[ https://issues.apache.org/jira/browse/SOLR-16993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rafael Rios Saavedra updated SOLR-16993:
----------------------------------------
    Summary: Update libraries in solr 8.11.2 and 9.3.0  (was: Update components in solr 8.11.2 and 9.3.0)

> Update libraries in solr 8.11.2 and 9.3.0
> -----------------------------------------
>
>                 Key: SOLR-16993
>                 URL: https://issues.apache.org/jira/browse/SOLR-16993
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Rafael Rios Saavedra
>            Priority: Major
>
> Hi,
> When running trivy scanner on the container images of solr:8.11.2 and
> 9.3.0 it reports that several libs should be updated because they are
> affected by CVEs.
> - solr:8.11.2 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167
> - solr:9.3.0 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167,
> CVE-2023-42503
> {code}
> $ trivy image --vuln-type library solr:8.11.2
> 2023-09-22T14:05:26.132Z INFO Vulnerability scanning is enabled
> 2023-09-22T14:05:26.132Z INFO Secret scanning is enabled
> 2023-09-22T14:05:26.132Z INFO If your scanning is slow, please try
> '--scanners vuln' to disable secret scanning
> 2023-09-22T14:05:26.132Z INFO Please see also
> https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation
> for faster secret detection
> 2023-09-22T14:05:28.409Z INFO JAR files found
> 2023-09-22T14:05:28.409Z INFO Analyzing JAR files takes a while...
> 2023-09-22T14:05:31.030Z INFO Number of language-specific files: 1
> 2023-09-22T14:05:31.031Z INFO Detecting jar vulnerabilities...
> 2023-09-22T14:05:31.035Z WARN maven constraint error
> ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
> * improper constraint: [10.5-alpha0,10.5.3.0_1]
> * improper requirements: []
> 2023-09-22T14:05:31.043Z INFO Table result includes only package
> filenames. Use '--format json' option to get the full path to the package
> file.
> Java (jar)
> ...
> list of CVEs and libs here (too long to post it here)
> ...
> {code}
> {code}
> $ trivy image --vuln-type library solr:9.3.0
> 2023-09-22T14:04:36.572Z INFO Vulnerability scanning is enabled
> 2023-09-22T14:04:36.572Z INFO Secret scanning is enabled
> 2023-09-22T14:04:36.572Z INFO If your scanning is slow, please try
> '--scanners vuln' to disable secret scanning
> 2023-09-22T14:04:36.572Z INFO Please see also
> https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation
> for faster secret detection
> 2023-09-22T14:04:38.763Z INFO JAR files found
> 2023-09-22T14:04:38.764Z INFO Analyzing JAR files takes a while...
> 2023-09-22T14:04:43.393Z INFO Number of language-specific files: 1
> 2023-09-22T14:04:43.393Z INFO Detecting jar vulnerabilities...
> 2023-09-22T14:04:43.404Z INFO Table result includes only package
> filenames. Use '--format json' option to get the full path to the package
> file.
> Java (jar)
> ...
> list of CVEs and libs here (too long to post it here)
> ...
> {code}
> Could it be possible to upgrade those components?