We want to use Solr v7, but Sonatype scans of releases past v6.5 show dozens of critical and severe security issues and dozens of licensing issues. The critical security violations found by Sonatype are inline below and are indexed with codes from the National Vulnerability Database.
Are there recommended steps for running Solr 7 in secure enterprises, specifically infosec remediation of the Sonatype Application Composition Reports? Are there plans to make Solr more secure in v7 or v8? I'm new to the Solr User forum and suggestions are welcome.

Sonatype Application Composition Report of Solr 7.6.0, build scanned on Thu Jan 03 2019 at 14:49:49 using Scanner 1.56.0-01

Security Issues

Threat Level  Problem Code        Component                                                Status
9             CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                      Open
9             CVE-2017-7525       org.codehaus.jackson : jackson-mapper-asl : 1.9.13       Open
9             CVE-2017-1000190    org.simpleframework : simple-xml : 2.7.1                 Open
8             CVE-2018-14718      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
8             CVE-2018-14719      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
8             sonatype-2017-0312  com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
7             CVE-2018-14720      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
7             CVE-2018-14721      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
7             CVE-2018-1000632    dom4j : dom4j : 1.6.1                                    Open
7             CVE-2018-8009       org.apache.hadoop : hadoop-common : 2.7.4                Open
7             CVE-2012-0881       xerces : xercesImpl : 2.9.1                              Open
7             CVE-2013-4002       xerces : xercesImpl : 2.9.1                              Open

License Analysis

License Threat                                                  Component                                                          Status
MPL-1.1, GPL-2.0+ or LGPL-2.1+ or MPL-1.1                       com.googlecode.juniversalchardet : juniversalchardet : 1.0.3       Open
Apache-2.0, AFL-2.1 or GPL-2.0+                                 org.ccil.cowan.tagsoup : tagsoup : 1.2.1                           Open
Not Declared, Not Supported                                     d3 2.9.6                                                           Open
BSD-3-Clause, Adobe                                             com.adobe.xmp : xmpcore : 5.1.3                                    Open
Apache-2.0, No Source License                                   com.cybozu.labs : langdetect : 1.1-20120112                        Open
Apache-2.0, No Source License                                   com.fasterxml.jackson.core : jackson-annotations : 2.9.6           Open
Apache-2.0, No Source License                                   com.fasterxml.jackson.core : jackson-core : 2.9.6                  Open
Apache-2.0, No Source License                                   com.fasterxml.jackson.core : jackson-databind : 2.9.6              Open
Apache-2.0, No Source License                                   com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6  Open
Apache-2.0, EPL-1.0, MIT                                        com.googlecode.mp4parser : isoparser : 1.1.22                      Open
Not Provided, No Source License                                 com.ibm.icu : icu4j : 62.1                                         Open
Apache-2.0, LGPL-3.0+                                           com.pff : java-libpst : 0.8.1                                      Open
Apache-2.0, No Source License                                   com.rometools : rome-utils : 1.5.1                                 Open
CDDL-1.1 or GPL-2.0-CPE                                         com.sun.mail : gimap : 1.5.1                                       Open
CDDL-1.1 or GPL-2.0-CPE                                         com.sun.mail : javax.mail : 1.5.1                                  Open
Not Declared, Apache-1.1, Sun-IP                                dom4j : dom4j : 1.6.1                                              Open
MIT, No Source License                                          info.ganglia.gmetric4j : gmetric4j : 1.0.7                         Open
Apache-2.0, No Source License                                   io.dropwizard.metrics : metrics-ganglia : 3.2.6                    Open
Apache-2.0, No Source License                                   io.dropwizard.metrics : metrics-graphite : 3.2.6                   Open
Apache-2.0, No Source License                                   io.dropwizard.metrics : metrics-jetty9 : 3.2.6                     Open
Apache-2.0, No Source License                                   io.dropwizard.metrics : metrics-jvm : 3.2.6                        Open
Apache-2.0, No Source License                                   io.prometheus : simpleclient_common : 0.2.0                        Open
Apache-2.0, No Source License                                   io.prometheus : simpleclient_httpserver : 0.2.0                    Open
CDDL-1.0, CDDL-1.1 or GPL-2.0-CPE                               javax.activation : activation : 1.1.1                              Open
CDDL-1.0 or GPL-2.0-CPE, Apache-2.0, CDDL-1.1 or GPL-2.0-CPE    javax.servlet
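A first remediation step for a report like the one above is to find out which of the flagged jars are actually shipped on the Solr install you run, and at which version, since a scanner that walks the whole distribution will flag contrib jars that a given deployment never loads. The script below is an added example, not code from the post or from the Solr project. It transcribes the security rows of the report into a list, inventories every `artifactId-version.jar` under an install root, and classifies each flagged row as present (exact flagged version on disk), other-version (same artifact, different version) or absent. The install tree it builds is constructed for illustration; the directory layout and the derby version it plants are assumptions, not facts about Solr 7.6.0.

```python
import os
import re
import tempfile
from collections import defaultdict

# Flagged rows transcribed from the Sonatype security table in the post:
# (threat level, problem code, Maven artifactId, version).
FLAGGED = [
    (9, "CVE-2015-1832", "derby", "10.9.1.0"),
    (9, "CVE-2017-7525", "jackson-mapper-asl", "1.9.13"),
    (9, "CVE-2017-1000190", "simple-xml", "2.7.1"),
    (8, "CVE-2018-14718", "jackson-databind", "2.9.6"),
    (8, "CVE-2018-14719", "jackson-databind", "2.9.6"),
    (8, "sonatype-2017-0312", "jackson-databind", "2.9.6"),
    (7, "CVE-2018-14720", "jackson-databind", "2.9.6"),
    (7, "CVE-2018-14721", "jackson-databind", "2.9.6"),
    (7, "CVE-2018-1000632", "dom4j", "1.6.1"),
    (7, "CVE-2018-8009", "hadoop-common", "2.7.4"),
    (7, "CVE-2012-0881", "xercesImpl", "2.9.1"),
    (7, "CVE-2013-4002", "xercesImpl", "2.9.1"),
]

# Maven-style jar names: <artifactId>-<version>.jar, version starting with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def inventory_jars(root):
    """Walk an install root; return artifactId -> {version: [relative jar paths]}."""
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found[m["artifact"]][m["version"]].append(rel)
    return found


def triage(flagged, found):
    """Return one tuple per flagged row:
    (level, code, artifact, version, status, detail) where status is
    'present' (detail = paths), 'other-version' (detail = versions on disk)
    or 'absent' (detail = [])."""
    rows = []
    for level, code, artifact, version in flagged:
        versions = found.get(artifact, {})
        if version in versions:
            rows.append((level, code, artifact, version, "present", versions[version]))
        elif versions:
            rows.append((level, code, artifact, version, "other-version", sorted(versions)))
        else:
            rows.append((level, code, artifact, version, "absent", []))
    return rows


def max_present_level(rows):
    """Highest threat level among rows whose flagged version is really on disk."""
    levels = [r[0] for r in rows if r[4] == "present"]
    return max(levels) if levels else 0


def build_sample_install():
    """Constructed install tree (assumed layout, empty jar files) for the demo."""
    root = tempfile.mkdtemp(prefix="solr-sample-")
    sample_jars = [
        "server/solr-webapp/webapp/WEB-INF/lib/jackson-databind-2.9.6.jar",
        "contrib/extraction/lib/dom4j-1.6.1.jar",
        "contrib/extraction/lib/xercesImpl-2.9.1.jar",
        "contrib/dataimporthandler-extras/lib/derby-10.12.1.1.jar",  # assumed upgrade
        "server/lib/ext/metrics-jvm-3.2.6.jar",  # not in the security table
    ]
    for rel in sample_jars:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    install = build_sample_install()
    report = triage(FLAGGED, inventory_jars(install))
    for level, code, artifact, version, status, detail in report:
        print(f"{level}  {code:<20} {artifact}:{version:<12} {status:<14} {detail}")
    print("highest threat level actually deployed:", max_present_level(report))
```

Run it against a real install by replacing `build_sample_install()` with the Solr home path; rows reported as present are the ones to take to the vendor or to shade and upgrade, other-version rows need the deployed version checked against the advisory, and absent rows can be annotated in the scanner as not shipped.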