[MGNLEESOLR-219] CVE reports discovered by nightly cve scan Created: 28/Sep/23  Updated: 23/Oct/23  Resolved: 11/Oct/23

Status: Closed
Project: Solr Search Provider
Component/s: None
Affects Version/s: None
Fix Version/s: 6.1.7

Type: Task Priority: Neutral
Reporter: Oanh Thai Hoang Assignee: Anh Vu
Resolution: Fixed Votes: 0
Labels: security
Σ Remaining Estimate: 0d Remaining Estimate: 0d
Σ Time Spent: 4d 2.75h Time Spent: 3d 6.75h
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Sub-Tasks:
Key             Summary    Type      Status  Assignee
MGNLEESOLR-220  Implement  Sub-task  Closed  Anh Vu
MGNLEESOLR-221  Review     Sub-task  Closed  Oanh Thai Hoang
MGNLEESOLR-222  piQA       Sub-task  Closed  Oanh Thai Hoang
MGNLEESOLR-223  QA         Sub-task  Closed  Chuong Doan Huy
Template:
Acceptance criteria: Empty
Task DoR: Empty
Epic Link: DevX Bucket
Sprint: DevX 48
Story Points: 2
Team: DeveloperX
Work Started:
Approved: Yes

Description

Solr was added to the nightly CVE scan on Jenkins.

https://jenkins.magnolia-cms.com/job/internal/job/nightly-cve-scan/job/master/ and "CVE scanning for solr-search-provider/release/6.1"

In the latest build there are reports which need to be investigated:


[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:check (default-cli) on project magnolia-solr-search-provider:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
[ERROR]


Suggestion:

commons-compress: can be updated to 1.24, following https://commons.apache.org/proper/commons-compress/security.html

jetty-io + http2-client: can be updated to 9.4.52.v20230823, following https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823

snappy-java: can be updated to the 1.1.10.4 release, following https://nvd.nist.gov/vuln/detail/CVE-2023-43642
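As an added example, not code from this ticket or from the Magnolia project: a small Python parser for the dependency-check-maven `[ERROR]` lines quoted above, run over those lines as a constructed sample. It splits each jar name into artifact and version and reduces the findings to the worst CVSS score per artifact against a gate (the same idea as dependency-check's failBuildOnCVSS setting), which is the order in which the upgrades above would be prioritised.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the [ERROR] lines of the dependency-check-maven run quoted in this ticket.
SAMPLE_OUTPUT = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:check (default-cli) on project magnolia-solr-search-provider:
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] commons-compress-1.22.jar: CVE-2023-42503(5.5)
[ERROR] http2-client-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] jetty-io-9.4.51.v20230217.jar: CVE-2023-36479(4.3), CVE-2023-40167(5.3), CVE-2023-41900(4.3)
[ERROR] snappy-java-1.1.10.1.jar: CVE-2023-43642(7.5)
"""

# Matches "<jar>: CVE-...(score), CVE-...(score)" lines; the other [ERROR] lines are skipped.
FINDING_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s+(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
# Splits "jetty-io-9.4.51.v20230217.jar" at the first "-" that is followed by a digit.
ARTIFACT_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    cvss: float

def parse_findings(output: str) -> list[Finding]:
    """One Finding per (jar, CVE) pair in the Maven log text; unrelated lines are ignored."""
    findings = []
    for line in output.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        a = ARTIFACT_RE.match(m["jar"])
        artifact, version = (a["artifact"], a["version"]) if a else (m["jar"], "")
        for cve, score in CVE_RE.findall(m["cves"]):
            findings.append(Finding(artifact, version, cve, float(score)))
    return findings

def worst_per_artifact(findings: list[Finding], threshold: float) -> dict[str, float]:
    """Highest CVSS per artifact, keeping only artifacts at or above the gate (cf. failBuildOnCVSS)."""
    worst: dict[str, float] = {}
    for f in findings:
        worst[f.artifact] = max(worst.get(f.artifact, 0.0), f.cvss)
    return {a: s for a, s in worst.items() if s >= threshold}
```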


Generated at Mon Feb 12 11:01:14 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.