Update M2E (Vulnerability in Apache Lucene 8.9) #2085

siakhooi · 2022-05-11T06:44:47Z

Hi,

There is a vulnerability report on apache lucene 8.9 and request us to upgrade to 8.10.
opensearch-project/OpenSearch#687
https://issues.apache.org/jira/browse/LUCENE-9981

tracing from our codes, into redhat.java (vscode plugin) that contains a file called
org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar
that contains lucene-*-5.5.5.jar

further trace found that it is coming from
http://download.eclipse.org/jdtls/snapshots/jdt-language-server-latest.tar.gz

Will this issue be fixed? any help are very much appreciated! thank you.

Path:
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-analyzers-common-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-backward-codecs-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-core-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-highlighter-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-join-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-memory-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-queries-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-queryparser-5.5.5.jar
redhat.java\extension\server\plugins\org.eclipse.m2e.maven.indexer_1.18.1.20211011-2139.jar\jars\lucene-sandbox-5.5.5.jar

rgrunber · 2022-05-12T22:45:25Z

I know that m2e eliminated a lot of stuff related to the m2e.maven.indexer recently so maybe there's a chance that if we update JDT-LS to use a more recent version, it will simply be eliminated. @mickaelistria , is this the case ?

mickaelistria · 2022-05-13T08:14:51Z

Indeed, m2e 2.0 won't contain indexer anymore and should be released in about 2 weeks. When JDT-LS bumps to this new version, Apache Lucene won't be here any more.

rgrunber · 2022-05-18T14:32:45Z

As mentioned by @fbricon , we're going to be doing this eventually, but given that there are likely breaking changes, this will take some time to get right.

rgrunber added the dependencies Pull requests that update a dependency file label May 12, 2022

rgrunber mentioned this issue May 13, 2022

Support publishing pre-release versions redhat-developer/vscode-java#2285

Closed

rgrunber changed the title ~~Vulnerability in Apache Lucene 8.9~~ Update M2E (Vulnerability in Apache Lucene 8.9) May 13, 2022

snjeza self-assigned this May 18, 2022

snjeza mentioned this issue May 20, 2022

Update M2E to 2.0.0 (Vulnerability in Apache Lucene 8.9) #2096

Merged

rgrunber added this to the Early June 2022 milestone Jun 1, 2022

rgrunber closed this as completed in #2096 Jun 1, 2022

rgrunber mentioned this issue Jul 6, 2022

Update Jenkinsfile to use Java 17 redhat-developer/quarkus-ls#669

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update M2E (Vulnerability in Apache Lucene 8.9) #2085

Update M2E (Vulnerability in Apache Lucene 8.9) #2085

siakhooi commented May 11, 2022

rgrunber commented May 12, 2022

mickaelistria commented May 13, 2022

rgrunber commented May 18, 2022

Update M2E (Vulnerability in Apache Lucene 8.9) #2085

Update M2E (Vulnerability in Apache Lucene 8.9) #2085

Comments

siakhooi commented May 11, 2022

rgrunber commented May 12, 2022

mickaelistria commented May 13, 2022

rgrunber commented May 18, 2022