[ https://issues.apache.org/jira/browse/SOLR-9459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464052#comment-17464052 ]

David Smiley commented on SOLR-9459:
------------------------------------

I'm sympathetic to your frustration Uwe; I share it. I keep telling people that Solr isn't vulnerable and I don't think they care; they just see a JAR that has been declared vulnerable by their scanner. And I can't fault the scanner; it's just a tool that can't have insights into usage of dependencies the way us humans do.

Industry wide, there appears to be a missing ability for projects to declare false-positive CVEs on their transitive dependencies – basically a machine readable version [of our table in the wiki|https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools]. And then of course scanners would have to adopt it for it to be useful. I'm skeptical scanner vendors would be motivated to adopt it (one of [~ctargett]'s insights). Definite chicken & egg problem.

> Upgrade dependencies
> --------------------
>
>                 Key: SOLR-9459
>                 URL: https://issues.apache.org/jira/browse/SOLR-9459
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Petar Tahchiev
>            Priority: Major
>         Attachments: commons-lang3.patch
>
>
> Hello,
> my project has more than 400 dependencies and I'm trying to ban the usage of
> {{commons-collections}} and {{commons-lang}} in favor of
> {{org.apache.commons:commons-collection4}} and
> {{org.apache.commons:commons-lang3}}. Unfortunately out of the 400
> dependencies *only* solr is still using the old {{collections}} and {{lang}}
> dependencies which are more than 6 years old.
> Is there a specific reason for that?
> Can you please update to the latest
> versions:
> http://repo1.maven.org/maven2/org/apache/commons/commons-lang3/
> http://repo1.maven.org/maven2/org/apache/commons/commons-collections4/
> http://repo1.maven.org/maven2/org/apache/commons/commons-configuration2/
> http://repo1.maven.org/maven2/org/apache/commons/commons-io/

--
This message was sent by Atlassian Jira
(v8.20.1#820001)