[MGNLEESOLR-219] CVE reports discovered by nightly CVE scan
Created: 28/Sep/23 | Updated: 23/Oct/23 | Resolved: 11/Oct/23

| Status: | Closed |
| Project: | Solr Search Provider |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.1.7 |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Oanh Thai Hoang |
| Assignee: | Anh Vu |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | security |
| Σ Remaining Estimate: | 0d |
| Remaining Estimate: | 0d |
| Σ Time Spent: | 4d 2.75h |
| Time Spent: | 3d 6.75h |
| Σ Original Estimate: | Not Specified |
| Original Estimate: | Not Specified |
| Sub-Tasks: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Epic Link: | DevX Bucket |
| Sprint: | DevX 48 |
| Story Points: | 2 |
| Team: | |
| Work Started: | |
| Approved: | Yes |

| Description |
Solr was added to the nightly CVE scan on Jenkins (https://jenkins.magnolia-cms.com/job/internal/job/nightly-cve-scan/job/master/, job "CVE scanning for solr-search-provider/release/6.1"). The latest build contains reports that need to be investigated:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:check (default-cli) on project magnolia-solr-search-provider:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
[ERROR]
Suggestion:
commons-compress: can be updated to 1.24, following https://commons.apache.org/proper/commons-compress/security.html
jetty-io + http2-client: can be updated to 9.4.52.v20230823, following https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823
snappy-java: can be updated to the 1.1.10.4 release, following https://nvd.nist.gov/vuln/detail/CVE-2023-43642
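The scan report above is plain Maven log text, so triaging it by hand means reading each jar line and picking out the worst score. As an added example that is not part of this ticket or of dependency-check itself, the following Python parses those "[ERROR] <jar>: CVE(score), ..." lines into structured findings, reports the worst CVSS per jar and the distinct CVEs, and returns the jars that breach a chosen threshold; the sample input is constructed from the lines in this ticket.

```python
"""Parse dependency-check-maven '[ERROR]' findings and gate them on CVSS."""
import re
from dataclasses import dataclass

# Constructed sample: the [ERROR] lines reported in this ticket's nightly build.
SCAN_OUTPUT = """\
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
"""

# A finding line: "[ERROR] <artifact>.jar: <comma-separated CVE(score) list>"
FINDING_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
# One "CVE-YYYY-NNNN(score)" token inside the list
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")


@dataclass(frozen=True)
class Finding:
    jar: str
    cve: str
    cvss: float


def parse_findings(output: str) -> list[Finding]:
    """Turn the log text into one Finding per (jar, CVE) pair; other lines are ignored."""
    findings: list[Finding] = []
    for line in output.splitlines():
        match = FINDING_RE.match(line.strip())
        if not match:
            continue  # banner lines, blank "[ERROR]" lines, goal-failure lines
        for cve, score in CVE_RE.findall(match.group("cves")):
            findings.append(Finding(match.group("jar"), cve, float(score)))
    return findings


def worst_per_jar(findings: list[Finding]) -> dict[str, float]:
    """Highest CVSS score seen for each jar, which is what drives upgrade priority."""
    worst: dict[str, float] = {}
    for f in findings:
        worst[f.jar] = max(worst.get(f.jar, 0.0), f.cvss)
    return worst


def distinct_cves(findings: list[Finding]) -> set[str]:
    """Unique CVE ids; jetty-io and http2-client share the same three in this report."""
    return {f.cve for f in findings}


def jars_above(findings: list[Finding], threshold: float) -> list[str]:
    """Sorted jars with at least one finding scoring >= threshold (the build gate)."""
    return sorted({f.jar for f in findings if f.cvss >= threshold})


if __name__ == "__main__":
    parsed = parse_findings(SCAN_OUTPUT)
    for jar, score in sorted(worst_per_jar(parsed).items()):
        print(f"{jar}: worst CVSS {score}")
    print("gate (>= 7.0):", jars_above(parsed, 7.0))
```

Running it lists the worst score per jar and flags only snappy-java-1.1.10.1.jar at the 7.0 gate; the same gating is available inside the plugin through its failBuildOnCVSS setting, which is the more robust place to enforce it.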