[ 
https://issues.apache.org/jira/browse/SOLR-16993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jan Høydahl resolved SOLR-16993.
--------------------------------
    Resolution: Information Provided

Hi. We upgrade libs continuously. Many upgrades scheduled for 9.4 already, see 
e.g. https://github.com/apache/solr/commits?author=solrbot . There are also 
several proposed for upgrade here: https://github.com/apache/solr/pulls/solrbot

If you have a particular vulnerable library that you are concerned about, that 
is not scheduled for the 9.4 release, feel free to open a Jira and/or Pull 
Request for that particular upgrade.

I'm closing this as there is no action to take, and the project does not accept 
raw trivy scan outputs as a "bug", see https://solr.apache.org/security.html

> Update libraries in solr 8.11.2 and 9.3.0
> -----------------------------------------
>
>                 Key: SOLR-16993
>                 URL: https://issues.apache.org/jira/browse/SOLR-16993
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Rafael Rios Saavedra
>            Priority: Major
>
> Hi,
>   When running the trivy scanner on the container images of solr:8.11.2 and 
> 9.3.0 it reports that several libs should be updated because they are 
> affected by CVEs.
> - solr:8.11.2 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167
> - solr:9.3.0 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167, 
> CVE-2023-42503
> {code}
> $ trivy image --vuln-type library solr:8.11.2
> 2023-09-22T14:05:26.132Z        INFO    Vulnerability scanning is enabled
> 2023-09-22T14:05:26.132Z        INFO    Secret scanning is enabled
> 2023-09-22T14:05:26.132Z        INFO    If your scanning is slow, please try 
> '--scanners vuln' to disable secret scanning
> 2023-09-22T14:05:26.132Z        INFO    Please see also 
> https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation
>  for faster secret detection
> 2023-09-22T14:05:28.409Z        INFO    JAR files found
> 2023-09-22T14:05:28.409Z        INFO    Analyzing JAR files takes a while...
> 2023-09-22T14:05:31.030Z        INFO    Number of language-specific files: 1
> 2023-09-22T14:05:31.031Z        INFO    Detecting jar vulnerabilities...
> 2023-09-22T14:05:31.035Z        WARN    maven constraint error 
> ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
>         * improper constraint: [10.5-alpha0,10.5.3.0_1]
>         * improper requirements: []
> 2023-09-22T14:05:31.043Z        INFO    Table result includes only package 
> filenames. Use '--format json' option to get the full path to the package 
> file.
> Java (jar)
> ...
> list of CVEs and libs here (too long to post it here)
> ...
> {code}
> {code}
> $ trivy image --vuln-type library solr:9.3.0
> 2023-09-22T14:04:36.572Z        INFO    Vulnerability scanning is enabled
> 2023-09-22T14:04:36.572Z        INFO    Secret scanning is enabled
> 2023-09-22T14:04:36.572Z        INFO    If your scanning is slow, please try 
> '--scanners vuln' to disable secret scanning
> 2023-09-22T14:04:36.572Z        INFO    Please see also 
> https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation
>  for faster secret detection
> 2023-09-22T14:04:38.763Z        INFO    JAR files found
> 2023-09-22T14:04:38.764Z        INFO    Analyzing JAR files takes a while...
> 2023-09-22T14:04:43.393Z        INFO    Number of language-specific files: 1
> 2023-09-22T14:04:43.393Z        INFO    Detecting jar vulnerabilities...
> 2023-09-22T14:04:43.404Z        INFO    Table result includes only package 
> filenames. Use '--format json' option to get the full path to the package 
> file.
> Java (jar)
> ...
> list of CVEs and libs here (too long to post it here)
> ...
> {code}
> Could it be possible to upgrade those components?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
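The maintainer's reply asks for a targeted Jira or pull request per vulnerable library rather than a raw trivy table, and the trivy log itself notes that `--format json` is the way to get full package paths. The following added example (not code from the ticket or from the Solr project) shows one way to turn a trivy JSON report into that per-library upgrade list: it groups findings by package, and where trivy lists several fixed versions it picks the smallest fix in the installed major line, so the request names one concrete version bump per jar. The report embedded below is constructed: the package names, paths and versions are made up, the CVE ids are the ones named in the ticket, and the `Results[].Vulnerabilities[]` field names follow trivy's schema version 2 JSON output.

```python
"""Triage a trivy JSON report into one upgrade line per vulnerable library."""
import json

# Constructed sample in the shape of `trivy image --format json` output
# (SchemaVersion 2). Package names, paths and versions are made up; the
# CVE ids are the ones the ticket mentions. The last entry is a placeholder
# finding with no FixedVersion, to show how an unfixable item is reported.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "solr:9.3.0",
    "Results": [{
        "Target": "Java", "Class": "lang-pkgs", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-33201", "PkgName": "org.example:lib-a",
             "PkgPath": "opt/solr/server/lib/lib-a-1.70.jar",
             "InstalledVersion": "1.70", "FixedVersion": "1.74", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-36479", "PkgName": "org.example:lib-b",
             "PkgPath": "opt/solr/server/lib/lib-b-10.0.15.jar",
             "InstalledVersion": "10.0.15",
             "FixedVersion": "9.4.52, 10.0.16, 11.0.16", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-40167", "PkgName": "org.example:lib-b",
             "PkgPath": "opt/solr/server/lib/lib-b-10.0.15.jar",
             "InstalledVersion": "10.0.15",
             "FixedVersion": "9.4.52, 10.0.16, 11.0.16", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-42503", "PkgName": "org.example:lib-c",
             "PkgPath": "opt/solr/server/lib/lib-c-1.23.0.jar",
             "InstalledVersion": "1.23.0", "FixedVersion": "1.24.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "PLACEHOLDER-NO-FIX", "PkgName": "org.example:lib-d",
             "PkgPath": "opt/solr/server/lib/lib-d-2.0.jar",
             "InstalledVersion": "2.0", "Severity": "LOW"},
        ],
    }],
})


def parse_version(version):
    """Turn '10.0.16' into (10, 0, 16); non-numeric components count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def pick_fix(installed, fixed_field):
    """Choose the target version from trivy's comma-separated FixedVersion.

    Prefer the smallest fixed version that is >= installed and shares the
    installed major; otherwise the smallest fixed version >= installed;
    None when trivy lists no fix at all.
    """
    if not fixed_field:
        return None
    inst = parse_version(installed)
    candidates = [c.strip() for c in fixed_field.split(",") if c.strip()]
    newer = [c for c in candidates if parse_version(c) >= inst]
    same_major = [c for c in newer if parse_version(c)[:1] == inst[:1]]
    pool = same_major or newer
    return min(pool, key=parse_version) if pool else None


def triage(report_json):
    """Group findings by package: installed version, chosen target, CVE ids, path."""
    data = json.loads(report_json)
    packages = {}
    for result in data.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            entry = packages.setdefault(vuln["PkgName"], {
                "installed": vuln["InstalledVersion"],
                "path": vuln.get("PkgPath"), "target": None, "cves": []})
            entry["cves"].append(vuln["VulnerabilityID"])
            fix = pick_fix(vuln["InstalledVersion"], vuln.get("FixedVersion", ""))
            # Several CVEs against one jar may need different fixes; keep the highest.
            if fix and (entry["target"] is None
                        or parse_version(fix) > parse_version(entry["target"])):
                entry["target"] = fix
    return packages


def upgrade_lines(packages):
    """Render one 'pkg installed -> target (cves)' line per library, sorted by name."""
    lines = []
    for pkg in sorted(packages):
        entry = packages[pkg]
        target = entry["target"] or "no fixed version published"
        cves = ", ".join(sorted(set(entry["cves"])))
        lines.append(f"{pkg} {entry['installed']} -> {target} ({cves})")
    return lines


if __name__ == "__main__":
    for line in upgrade_lines(triage(SAMPLE_REPORT)):
        print(line)
```

Running it on a real report (`trivy image --format json solr:9.3.0 > report.json`, then `triage(open("report.json").read())`) gives the list a reporter can paste into a targeted upgrade ticket; a library with no published fix is listed separately so it is not silently dropped from the request.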