Hi,
Add this to the file tika-parent/pom.xml, after the H2 segment below
(the new stuff starts with the CVE-2023-39913 line), and keep 3.4.1.
    <!-- used only in tests and in tika-eval, and this problem
         requires the use of the console.
         https://github.com/h2database/h2database/issues/1294 -->
    <exclude>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>2.2.224</version>
    </exclude>
    <!-- CVE-2023-39913: Uima is used because ctakes is used in the
         natural language process module. Serialization is only on
         data that is configured in tika-config.xml. We don't think
         we'd be vulnerable to crafted user input. -->
    <coordinate>
      <groupId>org.apache.uima</groupId>
      <artifactId>uimaj-core</artifactId>
      <version>3.4.1</version>
    </coordinate>
Tilman
On 27.11.2023 13:58, Simone Gabbriellini wrote:
Hello,
I am trying to build Tika 2.9.1 on my Ubuntu 18.04 and I received this
error:
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project tika-parser-nlp-module: Detected 1
vulnerable components:
[ERROR] org.apache.uima:uimaj-core:jar:3.4.1:provided;
https://ossindex.sonatype.org/component/pkg:maven/org.apache.uima/uimaj-core@3.4.1?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2023-39913] CWE-20: Improper Input Validation (8.8);
https://ossindex.sonatype.org/vulnerability/CVE-2023-39913?component-type=maven&component-name=org.apache.uima%2Fuimaj-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
[ERROR] Excluded coordinates:
[ERROR] - xerces:xercesImpl:2.12.2
I have however updated uimaj to version 3.5.0, but it looks like `mvn
clean install` is not picking that up and keeps reporting that error,
so I am wondering if I need to make another update to some config file
or something… Idk, should I remove uimaj 3.4.1 from my system?
I am now installing using `mvn clean install -Dossindex.skip`,
but wanted to be sure that the new uimaj 3.5.0 version will be linked
properly…
Thank you,
Simone