Posted to users@solr.apache.org by Andreas Hubold <an...@coremedia.com.INVALID> on 2022/05/24 08:02:14 UTC

SolrSecurity Confluence page about Guava usage

Hi folks,

like many others we're using tools to detect known security 
vulnerabilities in used software, and the table with false positives at
the SolrSecurity Confluence page is really helpful [1].

However, it seems at least the information about Guava is a bit 
outdated. It states Guava is "only used in tests", so I wondered why 
it's included in the production classpath. Turns out, Guava is used in 
many production classes, for example in solr-core TimeRoutedAlias class [2].

I think it's still correct that there's no security issue wrt Guava in 
Solr 8.11.1. Scanners only report low severity CVE-2020-8908 [3], which 
would only apply if Guava's com.google.common.io.Files.createTempDir() 
was used - but that method isn't used.

This wrong statement "only used in tests" leaves me a bit puzzled. I'm 
wondering if I can trust the rest of that page. It would be great if the 
table could be updated, at least for Guava.

Best,
Andreas

ps: I hope it's okay to write this to the users list. Please tell me if 
I should rather use the security list for feedback on documented false 
positives.

[1] https://cwiki.apache.org/confluence/display/solr/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
[2] https://github.com/apache/lucene-solr/blob/releases/lucene-solr/8.11.1/solr/core/src/java/org/apache/solr/cloud/api/collections/TimeRoutedAlias.java#L45
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-8908
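The mail's argument for CVE-2020-8908 being a false positive is that nothing on the classpath calls com.google.common.io.Files.createTempDir(). The following added example (not code from the mail, from Solr or from Guava) is one way to check such a claim yourself instead of trusting a wiki table: it parses the constant pool of every .class file inside a jar and lists the classes whose Methodref/InterfaceMethodref entries point at a given owner class and method name. The function names (method_refs, find_callers, demo) are this example's own, and the class file and jar it runs on are constructed in memory so it works offline; on real input you pass (label, path) pairs for the jars on the classpath.

```python
"""Added example (not code from the mail, Solr or Guava): parse the constant
pool of every .class in a jar and report classes that reference a given
method, e.g. Guava's Files.createTempDir behind CVE-2020-8908. A clean result
is static evidence only: reflective or non-JVM callers are not seen."""
import io
import struct
import zipfile
from typing import Iterable, List, Set, Tuple

MethodRef = Tuple[str, str, str]  # (owner class, method name, descriptor)

# Payload size per constant-pool tag (JVMS 4.4). Utf8 (tag 1) is variable
# length and handled separately; Long (5) and Double (6) take two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def method_refs(class_bytes: bytes) -> Set[MethodRef]:
    """Return every (owner, name, descriptor) method reference in a class file."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]
    pool: list = [None] * count  # slot 0 is unused by the spec
    pos, i = 10, 1
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            ln = struct.unpack_from(">H", class_bytes, pos)[0]
            pool[i] = class_bytes[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        elif tag in _FIXED:
            pool[i] = (tag, class_bytes[pos:pos + _FIXED[tag]])
            pos += _FIXED[tag]
            if tag in (5, 6):  # Long/Double consume an extra slot
                i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at {pos - 1}")
        i += 1
    refs: Set[MethodRef] = set()
    for entry in pool:
        if isinstance(entry, tuple) and entry[0] in (10, 11):  # (Interface)Methodref
            cls_idx, nat_idx = struct.unpack(">HH", entry[1])
            owner = pool[struct.unpack(">H", pool[cls_idx][1])[0]]
            name_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            refs.add((owner, pool[name_idx], pool[desc_idx]))
    return refs


def find_callers(jars: Iterable[Tuple[str, object]], owner: str,
                 method: str) -> List[Tuple[str, str]]:
    """Scan (label, path-or-file-object) jars; return sorted (label, class)
    pairs whose constant pool references owner.method."""
    hits = []
    for label, src in jars:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if not name.endswith(".class"):
                    continue
                for ref_owner, ref_name, _ in method_refs(zf.read(name)):
                    if ref_owner == owner and ref_name == method:
                        hits.append((label, name))
                        break
    return sorted(hits)


def build_sample_class(call_create_temp_dir: bool) -> bytes:
    """Constructed minimal class file (not real Solr code) whose pool does or
    does not contain a Methodref to com/google/common/io/Files.createTempDir."""
    def utf8(s: str) -> bytes:
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    entries = [utf8("Sample"), b"\x07" + struct.pack(">H", 1)]  # 1 Utf8, 2 Class
    if call_create_temp_dir:
        entries += [
            utf8("com/google/common/io/Files"),  # 3 Utf8
            b"\x07" + struct.pack(">H", 3),      # 4 Class -> 3
            utf8("createTempDir"),               # 5 Utf8
            utf8("()Ljava/io/File;"),            # 6 Utf8
            b"\x0c" + struct.pack(">HH", 5, 6),  # 7 NameAndType -> 5, 6
            b"\x0a" + struct.pack(">HH", 4, 7),  # 8 Methodref -> 4, 7
        ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(entries) + 1)
    # access_flags, this_class, super_class, then empty interface/field/
    # method/attribute tables (enough for constant-pool parsing)
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0)
    return header + b"".join(entries) + trailer


def sample_jar(call_create_temp_dir: bool) -> io.BytesIO:
    """Constructed in-memory jar holding one sample class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.class", build_sample_class(call_create_temp_dir))
    buf.seek(0)
    return buf


def demo() -> List[Tuple[str, str]]:
    """Run the check over one clean and one calling jar (both constructed)."""
    jars = [("clean.jar", sample_jar(False)), ("caller.jar", sample_jar(True))]
    return find_callers(jars, "com/google/common/io/Files", "createTempDir")
```

demo() returns [('caller.jar', 'Sample.class')]: the jar whose class carries the Methodref is reported, the clean one is not. Because every class in every jar is walked, callers inside dependency jars show up too, not just the application's own classes. What the check cannot see is a call made via reflection, from a script engine, or from a jar nested inside another jar, so an empty result supports the "method isn't used" argument but does not prove it.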