Hi folks,
like many others we're using tools to detect known security
vulnerabilities in used software, and the table with false positives at
the SolrSecurity Confluence page is really helpful [1].
However, it seems at least the information about Guava is a bit
outdated. It states Guava is "only used in tests", so I wondered why
it's included in the production classpath. Turns out, Guava is used in
many production classes, for example in solr-core TimeRoutedAlias class [2].
I think it's still correct that there's no security issue wrt Guava in
Solr 8.11.1. Scanners only report low severity CVE-2020-8908 [3], which
would only apply if Guava's com.google.common.io.Files.createTempDir()
was used - but that method isn't used.
This wrong statement "only used in tests" leaves me a bit puzzled. I'm
wondering if I can trust the rest of that page. It would be great if the
table could be updated, at least for Guava.
Best,
Andreas
ps: I hope it's okay to write this to the users list. Please tell me if
I should rather use the security list for feedback on documented false
positives.
[1] https://cwiki.apache.org/confluence/display/solr/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
[2] https://github.com/apache/lucene-solr/blob/releases/lucene-solr/8.11.1/solr/core/src/java/org/apache/solr/cloud/api/collections/TimeRoutedAlias.java#L45
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
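The post's argument is that CVE-2020-8908 only matters if `com.google.common.io.Files.createTempDir()` is actually referenced from the production classpath. The script below is an added example (not from the post or the Solr project) of how a defender can check that claim against a set of jars instead of trusting a wiki table: it looks for the owning class name and the method name as UTF-8 constant-pool strings inside each `.class` entry. A real call site must carry both strings, so no hits across the classpath means the vulnerable API cannot be invoked from that code; a hit only means "review this class", since a class that uses another `Files` method and happens to define its own `createTempDir` would also match. The sample jar is constructed in-memory so the example runs offline.

```python
"""Coarse check for references to Guava's Files.createTempDir() (the API
behind CVE-2020-8908) in application jars.

Added example, not code from the mailing-list post or from Apache Solr.
It searches the raw bytes of each .class entry for the Guava class name
and method name; real class files carry these as constant-pool UTF-8
strings, so any call site must contain both.
"""
import io
import sys
import zipfile

GUAVA_FILES_CLASS = b"com/google/common/io/Files"
VULN_METHOD = b"createTempDir"
# Guava's own classes define the method; skip them so the guava jar
# itself does not register as a "user" of the API.
GUAVA_PACKAGE_PREFIX = "com/google/common/"


def scan_jar_bytes(jar_bytes: bytes) -> list:
    """Return names of .class entries that mention both the Guava Files
    class and the createTempDir method name (candidate call sites)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".class") or name.startswith(GUAVA_PACKAGE_PREFIX):
                continue
            data = zf.read(info)
            if GUAVA_FILES_CLASS in data and VULN_METHOD in data:
                hits.append(name)
    return hits


def scan_jar_paths(paths) -> dict:
    """Scan jars on disk; returns {jar path: [class entries]} for jars with hits."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            hits = scan_jar_bytes(fh.read())
        if hits:
            report[path] = hits
    return report


def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry name: bytes} (helper for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample jar. The payloads stand in for class files: a real
# .class would carry these names in its constant pool, here they are
# embedded directly after the 0xCAFEBABE magic so the check runs offline.
SAMPLE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    # Uses Guava collections only: harmless with respect to CVE-2020-8908.
    "org/example/UsesLists.class":
        b"\xca\xfe\xba\xbe" + b"com/google/common/collect/Lists" + b"newArrayList",
    # Uses Files.toByteArray only: still not the vulnerable method.
    "org/example/ReadsFile.class":
        b"\xca\xfe\xba\xbe" + b"com/google/common/io/Files" + b"toByteArray",
    # Candidate call site of the vulnerable API: should be reported.
    "org/example/MakesTempDir.class":
        b"\xca\xfe\xba\xbe" + b"com/google/common/io/Files" + b"createTempDir",
    # Guava's own Files class defines the method; must be skipped.
    "com/google/common/io/Files.class":
        b"\xca\xfe\xba\xbe" + b"com/google/common/io/Files" + b"createTempDir",
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_guava_tempdir.py server/solr-webapp/webapp/WEB-INF/lib/*.jar
        for jar, classes in scan_jar_paths(sys.argv[1:]).items():
            print(f"{jar}: {', '.join(classes)}")
    else:
        print("sample jar hits:", scan_jar_bytes(SAMPLE_JAR))
```

Run it over the jars in a deployed Solr `WEB-INF/lib` directory; an empty report supports the post's conclusion that the CVE is a false positive for that deployment, while any reported class is worth opening in `javap -c` to confirm whether the call is really to Guava's method.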