Posted to users@solr.apache.org by Andreas Hubold <an...@coremedia.com.INVALID> on 2022/05/24 08:02:14 UTC
SolrSecurity Confluence page about Guava usage
Hi folks,
Like many others we're using tools to detect known security
vulnerabilities in used software, and the table with false positives at
the SolrSecurity Confluence page is really helpful [1].
However, it seems at least the information about Guava is a bit
outdated. It states Guava is "only used in tests", so I wondered why
it's included in the production classpath. Turns out, Guava is used in
many production classes, for example in solr-core TimeRoutedAlias class [2].
I think it's still correct that there's no security issue wrt Guava in
Solr 8.11.1. Scanners only report low severity CVE-2020-8908 [3], which
would only apply if Guava's com.google.common.io.Files.createTempDir()
was used - but that method isn't used.
This wrong statement "only used in tests" leaves me a bit puzzled. I'm
wondering if I can trust the rest of that page. It would be great if the
table could be updated, at least for Guava.
Best,
Andreas
ps: I hope it's okay to write this to the users list. Please tell me if
I should rather use the security list for feedback on documented false
positives.
[1] https://cwiki.apache.org/confluence/display/solr/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
[2] https://github.com/apache/lucene-solr/blob/releases/lucene-solr/8.11.1/solr/core/src/java/org/apache/solr/cloud/api/collections/TimeRoutedAlias.java#L45
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
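The post's argument is that CVE-2020-8908 only matters if some class on the production classpath actually calls `com.google.common.io.Files.createTempDir()`. Instead of trusting a wiki table, a reviewer can verify that kind of claim directly against the shipped jars by reading each class file's constant pool and looking for `Methodref` entries naming the risky method. The following is an added example, not code from the post, from Solr or from Guava; it parses the JVM class-file constant pool, scans a jar for callers of a configurable target method, and exercises itself on two constructed, hypothetical class files (`org/example/TempDirUser` and `org/example/SafeGuavaUser`) packed into an in-memory jar. Running it against a real Solr distribution only needs `open(path, "rb").read()` in place of the constructed jar.

```python
import io
import struct
import zipfile

# Method the page names as the precondition for CVE-2020-8908:
# the finding is only reachable if code calls Guava's Files.createTempDir().
TARGET_METHODS = {("com/google/common/io/Files", "createTempDir")}


def _read_constant_pool(data):
    """Parse a JVM class file's constant pool into a 1-based list of entries."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)  # bytes 4-7 are minor/major version
    pool = [None] * count
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = ("Utf8", data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (7, 8, 16, 19, 20):                # Class, String, MethodType, Module, Package
            (idx,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = (tag, idx)
        elif tag in (9, 10, 11, 12, 17, 18):           # Field/Method/InterfaceMethodref, NameAndType, (Invoke)Dynamic
            a, b = struct.unpack_from(">HH", data, pos)
            pos += 4
            pool[i] = (tag, a, b)
        elif tag in (3, 4):                            # Integer, Float
            pos += 4
            pool[i] = (tag,)
        elif tag in (5, 6):                            # Long, Double occupy two slots
            pos += 8
            pool[i] = (tag,)
            i += 1
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            pos += 3
            pool[i] = (tag,)
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def method_refs(class_bytes):
    """Return the set of (owner_class, method_name) a class file references via Methodref."""
    pool = _read_constant_pool(class_bytes)
    refs = set()
    for entry in pool:
        if entry is None or entry[0] not in (10, 11):
            continue
        _, class_idx, nat_idx = entry
        owner = pool[pool[class_idx][1]][1]         # Class -> Utf8 name
        method = pool[pool[nat_idx][1]][1]          # NameAndType -> Utf8 method name
        refs.add((owner, method))
    return refs


def scan_jar(jar_bytes, targets=TARGET_METHODS):
    """Map each .class entry that calls a target method to the matching (owner, method) pairs."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                found = method_refs(zf.read(name)) & set(targets)
                if found:
                    hits[name] = found
    return hits


def build_class(this_name, calls):
    """Constructed sample input: a minimal class file whose constant pool holds Methodrefs for `calls`."""
    pool = []

    def add(raw):
        pool.append(raw)
        return len(pool)                            # constant pool indices are 1-based

    def utf8(s):
        b = s.encode()
        return add(b"\x01" + struct.pack(">H", len(b)) + b)

    def klass(name):
        return add(b"\x07" + struct.pack(">H", utf8(name)))

    this_cls, super_cls = klass(this_name), klass("java/lang/Object")
    for owner, method, descriptor in calls:
        owner_idx = klass(owner)
        nat = add(b"\x0c" + struct.pack(">HH", utf8(method), utf8(descriptor)))
        add(b"\x0a" + struct.pack(">HH", owner_idx, nat))
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0021, this_cls, super_cls, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


def build_jar(classes):
    """Constructed sample input: pack {entry_name: class_bytes} into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in classes.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


# Hypothetical classes: one calls the risky method, one only uses an unrelated Guava API.
SAMPLE_JAR = build_jar({
    "org/example/TempDirUser.class": build_class(
        "org/example/TempDirUser",
        [("com/google/common/io/Files", "createTempDir", "()Ljava/io/File;")]),
    "org/example/SafeGuavaUser.class": build_class(
        "org/example/SafeGuavaUser",
        [("com/google/common/collect/ImmutableList", "of", "()Lcom/google/common/collect/ImmutableList;")]),
})

if __name__ == "__main__":
    for cls, refs in scan_jar(SAMPLE_JAR).items():
        print(cls, "calls", ", ".join(f"{o}.{m}" for o, m in sorted(refs)))
```

The check is static and conservative: it reports only direct `Methodref` entries, so a call made through reflection or a `MethodHandle` lookup would not appear, and a hit in a class that is never loaded at runtime is still worth a look rather than proof of exposure. Run over every jar in a Solr distribution, an empty result is the evidence that backs a "method isn't used" entry in a false-positive table.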