-2014-0114#vulnCurrentDescriptionTitle]
), which to my knowledge cannot be leveraged from how we use it in Solr. But
security scans still pick it up, so if it's not being used we should simply
remove it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
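As an added example (not part of the issue or of Solr's own code), a bytecode-level check of the kind of claim made above: find the commons-beanutils jar on a classpath and confirm that no other jar's compiled classes reference the `org.apache.commons.beanutils` package. The jar names and class contents below are constructed sample data.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional
# BeanUtils package prefix in the internal form used by class-file constant pools
BEANUTILS_INTERNAL = b"org/apache/commons/beanutils/"
# Artifact naming on the classpath, e.g. commons-beanutils-1.8.3.jar
BEANUTILS_JAR = re.compile(r"(?:^|/)commons-beanutils-(\d+(?:\.\d+)*)\.jar$")

def beanutils_jar_version(path: str) -> Optional[str]:
    """Version string if `path` names a commons-beanutils jar, else None."""
    m = BEANUTILS_JAR.search(path)
    return m.group(1) if m else None

def classes_referencing_beanutils(jar_bytes: bytes) -> List[str]:
    """Names of .class entries whose bytes mention the BeanUtils package.
    Constant pools store class names as (modified) UTF-8, so a literal byte
    search finds any compile-time reference to the package."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.filename.endswith(".class") and BEANUTILS_INTERNAL in zf.read(i)]

def audit(jars: Dict[str, bytes]) -> dict:
    """jars maps jar path -> jar bytes. Reports BeanUtils jars present, which
    other jars' classes reference BeanUtils, and whether it can be dropped."""
    present = [n for n in jars if beanutils_jar_version(n)]
    users = {n: classes_referencing_beanutils(b) for n, b in jars.items()
             if not beanutils_jar_version(n)}
    users = {n: c for n, c in users.items() if c}
    return {"beanutils_jars": present, "referencing_classes": users,
            "safe_to_remove": bool(present) and not users}

def _fake_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar from name -> content (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed classpath: the BeanUtils jar, a jar that only references Velocity,
# and a hypothetical jar that does use BeanUtils (so removal would break it).
MAGIC = b"\xca\xfe\xba\xbe"  # class-file magic, enough to stand in for bytecode here
SAMPLE_JARS = {
    "lib/commons-beanutils-1.8.3.jar": _fake_jar(
        {"org/apache/commons/beanutils/BeanUtils.class": MAGIC + BEANUTILS_INTERNAL + b"BeanUtils"}),
    "lib/contrib-velocity.jar": _fake_jar(
        {"org/example/VelocityWriter.class": MAGIC + b"org/apache/velocity/app/VelocityEngine"}),
    "lib/hypothetical-user.jar": _fake_jar(
        {"com/example/Uses.class": MAGIC + BEANUTILS_INTERNAL + b"PropertyUtils"}),
}
```

A hit-free result rules out compile-time use only; reflective use from templates or configuration is not visible to this check.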