[ https://issues.apache.org/jira/browse/SOLR-11207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16696201#comment-16696201 ]

Andy Hind commented on SOLR-11207:
----------------------------------

Is there still interest in adding this improvement? It was pretty straightforward 
to add the ant task. The tool has support to record vulnerabilities 
that do not affect the product (false positives). Expect a patch shortly ... 
Should we split this into SOLR and Lucene?

> Add OWASP dependency checker to detect security vulnerabilities in third 
> party libraries
> ----------------------------------------------------------------------------------------
>
>                 Key: SOLR-11207
>                 URL: https://issues.apache.org/jira/browse/SOLR-11207
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Build
>    Affects Versions: 6.0
>            Reporter: Hrishikesh Gadre
>            Priority: Major
>
> Lucene/Solr project depends on a number of third party libraries. Some of those 
> libraries contain security vulnerabilities. Upgrading to versions of those 
> libraries that have fixes for those vulnerabilities is a simple, critical 
> step we can take to improve the security of the system. But for that we need 
> a tool which can scan the Lucene/Solr dependencies and look up the security 
> database for known vulnerabilities.
> I found that [OWASP 
> dependency-checker|https://jeremylong.github.io/DependencyCheck/dependency-check-ant/]
> can be used for this purpose. It provides an ant task which we can include in 
> the Lucene/Solr build. We also need to figure out how (and when) to invoke 
> this dependency-checker. But this can be figured out once we complete the 
> first step of integrating this tool with the Lucene/Solr build system.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
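As an added illustration of the integration discussed in this thread (not the patch from SOLR-11207 and not project code), a minimal Ant wiring of the dependency-check task together with the suppression file used to record reviewed false positives. The tool's install path, the `lib/` layout, the CVSS threshold, the `org.example` coordinates and the `CVE-XXXX-NNNNN` identifier are assumed placeholders; the task and suppression element names are those documented for dependency-check-ant.

```xml
<!-- build.xml fragment (added example; paths and threshold are assumptions) -->
<project name="solr-dependency-check" default="check-deps">
  <!-- Assumed location of the unpacked dependency-check-ant distribution -->
  <property name="dependency-check.home" value="${basedir}/tools/dependency-check-ant"/>
  <property name="dependency-check.report" value="${basedir}/build/dependency-check"/>

  <!-- Load the task definitions shipped with dependency-check-ant -->
  <taskdef resource="dependency-check-taskdefs.properties">
    <classpath>
      <fileset dir="${dependency-check.home}/lib" includes="*.jar"/>
    </classpath>
  </taskdef>

  <target name="check-deps" description="Scan third-party jars for known CVEs">
    <mkdir dir="${dependency-check.report}"/>
    <!-- failBuildOnCVSS fails the build when any finding reaches the
         given CVSS score; 7 (High) is an assumed starting threshold.
         suppressionFile points at the reviewed false positives below. -->
    <dependency-check projectName="Lucene/Solr"
                      reportOutputDirectory="${dependency-check.report}"
                      reportFormat="ALL"
                      failBuildOnCVSS="7"
                      suppressionFile="${basedir}/dependency-check-suppressions.xml">
      <!-- Assumed layout: all third-party jars live under lib/ -->
      <fileset dir="${basedir}/lib" includes="**/*.jar"/>
    </dependency-check>
  </target>
</project>

<!-- dependency-check-suppressions.xml (separate file; shown here for reference).
     Every entry carries a note with the reason so the decision is auditable
     and can be revisited when the dependency or the advisory changes. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      Placeholder rationale: the vulnerable code path is in a feature we do not
      bundle or expose. Reviewed by: <name>, date: <date>, ticket: <issue id>.
    ]]></notes>
    <!-- Match by Maven coordinates (group:artifact:version), regex allowed;
         org.example:example-lib is an assumed placeholder -->
    <gav regex="true">^org\.example:example-lib:.*$</gav>
    <!-- Suppress only this one advisory, not every finding for the artifact -->
    <cve>CVE-XXXX-NNNNN</cve>
  </suppress>
</suppressions>
```

Scoping each suppression to a single CVE and a specific artifact pattern keeps new advisories against the same jar from being silently hidden.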
