[SOLR-12617] Remove Commons BeanUtils as a dependency - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 7.5, 8.0
Component/s: None
Labels:
None

Description

The BeanUtils library is a dependency in the velocity contrib module.

It is a compile time dependency but the velocity code that Solr uses doesn't leverage any of this.

After removing the dependency Solr compiles just fine and the browse handler also loads up correctly.

While chatting to Erik Hatcher offline he confirmed that the tests also pass without this dependency.

The main motivation behind this is a long standing CVE against bean-utils 1.8.3 ( https://nvd.nist.gov/vuln/detail/CVE-2014-0114#vulnCurrentDescriptionTitle ) which to my knowledge cannot be leveraged from how we use it in Solr . But security scans still pick it up so if it's not being used we should simply remove it.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending

Attachments

SOLR-12617.patch
03/Aug/18 04:37
3 kB
Varun Thacker

Issue Links

relates to

SOLR-13791 Remove remaining BeanUtils references

Resolved

supercedes

SOLR-9153 Update beanutils version to 1.9.2

Resolved

Activity

People

Assignee:

Unassigned

Reporter:

Varun Thacker

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

03/Aug/18 02:02

Updated:

21/Nov/19 00:42

Resolved:

03/Aug/18 17:37