[
https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464722#comment-17464722
]
Shawn Heisey commented on SOLR-15855:
-------------------------------------
The test framework and its dependencies are never executed by Solr. It is only
ever executed by running tests in the source code, and when that happens, it is
the build system that does it. The build system is gradle for the main branch
that will become version 9.0.0, or ant for all versions older than that. The
test framework is included with the Solr download so it is available for users
that want to create their own tests for Solr. I'm not sure we should include
the test framework with the binary runtime download. The vast majority of
users will never utilize it and it's a source for false positives from security
scanners.

In order for htrace to be executed, Solr must be configured to use HDFS for
index storage. Most users do not do this. Solr itself will not use this jar;
it is required by the hadoop jars that Solr uses to incorporate HDFS support.
Unless you are using HDFS, I think you can delete the htrace jar.
> CVEs in shadowed dependencies
> -----------------------------
>
> Key: SOLR-15855
> URL: https://issues.apache.org/jira/browse/SOLR-15855
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.11.1
> Reporter: Chris Adams
> Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed
> dependencies in some non-core components:
> * htrace-core4 pulls in jackson-databind, and hasn't been updated in many
> years since the project shut down around 2016. This leaves around 50 critical
> CVEs — although it's not clear whether any of these are actually exploitable
> in the Solr configuration, it will generate a lot of noise for Solr users in
> security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use, but I see
> that the HBase project has a plan to replace it with a shim:
> https://issues.apache.org/jira/browse/HBASE-24802
> * The test framework pulls in junit4-ant which has an old simple-xml
> vulnerable to
> [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]:
> /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
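The reasoning in the comment above (test-framework jars are never executed by Solr; htrace is only reached through the hadoop jars, which are only exercised when a core's solrconfig.xml selects HdfsDirectoryFactory) can be applied mechanically when triaging scanner findings against an install directory. The helper below is an added example, not code from Solr or from anyone in this thread; the install layout it builds and the jar file names it uses are constructed placeholders, and `HdfsDirectoryFactory` is assumed to be the marker for HDFS index storage in solrconfig.xml.

```shell
#!/bin/sh
# Scanner-finding triage helper for a Solr install directory (added example).
# Labels: unused-at-runtime   -> dist/test-framework/*, never loaded by Solr
#         unused-unless-hdfs  -> htrace, only needed when HDFS storage is configured
#         runtime             -> everything else, treat findings as real

# Does any solrconfig.xml under the install root $1 select the HDFS factory?
uses_hdfs() {
    find "$1" -name solrconfig.xml -exec grep -l 'HdfsDirectoryFactory' {} + 2>/dev/null \
        | grep -q .
}

# Print the triage label for one jar. $1 = install root, $2 = absolute jar path.
classify_jar() {
    rel=${2#"$1"/}
    case "$rel" in
        dist/test-framework/*) echo unused-at-runtime ;;
        *htrace-core4*)
            if uses_hdfs "$1"; then echo runtime; else echo unused-unless-hdfs; fi ;;
        *) echo runtime ;;
    esac
}

# Walk the install and emit "<label>\t<jar>" for every jar found.
triage_install() {
    find "$1" -name '*.jar' | sort | while read -r jar; do
        printf '%s\t%s\n' "$(classify_jar "$1" "$jar")" "$jar"
    done
}

# Build a constructed sample install under $1 (illustrative layout and names,
# not a real Solr distribution) so the script can be exercised offline.
make_sample_install() {
    mkdir -p "$1/dist/test-framework/lib" "$1/server/lib" "$1/server/solr/core1/conf"
    : > "$1/dist/test-framework/lib/junit4-ant-2.7.2.jar"
    : > "$1/server/lib/htrace-core4-CONSTRUCTED.jar"
    : > "$1/server/lib/solr-core-CONSTRUCTED.jar"
    printf '<directoryFactory class="solr.NRTCachingDirectoryFactory"/>\n' \
        > "$1/server/solr/core1/conf/solrconfig.xml"
}

# Run with --demo to triage the constructed sample; otherwise pass a real root
# to triage_install from another script.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d); make_sample_install "$root"; triage_install "$root"; rm -rf "$root"
fi
```

Switching the sample solrconfig.xml to `solr.HdfsDirectoryFactory` moves the htrace jar to `runtime`, which is exactly the case where its findings should stay on the list.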