Task
Resolution: Fixed
Solr was added to the nightly CVE scan on Jenkins:
https://jenkins.magnolia-cms.com/job/internal/job/nightly-cve-scan/job/master/ (job "CVE scanning for solr-search-provider/release/6.1").
The latest build reports findings that need to be investigated:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:check (default-cli) on project magnolia-solr-search-provider:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
[ERROR]
Suggestion:
commons-compress: can be updated to 1.24, following https://commons.apache.org/proper/commons-compress/security.html
jetty-io + http2-client: can be updated to 9.4.52.v20230823, following https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823
snappy-java: can be updated to the 1.1.10.4 release, following https://nvd.nist.gov/vuln/detail/CVE-2023-43642
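To make the triage repeatable for future nightly runs, here is an added helper (not part of this ticket or the Magnolia code base) that parses the "[ERROR] <jar>: CVE(score)" lines dependency-check prints, compares each flagged jar against the fix versions suggested above, and marks findings at or above an assumed CVSS 7.0 gate, mirroring a failBuildOnCVSS-style threshold. The sample input is the scan output quoted in this ticket.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dependency-check lines quoted in this ticket.
SCAN_OUTPUT = """\
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
[ERROR]
"""

# Fix versions taken from the ticket's suggestion section (artifact -> version).
FIX_VERSIONS = {
    "commons-compress": "1.24",
    "http2-client": "9.4.52.v20230823",
    "jetty-io": "9.4.52.v20230823",
    "snappy-java": "1.1.10.4",
}

# "[ERROR] <artifact>-<version>.jar: CVE-...(score), ..."; the version starts at the first "-<digit>".
LINE_RE = re.compile(r"^\[ERROR\] (?P<artifact>.+?)-(?P<version>\d[^:]*)\.jar: (?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")

@dataclass
class Finding:
    artifact: str
    version: str
    cves: dict  # CVE id -> CVSS score as reported by dependency-check

def parse_report(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and bare "[ERROR]" lines carry no finding
        cves = {cve: float(score) for cve, score in CVE_RE.findall(m["cves"])}
        findings.append(Finding(m["artifact"], m["version"], cves))
    return findings

def version_key(v: str) -> tuple:
    # Numeric-aware ordering: "9.4.52.v20230823" -> (9, 4, 52, 20230823)
    return tuple(int(part.lstrip("v")) for part in v.split("."))

def triage(findings: list, fail_cvss: float = 7.0) -> list:
    """Return (artifact, current, suggested_fix_or_None, above_gate) per finding."""
    rows = []
    for f in findings:
        fix = FIX_VERSIONS.get(f.artifact)
        outdated = fix is not None and version_key(f.version) < version_key(fix)
        rows.append((f.artifact, f.version, fix if outdated else None, max(f.cves.values()) >= fail_cvss))
    return rows
```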
Acceptance criteria
1. Implement | Closed | Anh Vu
2. Review | Closed | Oanh Thai Hoang
3. piQA | Closed | Oanh Thai Hoang
4. QA | Closed | Chuong Doan Huy