On 2019/01/04 18:27:42 Gus Heck wrote:
> Hi Bob,
>
> Wrt licensing keep in mind that multi-licensed software allows you to
> choose which license you are using the software under. Also there's some
> good detail on the Apache policy here:
>
> https://www.apache.org/legal/resolved.html#what-can-we-not-include-in-an-asf-project-category-x
>
> One has to be careful with license scanners, often they have very
> conservative settings. I had to spend untold hours getting jfrog's license
> plugin to select the correct license and hunting down missing licenses when
> I finally sorted out licensing for JesterJ. (though MANY fewer hours than
> if I had done this by hand!)
>
> On Fri, Jan 4, 2019, 11:17 AM Bob Hathaway <[email protected]> wrote:
>
> > The most important feature of any software running today is that it can be
> > run at all. Security vulnerabilities can preclude software from running in
> > enterprise environments. Today software must be free of critical and severe
> > security vulnerabilities or they can't be run at all from Information
> > Security policies. Enterprises today run security scan software to check
> > for security and licensing vulnerabilities because today most organizations
> > are using open source software where this has become most relevant.
> > Forrester has a good summary on the need for software composition analysis
> > tools which virtually all enterprises run today before allowing software to
> > run in production environments:
> >
> > https://www.blackducksoftware.com/sites/default/files/images/Downloads/Reports/USA/ForresterWave-Rpt.pdf
> >
> > Solr version 6.5 passes security scans showing no critical security
> > issues. Solr version 7 fails security scans with over a dozen critical and
> > severe security vulnerabilities for Solr versions from 7.1. Then we ran
> > scans against the latest Solr version 7.6 which failed as well. Most of
> > the issues are due to using old libraries including the JSON Jackson
> > framework, dom4j and Xerces and should be easy to bring up to date. Only
> > the latest version of SimpleXML has severe security vulnerabilities. Derby
> > leads the most severe security violations at Level 9.1 by using an out of
> > date version.
> >
> > What good is software or any features if enterprises can't run them?
> > Today software cybersecurity is a top priority and risk for enterprises.
> > Solr version 6.5 is very old exposing the zookeeper backend from the SolrJ
> > client which is a differentiating capability.
> >
> > Is security and remediation a priority for SolrJ? I believe this should be
> > a top feature to allow SolrJ to continue providing search features to
> > enterprises and a security roadmap and plan to keep Solr secure and usable
> > by continually adapting and improving in the ever changing security
> > landscape and ecosystem. The Derby vulnerability issue CVE-2015-1832 was a
> > passing medium Level 6.2 issue in CVSS 2.0 last year but is the most
> > critical issue with Solr 7.6 at Level 9.1 in this year's CVSS 3.0. These
> > changes need to be tracked and updates and fixes incorporated into new Solr
> > versions.
> > https://nvd.nist.gov/vuln/detail/CVE-2015-1832
> >
> > On Thu, Jan 3, 2019 at 12:19 PM Bob Hathaway <[email protected]> wrote:
> >
> > > Critical and Severe security vulnerabilities against Solr v7.1. Many of
> > > these appear to be from old open source framework versions.
> > >
> > > *9*
> > > CVE-2017-7525       com.fasterxml.jackson.core : jackson-databind : 2.5.4   Open
> > > CVE-2016-1000031    commons-fileupload : commons-fileupload : 1.3.2         Open
> > > CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                     Open
> > > CVE-2017-7525       org.codehaus.jackson : jackson-mapper-asl : 1.9.13      Open
> > > CVE-2017-7657       org.eclipse.jetty : jetty-http : 9.3.20.v20170531       Open
> > > CVE-2017-7658       org.eclipse.jetty : jetty-http : 9.3.20.v20170531       Open
> > > CVE-2017-1000190    org.simpleframework : simple-xml : 2.7.1                Open
> > >
> > > *7*
> > > sonatype-2016-0397  com.fasterxml.jackson.core : jackson-core : 2.5.4       Open
> > > sonatype-2017-0355  com.fasterxml.jackson.core : jackson-core : 2.5.4       Open
> > > CVE-2014-0114       commons-beanutils : commons-beanutils : 1.8.3           Open
> > > CVE-2018-1000632    dom4j : dom4j : 1.6.1                                   Open
> > > CVE-2018-8009       org.apache.hadoop : hadoop-common : 2.7.4               Open
> > > CVE-2017-12626      org.apache.poi : poi : 3.17-beta1                       Open
> > > CVE-2017-12626      org.apache.poi : poi-scratchpad : 3.17-beta1            Open
> > > CVE-2018-1308       org.apache.solr : solr-dataimporthandler : 7.1.0        Open
> > > CVE-2016-4434       org.apache.tika : tika-core : 1.16                      Open
> > > CVE-2018-11761      org.apache.tika : tika-core : 1.16                      Open
> > > CVE-2016-1000338    org.bouncycastle : bcprov-jdk15 : 1.45                  Open
> > > CVE-2016-1000343    org.bouncycastle : bcprov-jdk15 : 1.45                  Open
> > > CVE-2018-1000180    org.bouncycastle : bcprov-jdk15 : 1.45                  Open
> > > CVE-2017-7656       org.eclipse.jetty : jetty-http : 9.3.20.v20170531       Open
> > > CVE-2012-0881       xerces : xercesImpl : 2.9.1                             Open
> > > CVE-2013-4002       xerces : xercesImpl : 2.9.1                             Open
> > >
> > > On Thu, Jan 3, 2019 at 12:15 PM Bob Hathaway <[email protected]> wrote:
> > >
> > >> We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of
> > >> critical and severe security issues and dozens of licensing issues. The
> > >> critical security violations using Sonatype are inline and are indexed
> > >> with codes from the National Vulnerability Database.
> > >>
> > >> Are there recommended steps for running Solr 7 in secure enterprises,
> > >> specifically infosec remediation over Sonatype Application Composition
> > >> Reports?
> > >>
> > >> Are there plans to make Solr more secure in v7 or v8?
> > >>
> > >> I'm new to the Solr User forum and suggestions are welcome.
> > >>
> > >>
> > >> Sonatype Application Composition Reports
> > >> Of Solr - 7.6.0, Build Scanned On Thu Jan 03 2019 at 14:49:49
> > >> Using Scanner 1.56.0-01
> > >>
> > >> Security Issues
> > >>
> > >> Threat Level  Problem Code        Component                                              Status
> > >> 9             CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                    Open
> > >>               CVE-2017-7525       org.codehaus.jackson : jackson-mapper-asl : 1.9.13     Open
> > >>               CVE-2017-1000190    org.simpleframework : simple-xml : 2.7.1               Open
> > >> 8             CVE-2018-14718      com.fasterxml.jackson.core : jackson-databind : 2.9.6  Open
> > >>               CVE-2018-14719      com.fasterxml.jackson.core : jackson-databind : 2.9.6  Open
> > >>               sonatype-2017-0312  com.fasterxml.jackson.core : jackson-databind : 2.9.6  Open
> > >> 7             CVE-2018-14720      com.fasterxml.jackson.core : jackson-databind : 2.9.6  Open
> > >>               CVE-2018-14721      com.fasterxml.jackson.core : jackson-databind : 2.9.6  Open
> > >>               CVE-2018-1000632    dom4j : dom4j : 1.6.1                                  Open
> > >>               CVE-2018-8009       org.apache.hadoop : hadoop-common : 2.7.4              Open
> > >>               CVE-2012-0881       xerces : xercesImpl : 2.9.1                            Open
> > >>               CVE-2013-4002       xerces : xercesImpl : 2.9.1                            Open
> > >>
> > >>
> > >> License Analysis
> > >>
> > >> License Threat                                        Component                                                      Status
> > >> MPL-1.1, GPL-2.0+ or LGPL-2.1+ or MPL-1.1             com.googlecode.juniversalchardet : juniversalchardet : 1.0.3   Open
> > >> Apache-2.0, AFL-2.1 or GPL-2.0+                       org.ccil.cowan.tagsoup : tagsoup : 1.2.1                       Open
> > >> Not Declared, Not Supported                           d3 2.9.6                                                       Open
> > >> BSD-3-Clause, Adobe                                   com.adobe.xmp : xmpcore : 5.1.3                                Open
> > >> Apache-2.0, No Source License                         com.cybozu.labs : langdetect : 1.1-20120112                    Open
> > >> Apache-2.0, No Source License                         com.fasterxml.jackson.core : jackson-annotations : 2.9.6       Open
> > >> Apache-2.0, No Source License                         com.fasterxml.jackson.core : jackson-core : 2.9.6              Open
> > >> Apache-2.0, No Source License                         com.fasterxml.jackson.core : jackson-databind : 2.9.6          Open
> > >> Apache-2.0, No Source License                         com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6  Open
> > >> Apache-2.0, EPL-1.0, MIT                              com.googlecode.mp4parser : isoparser : 1.1.22                  Open
> > >> Not Provided, No Source License                       com.ibm.icu : icu4j : 62.1                                     Open
> > >> Apache-2.0, LGPL-3.0+                                 com.pff : java-libpst : 0.8.1                                  Open
> > >> Apache-2.0, No Source License                         com.rometools : rome-utils : 1.5.1                             Open
> > >> CDDL-1.1 or GPL-2.0-CPE                               com.sun.mail : gimap : 1.5.1                                   Open
> > >> CDDL-1.1 or GPL-2.0-CPE                               com.sun.mail : javax.mail : 1.5.1                              Open
> > >> Not Declared, Apache-1.1, Sun-IP                      dom4j : dom4j : 1.6.1                                          Open
> > >> MIT, No Source License                                info.ganglia.gmetric4j : gmetric4j : 1.0.7                     Open
> > >> Apache-2.0, No Source License                         io.dropwizard.metrics : metrics-ganglia : 3.2.6                Open
> > >> Apache-2.0, No Source License                         io.dropwizard.metrics : metrics-graphite : 3.2.6               Open
> > >> Apache-2.0, No Source License                         io.dropwizard.metrics : metrics-jetty9 : 3.2.6                 Open
> > >> Apache-2.0, No Source License                         io.dropwizard.metrics : metrics-jvm : 3.2.6                    Open
> > >> Apache-2.0, No Source License                         io.prometheus : simpleclient_common : 0.2.0                    Open
> > >> Apache-2.0, No Source License                         io.prometheus : simpleclient_httpserver : 0.2.0                Open
> > >> CDDL-1.0, CDDL-1.1 or GPL-2.0-CPE                     javax.activation : activation : 1.1.1                          Open
> > >> CDDL-1.0 or GPL-2.0-CPE, Apache-2.0, CDDL-1.1 or GPL-2.0-CPE  javax.servlet
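Added example, not from the thread and not Solr's or Sonatype's own code: a small Python parser for the "Threat Level / Problem Code / Component / Status" rows quoted above, which reports the worst open finding per component and diffs two scans the way the 7.1 and 7.6 reports in the thread would be compared. The sample rows are a constructed subset of the quoted reports, and treating threat level 7 and above as "severe" is an assumption.

```python
"""Parse Sonatype-style "Threat Level / Problem Code / Component / Status" rows
and compare two scans.  Sample rows are constructed from the quoted reports."""
import re
from collections import defaultdict

ROW = re.compile(r"^(?:(\d+)\s+)?(\S+)\s+(.+?)\s+(Open|Closed|Waived)$")

# Constructed subsets of the quoted Solr 7.1 and 7.6 findings.
SOLR_7_1 = """
9 CVE-2017-7525 com.fasterxml.jackson.core : jackson-databind : 2.5.4 Open
CVE-2015-1832 org.apache.derby : derby : 10.9.1.0 Open
7 CVE-2018-1000632 dom4j : dom4j : 1.6.1 Open
CVE-2012-0881 xerces : xercesImpl : 2.9.1 Open
"""
SOLR_7_6 = """
9 CVE-2015-1832 org.apache.derby : derby : 10.9.1.0 Open
8 CVE-2018-14718 com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
CVE-2018-14719 com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
7 CVE-2018-1000632 dom4j : dom4j : 1.6.1 Open
CVE-2012-0881 xerces : xercesImpl : 2.9.1 Open
"""

def parse_report(text):
    """Map (problem code, component) -> threat level; a row without a leading
    level inherits the previous row's, matching the report's grouped layout."""
    findings, level = {}, 0
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headings, blank lines, image placeholders
        if m.group(1):
            level = int(m.group(1))
        findings[(m.group(2), " ".join(m.group(3).split()))] = level
    return findings

def component_summary(findings, severe_at=7):
    """Worst level and finding count per component at or above the policy
    threshold (treating 7+ as 'severe' is an assumption, not a Sonatype rule)."""
    worst, count = {}, defaultdict(int)
    for (_, comp), level in findings.items():
        worst[comp] = max(worst.get(comp, 0), level)
        count[comp] += 1
    return {c: (lvl, count[c]) for c, lvl in worst.items() if lvl >= severe_at}

def scan_delta(old, new):
    """Findings resolved, introduced and still open between two scans; version is
    part of the key, so an upgrade can show as both 'resolved' and 'new'."""
    o, n = set(old), set(new)
    return {"resolved": sorted(o - n), "new": sorted(n - o), "open": sorted(o & n)}
```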
