Rafael Rios Saavedra created SOLR-16993:
-------------------------------------------

             Summary: Update components in solr 8.11.2 and 9.3.0
                 Key: SOLR-16993
                 URL: https://issues.apache.org/jira/browse/SOLR-16993
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Rafael Rios Saavedra


Hi,
  When running the trivy scanner on the container images of solr:8.11.2 and 9.3.0, 
it reports that several libs should be updated because they are affected by 
CVEs.

- solr:8.11.2 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167
- solr:9.3.0 CVEs: CVE-2023-33201, CVE-2023-36479, CVE-2023-40167, CVE-2023-42503

{code}
$ trivy image --vuln-type library solr:8.11.2
2023-09-22T14:05:26.132Z        INFO    Vulnerability scanning is enabled
2023-09-22T14:05:26.132Z        INFO    Secret scanning is enabled
2023-09-22T14:05:26.132Z        INFO    If your scanning is slow, please try 
'--scanners vuln' to disable secret scanning
2023-09-22T14:05:26.132Z        INFO    Please see also 
https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation 
for faster secret detection
2023-09-22T14:05:28.409Z        INFO    JAR files found
2023-09-22T14:05:28.409Z        INFO    Analyzing JAR files takes a while...
2023-09-22T14:05:31.030Z        INFO    Number of language-specific files: 1
2023-09-22T14:05:31.031Z        INFO    Detecting jar vulnerabilities...
2023-09-22T14:05:31.035Z        WARN    maven constraint error 
([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
        * improper constraint: [10.5-alpha0,10.5.3.0_1]
        * improper requirements: []


2023-09-22T14:05:31.043Z        INFO    Table result includes only package 
filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

...
list of CVEs and libs here (too long to post it here)
...
{code}

{code}
$ trivy image --vuln-type library solr:9.3.0
2023-09-22T14:04:36.572Z        INFO    Vulnerability scanning is enabled
2023-09-22T14:04:36.572Z        INFO    Secret scanning is enabled
2023-09-22T14:04:36.572Z        INFO    If your scanning is slow, please try 
'--scanners vuln' to disable secret scanning
2023-09-22T14:04:36.572Z        INFO    Please see also 
https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation 
for faster secret detection
2023-09-22T14:04:38.763Z        INFO    JAR files found
2023-09-22T14:04:38.764Z        INFO    Analyzing JAR files takes a while...
2023-09-22T14:04:43.393Z        INFO    Number of language-specific files: 1
2023-09-22T14:04:43.393Z        INFO    Detecting jar vulnerabilities...
2023-09-22T14:04:43.404Z        INFO    Table result includes only package 
filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

...
list of CVEs and libs here (too long to post it here)
...
{code}

Could it be possible to upgrade those components?



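To act on a report like this, a maintainer needs the jar behind each CVE, which is what the `--format json` option mentioned in the trivy output provides. The following is an added example, not code from the issue or from the Solr project: a small Python helper that reads trivy JSON and maps the CVE IDs quoted above to package, installed version, fixed version and jar path, and also lists which quoted CVEs the JSON does not actually confirm. The JSON keys (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `PkgPath`, `InstalledVersion`, `FixedVersion`) are trivy's as assumed here, and the embedded report is constructed with placeholder package names and paths.

```python
"""Map trivy JSON findings to the CVE IDs quoted in the Solr issue."""
import json

# CVE IDs taken from the issue text for the two images.
REPORTED_CVES = {
    "solr:8.11.2": {"CVE-2023-33201", "CVE-2023-36479", "CVE-2023-40167"},
    "solr:9.3.0": {"CVE-2023-33201", "CVE-2023-36479", "CVE-2023-40167",
                   "CVE-2023-42503"},
}

# Constructed, trivy-shaped JSON (not real scanner output). Package names,
# versions and paths are placeholders; only the CVE IDs come from the issue.
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "solr:9.3.0",
    "Results": [{
        "Target": "Java", "Class": "lang-pkgs", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-33201", "PkgName": "example-lib-a",
             "PkgPath": "opt/solr-9.3.0/server/lib/example-lib-a-1.0.jar",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-42503", "PkgName": "example-lib-b",
             "PkgPath": "opt/solr-9.3.0/server/lib/example-lib-b-2.0.jar",
             "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-lib-c",
             "PkgPath": "opt/solr-9.3.0/server/lib/example-lib-c-3.0.jar",
             "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "LOW"},
        ],
    }],
})


def findings_by_cve(report_json, wanted_cves):
    """Return {cve: [(pkg, installed, fixed_or_None, jar_path), ...]}, wanted CVEs only."""
    hits = {}
    for result in json.loads(report_json).get("Results", []):
        # trivy emits null (not []) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            cve = vuln.get("VulnerabilityID")
            if cve in wanted_cves:
                hits.setdefault(cve, []).append((
                    vuln.get("PkgName"), vuln.get("InstalledVersion"),
                    vuln.get("FixedVersion") or None,  # "" means no fix published yet
                    vuln.get("PkgPath")))
    return hits


def unconfirmed_cves(report_json, wanted_cves):
    """CVEs quoted in the issue that the JSON report does not actually contain."""
    return sorted(set(wanted_cves) - set(findings_by_cve(report_json, wanted_cves)))
```

On a real run, feed it the file produced by `trivy image --format json -o report.json solr:9.3.0`; a CVE with `FixedVersion` empty means an upgrade alone cannot clear it yet.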