Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-11207

Add OWASP dependency checker to detect security vulnerabilities in third party libraries

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0
    • Fix Version/s: main (9.0)
    • Component/s: Build
    • Labels:
      None

      Description

      Lucene/Solr project depends on number of third party libraries. Some of those libraries contain security vulnerabilities. Upgrading to versions of those libraries that have fixes for those vulnerabilities is a simple, critical step we can take to improve the security of the system. But for that we need a tool which can scan the Lucene/Solr dependencies and look up the security database for known vulnerabilities.

      I found that OWASP dependency-checker can be used for this purpose. It provides a ant task which we can include in the Lucene/Solr build. We also need to figure out how (and when) to invoke this dependency-checker. But this can be figured out once we complete the first step of integrating this tool with the Lucene/Solr build system.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                janhoy Jan H√łydahl
                Reporter:
                hgadre Hrishikesh Gadre
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 3h 20m
                  3h 20m