[GitHub] [solr] sonatype-lift[bot] commented on a change in pull request #349: Dependency tune-up of solr-core

GitBox Thu, 21 Oct 2021 16:21:38 -0700


sonatype-lift[bot] commented on a change in pull request #349:
URL: https://github.com/apache/solr/pull/349#discussion_r734108078




##########
File path: solr/contrib/prometheus-exporter/build.gradle
##########
@@ -22,6 +22,8 @@ description = 'Prometheus exporter for exposing metrics from 
Solr using Metrics
 
 dependencies {
   implementation project(':solr:solrj')
+  implementation 'org.slf4j:slf4j-api'
+  implementation('org.apache.zookeeper:zookeeper') { transitive = false } // 
ideally remove ZK dep

Review comment:
       *Severe OSS Vulnerability:*
   ### pkg:maven/org.apache.zookeeper/[email protected]
   0 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found 
across 1 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           
<summary><b>pkg:maven/org.apache.zookeeper/[email protected]</b></summary>
           <ul>
     <details>
       <summary><b>SEVERE Vulnerabilities (2)</b></summary><br/>
   <ul>
   <details>
               <summary>CVE-2021-28164</summary>
   
   > #### [CVE-2021-28164] In Eclipse Jetty 9.4.37.v20210219 to 
9.4.38.v20210224, the default compliance mo...
   > In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default 
compliance mode allows requests with URIs that contain %2e or %2e%2e segments 
to access protected resources within the WEB-INF directory. For example a 
request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can 
reveal sensitive information regarding the implementation of a web application.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </details>
   <details>
               <summary>CVE-2021-34429</summary>
   
   > #### [CVE-2021-34429] For Eclipse Jetty versions 9.4.37-9.4.42, 
10.0.1-10.0.5 & 11.0.1-11.0.5, URIs ca...
   > For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 &amp; 
11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the 
content of the WEB-INF directory and/or bypass some security constraints. This 
is a variation of the vulnerability reported in 
CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </details>
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with 
`help` or `ignore`)

##########
File path: solr/test-framework/build.gradle
##########
@@ -26,10 +26,17 @@ dependencies {
   api "org.apache.lucene:lucene-test-framework"
   api "org.apache.lucene:lucene-analysis-common"
 
-  api 'org.apache.logging.log4j:log4j-core'
-  api 'io.opentracing:opentracing-mock'
+  implementation('org.apache.zookeeper:zookeeper', {

Review comment:
       *Severe OSS Vulnerability:*
   ### pkg:maven/org.apache.zookeeper/[email protected]
   0 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found 
across 1 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           
<summary><b>pkg:maven/org.apache.zookeeper/[email protected]</b></summary>
           <ul>
     <details>
       <summary><b>SEVERE Vulnerabilities (2)</b></summary><br/>
   <ul>
   <details>
               <summary>CVE-2021-28164</summary>
   
   > #### [CVE-2021-28164] In Eclipse Jetty 9.4.37.v20210219 to 
9.4.38.v20210224, the default compliance mo...
   > In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default 
compliance mode allows requests with URIs that contain %2e or %2e%2e segments 
to access protected resources within the WEB-INF directory. For example a 
request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can 
reveal sensitive information regarding the implementation of a web application.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </details>
   <details>
               <summary>CVE-2021-34429</summary>
   
   > #### [CVE-2021-34429] For Eclipse Jetty versions 9.4.37-9.4.42, 
10.0.1-10.0.5 & 11.0.1-11.0.5, URIs ca...
   > For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 &amp; 
11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the 
content of the WEB-INF directory and/or bypass some security constraints. This 
is a variation of the vulnerability reported in 
CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </details>
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with 
`help` or `ignore`)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[GitHub] [solr] sonatype-lift[bot] commented on a change in pull request #349: Dependency tune-up of solr-core

Reply via email to