Solr / SOLR-12617

Remove Commons BeanUtils as a dependency


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.5, 8.0
    • Component/s: None
    • Labels: None

      Description

      The BeanUtils library is a dependency in the velocity contrib module.

      It is a compile time dependency but the velocity code that Solr uses doesn't leverage any of this.

      After removing the dependency Solr compiles just fine and the browse handler also loads up correctly. 

      While chatting to Erik Hatcher offline he confirmed that the tests also pass without this dependency.

      The main motivation behind this is a long-standing CVE against bean-utils 1.8.3 (https://nvd.nist.gov/vuln/detail/CVE-2014-0114#vulnCurrentDescriptionTitle) which to my knowledge cannot be leveraged from how we use it in Solr. But security scans still pick it up, so if it's not being used we should simply remove it.
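The claim above that the Velocity code Solr uses does not leverage BeanUtils can be checked mechanically rather than by compiling with the jar removed: every class a compiled .class file references appears as a CONSTANT_Class entry in its constant pool, so scanning a build's jars for entries under org/apache/commons/beanutils/ shows exactly which classes (if any) link against the library. The script below is an added example and is not part of the issue or the Solr code base; the jar it scans, and the class names inside it, are constructed inline for illustration and are not real Solr classes.

```python
import io
import struct
import sys
import zipfile

# Internal (slash-separated) package prefix of the library we want to find users of.
BEANUTILS_PREFIX = "org/apache/commons/beanutils/"


def constant_pool_classes(class_bytes: bytes) -> list:
    """Return the internal names of all classes referenced from a .class file's
    constant pool (JVM spec section 4.4). Only the constant pool is parsed."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos = 10
    utf8 = {}          # slot index -> decoded CONSTANT_Utf8 text
    class_refs = []    # name_index of every CONSTANT_Class entry
    idx = 1
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                       # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 7:                     # CONSTANT_Class: u2 name_index
            class_refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += 2
        elif tag in (3, 4):                # Integer, Float: u4
            pos += 4
        elif tag in (5, 6):                # Long, Double: u8 and two pool slots
            pos += 8
            idx += 1
        elif tag in (8, 16, 19, 20):       # String, MethodType, Module, Package: u2
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):  # Field/Method/InterfaceMethodref,
            pos += 4                          # NameAndType, Dynamic, InvokeDynamic: u2 u2
        elif tag == 15:                    # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    return [utf8[i] for i in class_refs if i in utf8]


def beanutils_users(jar_bytes: bytes) -> dict:
    """Map each .class entry in a jar to the BeanUtils classes it references.
    Entries with no such reference are omitted, so an empty dict means clean."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            refs = [c for c in constant_pool_classes(zf.read(name))
                    if c.startswith(BEANUTILS_PREFIX)]
            if refs:
                result[name] = refs
    return result


# --- constructed sample input (not real Solr bytecode) ---------------------

def _utf8(text: str) -> bytes:
    data = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data


def _class_ref(index: int) -> bytes:
    return b"\x07" + struct.pack(">H", index)


def make_class_bytes(this_name: str, referenced: list) -> bytes:
    """Minimal constructed class file: valid magic, version and constant pool,
    nothing after it. Enough for the scanner above; a JVM would not load it."""
    pool = b""
    for i, name in enumerate([this_name] + referenced):
        pool += _utf8(name) + _class_ref(2 * i + 1)   # utf8 at 2i+1, class at 2i+2
    count = 2 * (len(referenced) + 1) + 1               # constant_pool_count is entries + 1
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
            + struct.pack(">H", count) + pool)


def build_sample_jar() -> bytes:
    """Hypothetical jar: one class that only uses Velocity, one that uses BeanUtils."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/TemplateWriter.class", make_class_bytes(
            "com/example/TemplateWriter",
            ["org/apache/velocity/app/VelocityEngine", "java/lang/Object"]))
        zf.writestr("com/example/LegacyForm.class", make_class_bytes(
            "com/example/LegacyForm",
            ["org/apache/commons/beanutils/BeanUtils", "java/lang/Object"]))
    return buf.getvalue()


if __name__ == "__main__":
    # Scan real jars given on the command line, or the constructed sample.
    jars = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_jar()]
    for jar in jars:
        for entry, refs in beanutils_users(jar).items():
            print("%s -> %s" % (entry, ", ".join(refs)))
```

Run it over every jar in a Solr build (for example `find . -name '*.jar' | xargs python3 scan.py`): if no entry is printed, nothing in the compiled code links against BeanUtils and the dependency is removable, which is the conclusion the issue reaches. The caveat is that this only finds direct bytecode references; a class reached purely by reflection (a class name in a string or a config file) does not show up in the constant pool as a CONSTANT_Class entry, so for a module that loads classes by name the compile-and-run test described in the issue is still the final word.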

            People

            • Assignee: Unassigned
            • Reporter: Varun Thacker
