Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade Apache Lucene to resolve vulnerability for consumers #1408

Open
ciscoo opened this issue Jan 17, 2024 · 8 comments
Open

Upgrade Apache Lucene to resolve vulnerability for consumers #1408

ciscoo opened this issue Jan 17, 2024 · 8 comments

Comments

@ciscoo
Copy link

ciscoo commented Jan 17, 2024

Currently, this project uses 7.5.0 of Apache Lucene: https://github.com/stanfordnlp/CoreNLP/blob/main/pom.xml#L77

As a result, the following vulnerability is introduced into projects:

We use Sonartype IQ Server (NexusIQ) to scan for vulnerabilites in our dependencies and that is how this was flagged.

As a workaround, we upgrade the dependencies:

[versions]
lucene = "9.8.0"
configurations.configureEach {
    resolutionStrategy {
        dependencySubstitution {
            substitute(module("org.apache.lucene:lucene-analyzers-common"))
                    .using(module("org.apache.lucene:lucene-analysis-common:${libs.versions.lucene.get()}"))
                    .because("Module was renamed in 9.x release")
        }
        eachDependency {
            if (requested.group == "org.apache.lucene") {
                useVersion(libs.versions.lucene.get())
                because("""
                Resolves IQ issue.
                There does not exist a BOM either https://github.com/apache/lucene/issues/11422, so bump all
                lucene dependencies to keep them in sync rather than the single one.
            """.trimIndent())
            }
        }
    }
}

But as you can see, this adds quite a bit of ceremony.

It would be better if CoreNLP can upgrade Apache Lucene so that the above would not be needed.

@AngledLuffa
Copy link
Contributor

AngledLuffa commented Jan 17, 2024 via email

@ciscoo
Copy link
Author

ciscoo commented Jan 18, 2024

It was the minimum non-vulnerable version. I help maintain some projects internally and I'm not familiar enough with the project. So I opted for the minimum allowed version by our internal Sonar IQ server.

@AngledLuffa
Copy link
Contributor

AngledLuffa commented Jan 18, 2024 via email

@ciscoo
Copy link
Author

ciscoo commented Jan 18, 2024

Does that publish a snapshot somewhere such as Maven Central? If so, I can try it out Thursday. Otherwise I'd need to wait until a release is made.

@AngledLuffa
Copy link
Contributor

Actually, I'm not sure I can update all the way to 9.9.1 w/o breaking Java 1.8 compatibility. Let me check which versions would actually work with Java 1.8, then hopefully there's one which has the necessary patch in it.

@AngledLuffa
Copy link
Contributor

Honestly I think we're screwed here. The earliest version of Lucene which has this fix is 9.8.0, and it also targets 11. I'll bring it up with my PI in terms of possibly switching to Java 11 in the future.

@ciscoo
Copy link
Author

ciscoo commented Jan 31, 2024

Right, most of the Java ecosystem is moving towards targeting more modern versions of Java.

@AngledLuffa
Copy link
Contributor

#1429

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants