Upgrade Apache Lucene to resolve vulnerability for consumers #1408
Comments
Some reason you chose 9.8 instead of a 9.9 version?

It was the minimum non-vulnerable version. I help maintain some projects internally and I'm not familiar enough with the project. So I opted for the minimum allowed version by our internal Sonar IQ server.

Gotcha. Well, 9.9.1 exists, so I made a push which upgrades to that version. If you're able to use the dev branch, that should suffice, and if not, I'll look into making a patched CoreNLP release sometime soon.

Does that publish a snapshot somewhere such as Maven Central? If so, I can try it out Thursday. Otherwise I'd need to wait until a release is made.

Actually, I'm not sure I can update all the way to 9.9.1 without breaking Java 1.8 compatibility. Let me check which versions would actually work with Java 1.8, then hopefully there's one which has the necessary patch in it.

Honestly I think we're screwed here. The earliest version of Lucene which has this fix is 9.8.0, and it also targets 11. I'll bring it up with my PI in terms of possibly switching to Java 11 in the future.

Right, most of the Java ecosystem is moving towards targeting more modern versions of Java.
Currently, this project uses 7.5.0 of Apache Lucene: https://github.com/stanfordnlp/CoreNLP/blob/main/pom.xml#L77
As a result, the following vulnerability is introduced into projects:
We use Sonatype IQ Server (NexusIQ) to scan for vulnerabilities in our dependencies and that is how this was flagged.
As a workaround, we upgrade the dependencies:
But as you can see, this adds quite a bit of ceremony.
It would be better if CoreNLP can upgrade Apache Lucene so that the above would not be needed.
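The consumer-side override described above, written out as an added example (this is not the snippet from the issue, which is not reproduced on this page, and not CoreNLP's own pom.xml). It assumes CoreNLP pulls in lucene-core, lucene-queries, lucene-queryparser and lucene-analyzers-common transitively; confirm the actual list with `mvn dependency:tree -Dincludes=org.apache.lucene` before copying it. The CoreNLP version is a placeholder property.

```xml
<!-- Added example, not from the issue or from the CoreNLP project.
     Goal: replace the Lucene 7.5.0 that CoreNLP declares with 9.8.0, the earliest
     release the thread identifies as carrying the fix. Lucene 9.x is compiled for
     Java 11, so a consumer still running on Java 8 will hit
     UnsupportedClassVersionError at runtime; this override does not help there. -->
<properties>
  <lucene.version>9.8.0</lucene.version>
  <corenlp.version>PLACEHOLDER</corenlp.version>  <!-- assumption: set to the version you use -->
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Managed versions win over the 7.5.0 declared in CoreNLP's pom for every
         artifact that kept its coordinates between Lucene 7 and 9. -->
    <dependency>
      <groupId>org.apache.lucene</groupId>
      <artifactId>lucene-core</artifactId>
      <version>${lucene.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.lucene</groupId>
      <artifactId>lucene-queries</artifactId>
      <version>${lucene.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.lucene</groupId>
      <artifactId>lucene-queryparser</artifactId>
      <version>${lucene.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>edu.stanford.nlp</groupId>
    <artifactId>stanford-corenlp</artifactId>
    <version>${corenlp.version}</version>
    <exclusions>
      <!-- lucene-analyzers-common was renamed lucene-analysis-common in Lucene 9,
           so a version override alone leaves the old 7.5.0 jar on the classpath.
           Exclude it here and re-add it under the new artifactId below. -->
      <exclusion>
        <groupId>org.apache.lucene</groupId>
        <artifactId>lucene-analyzers-common</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.lucene</groupId>
    <artifactId>lucene-analysis-common</artifactId>
    <version>${lucene.version}</version>
  </dependency>
</dependencies>
```

After applying it, re-run `mvn dependency:tree -Dincludes=org.apache.lucene` and check that no 7.5.0 artifact remains; the scanner only stops flagging once every Lucene jar on the resolved classpath is at the fixed version. Because CoreNLP is compiled against the Lucene 7 API, also run the consumer's own tests that exercise the CoreNLP code paths using Lucene, since a class or method removed in Lucene 9 would surface as a NoClassDefFoundError or NoSuchMethodError only at runtime.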