sonatype-lift[bot] commented on code in PR #945: URL: https://github.com/apache/solr/pull/945#discussion_r922465868
########## solr/solrj/core/build.gradle: ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +apply plugin: 'java-library' + +description = 'SolrJ - Solr Java Client - Core' + +dependencies { + // Spotbugs Annotations are only needed for old findbugs + // annotation usage like in Zookeeper during compilation time. + // It is not included in the release so exclude from checks. + compileOnly 'com.github.spotbugs:spotbugs-annotations' + permitUnusedDeclared 'com.github.spotbugs:spotbugs-annotations' + // Exclude these from jar validation and license checks. + configurations.jarValidation { + exclude group: "com.github.spotbugs", module: "spotbugs-annotations" + } + + implementation 'org.slf4j:slf4j-api' + runtimeOnly 'org.slf4j:jcl-over-slf4j' + + implementation 'org.apache.commons:commons-math3' + + api 'org.eclipse.jetty.http2:http2-client' + implementation 'org.eclipse.jetty.http2:http2-http-client-transport' Review Comment: *Moderate Vulnerability:* ### pkg:maven/org.eclipse.jetty.http2/[email protected] 0 Critical, 0 Severe, 2 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.eclipse.jetty/[email protected]</b></summary> <ul> <details> <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2022-2047] CWE-20: Improper Input Validation > In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. > > **CVSS Score:** 2.7 > > **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N > > **CWE:** CWE-20 </ul> </details> </ul> </details> <details> <summary><b>pkg:maven/org.eclipse.jetty/[email protected]</b></summary> <ul> <details> <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2022-2047] CWE-20: Improper Input Validation > In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. > > **CVSS Score:** 2.7 > > **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N > > **CWE:** CWE-20 </ul> </details> </ul> </details> </ul> </details> Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=298878570&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=298878570&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878570&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878570&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=298878570&lift_comment_rating=5) ] ########## solr/solrj/core/build.gradle: ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +apply plugin: 'java-library' + +description = 'SolrJ - Solr Java Client - Core' + +dependencies { + // Spotbugs Annotations are only needed for old findbugs + // annotation usage like in Zookeeper during compilation time. + // It is not included in the release so exclude from checks. + compileOnly 'com.github.spotbugs:spotbugs-annotations' + permitUnusedDeclared 'com.github.spotbugs:spotbugs-annotations' + // Exclude these from jar validation and license checks. + configurations.jarValidation { + exclude group: "com.github.spotbugs", module: "spotbugs-annotations" + } + + implementation 'org.slf4j:slf4j-api' + runtimeOnly 'org.slf4j:jcl-over-slf4j' + + implementation 'org.apache.commons:commons-math3' + + api 'org.eclipse.jetty.http2:http2-client' + implementation 'org.eclipse.jetty.http2:http2-http-client-transport' + implementation 'org.eclipse.jetty:jetty-http' + implementation 'org.eclipse.jetty:jetty-client' Review Comment: *Moderate Vulnerability:* ### pkg:maven/org.eclipse.jetty/[email protected] 0 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.eclipse.jetty/[email protected]</b></summary> <ul> <details> <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2022-2047] CWE-20: Improper Input Validation > In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. > > **CVSS Score:** 2.7 > > **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N > > **CWE:** CWE-20 </ul> </details> </ul> </details> </ul> </details> Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=298878572&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=298878572&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878572&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878572&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=298878572&lift_comment_rating=5) ] ########## solr/solrj/core/build.gradle: ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +apply plugin: 'java-library' + +description = 'SolrJ - Solr Java Client - Core' + +dependencies { + // Spotbugs Annotations are only needed for old findbugs + // annotation usage like in Zookeeper during compilation time. + // It is not included in the release so exclude from checks. + compileOnly 'com.github.spotbugs:spotbugs-annotations' + permitUnusedDeclared 'com.github.spotbugs:spotbugs-annotations' + // Exclude these from jar validation and license checks. + configurations.jarValidation { + exclude group: "com.github.spotbugs", module: "spotbugs-annotations" + } + + implementation 'org.slf4j:slf4j-api' + runtimeOnly 'org.slf4j:jcl-over-slf4j' + + implementation 'org.apache.commons:commons-math3' + + api 'org.eclipse.jetty.http2:http2-client' Review Comment: *Moderate Vulnerability:* ### pkg:maven/org.eclipse.jetty.http2/[email protected] 0 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.eclipse.jetty/[email protected]</b></summary> <ul> <details> <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2022-2047] CWE-20: Improper Input Validation > In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. > > **CVSS Score:** 2.7 > > **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N > > **CWE:** CWE-20 </ul> </details> </ul> </details> </ul> </details> Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=298878569&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=298878569&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878569&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878569&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=298878569&lift_comment_rating=5) ] ########## solr/solrj/core/build.gradle: ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +apply plugin: 'java-library' + +description = 'SolrJ - Solr Java Client - Core' + +dependencies { + // Spotbugs Annotations are only needed for old findbugs + // annotation usage like in Zookeeper during compilation time. + // It is not included in the release so exclude from checks. + compileOnly 'com.github.spotbugs:spotbugs-annotations' + permitUnusedDeclared 'com.github.spotbugs:spotbugs-annotations' + // Exclude these from jar validation and license checks. + configurations.jarValidation { + exclude group: "com.github.spotbugs", module: "spotbugs-annotations" + } + + implementation 'org.slf4j:slf4j-api' + runtimeOnly 'org.slf4j:jcl-over-slf4j' + + implementation 'org.apache.commons:commons-math3' + + api 'org.eclipse.jetty.http2:http2-client' + implementation 'org.eclipse.jetty.http2:http2-http-client-transport' + implementation 'org.eclipse.jetty:jetty-http' Review Comment: *Moderate Vulnerability:* ### pkg:maven/org.eclipse.jetty/[email protected] 0 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.eclipse.jetty/[email protected]</b></summary> <ul> <details> <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2022-2047] CWE-20: Improper Input Validation > In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. > > **CVSS Score:** 2.7 > > **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N > > **CWE:** CWE-20 </ul> </details> </ul> </details> </ul> </details> Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=298878571&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=298878571&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878571&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=298878571&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=298878571&lift_comment_rating=5) ] -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
