Hi,

We regularly get questions asking whether Solr is affected by vulnerabilities that were disclosed for a dependency. With all the recent enthusiasm around vulnerability scanning and SBOMs, I think we can expect the number of such questions to rise.
Solr already does a great job of collecting known false positives at https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools . I think it would be interesting to experiment with sharing this information in a machine-readable way.

I've been reading up and experimenting a bit, and it's clear that it is early days and a lot of work still needs to be done in the wider ecosystem: there are various SBOM/VEX file formats, and even within a format most tools rely on their own dialect. That said, I've had some success generating a VEX file from the table on the Solr wiki (attached). When I create an SBOM for Solr 9.0.0 with the Gradle org.cyclonedx.bom plugin, load it into the OWASP Dependency-Track tool, and apply the VEX, it indeed filters out some of the reported CVEs and marks the Calcite problem (CVE-2022-39135) as 'exploitable' - so that's at least a start.

I would be interested in pointing people with questions about vulnerability scanner results to that, and working with them to gain experience on what we can do to make this useful. I would be happy to maintain a VEX file for Solr, be the contact point for feedback and questions on how to use it, etc. It doesn't look like the wiki allows file uploads; perhaps we could include it in the solr-site repo?

We could also expand the "Solr and Vulnerability Scanning Tools" section on the wiki, explaining in more detail what to do when a CVE scanning tool flags a problem in Solr. I'd also be happy to propose a first draft of such a paragraph.

Curious to hear your thoughts!

Kind regards,
Arnout
Attachment: solr.vex.json (application/json)
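As an added illustration of the "generate a VEX file from the wiki table" step described in the message above (this is not Arnout's attached solr.vex.json, nor Solr project code), the script below turns table rows into a CycloneDX 1.4 VEX document of the kind Dependency-Track can apply to an SBOM. The rows are constructed: the component purls, the version in the Calcite purl and the second CVE id are placeholders that would come from the real SBOM and wiki table.

```python
import json

# Constructed rows in the shape of the wiki's table: (CVE id, purl of the
# affected component as it appears in the SBOM, analysis state, justification,
# free-text detail). The purls and the second CVE id are placeholders.
WIKI_TABLE = [
    ("CVE-2022-39135", "pkg:maven/org.apache.calcite/calcite-core@VERSION-PLACEHOLDER",
     "exploitable", None, "Solr is affected by this Calcite issue."),
    ("CVE-0000-00000", "pkg:maven/example/placeholder-lib@0.0.0",
     "not_affected", "code_not_reachable", "Solr never calls the vulnerable code path."),
]

# Enumerations from the CycloneDX 1.4 schema for analysis.state / analysis.justification.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                        "requires_configuration", "requires_dependency",
                        "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}


def vex_entry(cve, purl, state, justification, detail):
    """Translate one table row into a CycloneDX 'vulnerabilities' element."""
    if state not in VALID_STATES:
        raise ValueError(f"{cve}: unknown analysis state {state!r}")
    if state == "not_affected" and justification not in VALID_JUSTIFICATIONS:
        # The schema allows omitting it, but a not_affected claim without a
        # justification gives scanner users nothing to review, so refuse it here.
        raise ValueError(f"{cve}: not_affected requires a valid justification")
    if state != "not_affected" and justification is not None:
        raise ValueError(f"{cve}: justification only applies to not_affected")
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    return {
        "id": cve,
        "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve}"},
        "analysis": analysis,
        # 'ref' must match the component's bom-ref/purl in the SBOM the VEX is applied to.
        "affects": [{"ref": purl}],
    }


def build_vex(rows):
    """Assemble a standalone CycloneDX VEX document (analyses only, no components)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": [vex_entry(*row) for row in rows]}


if __name__ == "__main__":
    print(json.dumps(build_vex(WIKI_TABLE), indent=2))
```

The `affects[].ref` value is what Dependency-Track uses to tie an analysis to a component, so it must be copied from the SBOM produced by the CycloneDX Gradle plugin rather than typed by hand.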