[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16569714#comment-16569714 ]

ASF subversion and git services commented on SOLR-12617:

Commit 0b59b0ed1da4919a7ccd87dd2cbac1148ea64ff9 in lucene-solr's branch refs/heads/jira/http2 from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=0b59b0e ]

SOLR-12617: remove beanutils license and notice files

> Remove Commons BeanUtils as a dependency
>
> Key: SOLR-12617
> URL: https://issues.apache.org/jira/browse/SOLR-12617
> Project: Solr
> Issue Type: Improvement
> Security Level: Public (Default Security Level. Issues are Public)
> Reporter: Varun Thacker
> Priority: Major
> Fix For: master (8.0), 7.5
> Attachments: SOLR-12617.patch
>
> The BeanUtils library is a dependency in the velocity contrib module.
> It is a compile time dependency but the velocity code that Solr uses doesn't
> leverage any of this.
> After removing the dependency Solr compiles just fine and the browse handler
> also loads up correctly.
> While chatting to [~ehatcher] offline he confirmed that the tests also pass
> without this dependency.
> The main motivation behind this is a long standing CVE against bean-utils
> 1.8.3 ([https://nvd.nist.gov/vuln/detail/CVE-2014-0114#vulnCurrentDescriptionTitle])
> which to my knowledge cannot be leveraged from how we use it in Solr. But
> security scans still pick it up so if it's not being used we should simply
> remove it.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16569713#comment-16569713 ]

ASF subversion and git services commented on SOLR-12617:

Commit e3cdb395a4009f118900397c8a2086620b436455 in lucene-solr's branch refs/heads/jira/http2 from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=e3cdb39 ]

SOLR-12617: Remove Commons BeanUtils as a dependency
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568734#comment-16568734 ]

ASF subversion and git services commented on SOLR-12617:

Commit 79feed97088c736ecd546f8b59c8425c659579af in lucene-solr's branch refs/heads/branch_7x from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=79feed9 ]

SOLR-12617: remove beanutils license and notice files

(cherry picked from commit 0b59b0e)
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568733#comment-16568733 ]

ASF subversion and git services commented on SOLR-12617:

Commit 0b59b0ed1da4919a7ccd87dd2cbac1148ea64ff9 in lucene-solr's branch refs/heads/master from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=0b59b0e ]

SOLR-12617: remove beanutils license and notice files
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568726#comment-16568726 ]

Varun Thacker commented on SOLR-12617:

It should. I'll commit a fix right away. I thought {{ant jar-checksums}} would have removed the necessary files. Maybe it was the wrong ant target
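The gap discussed in the two messages around this point (license and notice files left behind once the dependency's jar checksum is gone) can be caught with a small check. This is an added example, not code from the thread or from the Lucene/Solr build; the single-directory layout and file naming it relies on (`<artifact>-<version>.jar.sha1`, `<artifact>-LICENSE-<type>.txt`, `<artifact>-NOTICE.txt`), the function name, and the `example-*` files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list LICENSE/NOTICE files that no remaining jar checksum accounts for.
# Assumed layout (not stated in the thread): one directory holding
#   <artifact>-<version>.jar.sha1, <artifact>-LICENSE-<type>.txt, <artifact>-NOTICE.txt

orphaned_license_files() {
    dir=$1
    for f in "$dir"/*-LICENSE-*.txt "$dir"/*-NOTICE.txt; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=${f##*/}
        case $name in
            *-LICENSE-*) prefix=${name%-LICENSE-*} ;;
            *)           prefix=${name%-NOTICE.txt} ;;
        esac
        # A license file is still needed if any checksum file starts with its
        # prefix; one license may cover several jars (example-core, example-util).
        live=no
        for sha in "$dir/$prefix"-*.jar.sha1; do
            if [ -e "$sha" ]; then
                live=yes
                break
            fi
        done
        if [ "$live" = no ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample tree: the beanutils checksum has been removed but its
# license and notice files are still present.
demo=$(mktemp -d)
touch "$demo/example-core-1.0.jar.sha1" \
      "$demo/example-util-1.0.jar.sha1" \
      "$demo/example-LICENSE-ASL.txt" \
      "$demo/example-NOTICE.txt" \
      "$demo/commons-beanutils-LICENSE-ASL.txt" \
      "$demo/commons-beanutils-NOTICE.txt"
orphaned_license_files "$demo"
rm -rf "$demo"
```

Run against a real checkout, an empty result means every license and notice file still has a jar checksum behind it; any name printed is a candidate for removal in the same commit as the dependency.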
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568723#comment-16568723 ]

David Smiley commented on SOLR-12617:

Shouldn't the license & notice file be removed too?
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568502#comment-16568502 ]

ASF subversion and git services commented on SOLR-12617:

Commit 61db4ab8acc33c0cb8a649629a5e67405bea in lucene-solr's branch refs/heads/branch_7x from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=61db4ab ]

SOLR-12617: Remove Commons BeanUtils as a dependency

(cherry picked from commit e3cdb39)
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568482#comment-16568482 ]

ASF subversion and git services commented on SOLR-12617:

Commit e3cdb395a4009f118900397c8a2086620b436455 in lucene-solr's branch refs/heads/master from [~varunthacker]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=e3cdb39 ]

SOLR-12617: Remove Commons BeanUtils as a dependency
[jira] [Commented] (SOLR-12617) Remove Commons BeanUtils as a dependency
[ https://issues.apache.org/jira/browse/SOLR-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16567760#comment-16567760 ]

Varun Thacker commented on SOLR-12617:

After the patch, [http://localhost:8983/solr/techproducts/browse] works just fine. If there are no objections I'll commit this tomorrow