
Remove Commons BeanUtils as a dependency


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.5, 8.0
    • Component/s: None
    • Labels: None

    Description

      The BeanUtils library is a dependency in the velocity contrib module.

      It is a compile-time dependency, but the velocity code that Solr uses doesn't leverage any of this.

      After removing the dependency, Solr compiles just fine and the browse handler also loads up correctly.

      While chatting with ehatcher offline, he confirmed that the tests also pass without this dependency.

      The main motivation behind this is a long-standing CVE against bean-utils 1.8.3 (https://nvd.nist.gov/vuln/detail/CVE-2014-0114#vulnCurrentDescriptionTitle) which, to my knowledge, cannot be leveraged from how we use it in Solr. But security scans still pick it up, so if it's not being used we should simply remove it.

      Attachments

        1. SOLR-12617.patch (3 kB, Varun Thacker)


      People

        Assignee: Unassigned
        Reporter: Varun Thacker
        Votes: 0
        Watchers: 4
