We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of critical
and severe security issues and dozens of licensing issues. The critical
security violations using Sonatype are inline and are indexed with codes
from the National Vulnerability Database.

Are there recommended steps for running Solr 7 in secure enterprises,
specifically infosec remediation over Sonatype Application Composition
Reports?

Are there plans to make Solr more secure in v7 or v8?

I'm new to the Solr User forum and suggestions are welcome.

Sonatype Application Composition Report
of Solr 7.6.0, build scanned on Thu Jan 03 2019 at 14:49:49
using Scanner 1.56.0-01

Security Issues

Threat Level | Problem Code | Component | Status
9 | CVE-2015-1832 | org.apache.derby : derby : 10.9.1.0 | Open
9 | CVE-2017-7525 | org.codehaus.jackson : jackson-mapper-asl : 1.9.13 | Open
9 | CVE-2017-1000190 | org.simpleframework : simple-xml : 2.7.1 | Open
8 | CVE-2018-14718 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
8 | CVE-2018-14719 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
8 | sonatype-2017-0312 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
7 | CVE-2018-14720 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
7 | CVE-2018-14721 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
7 | CVE-2018-1000632 | dom4j : dom4j : 1.6.1 | Open
7 | CVE-2018-8009 | org.apache.hadoop : hadoop-common : 2.7.4 | Open
7 | CVE-2012-0881 | xerces : xercesImpl : 2.9.1 | Open
7 | CVE-2013-4002 | xerces : xercesImpl : 2.9.1 | Open
License Analysis

License Threat | Component | Status
MPL-1.1, GPL-2.0+ or LGPL-2.1+ or MPL-1.1 | com.googlecode.juniversalchardet : juniversalchardet : 1.0.3 | Open
Apache-2.0, AFL-2.1 or GPL-2.0+ | org.ccil.cowan.tagsoup : tagsoup : 1.2.1 | Open
Not Declared, Not Supported | d3 2.9.6 | Open
BSD-3-Clause, Adobe | com.adobe.xmp : xmpcore : 5.1.3 | Open
Apache-2.0, No Source License | com.cybozu.labs : langdetect : 1.1-20120112 | Open
Apache-2.0, No Source License | com.fasterxml.jackson.core : jackson-annotations : 2.9.6 | Open
Apache-2.0, No Source License | com.fasterxml.jackson.core : jackson-core : 2.9.6 | Open
Apache-2.0, No Source License | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
Apache-2.0, No Source License | com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6 | Open
Apache-2.0, EPL-1.0, MIT | com.googlecode.mp4parser : isoparser : 1.1.22 | Open
Not Provided, No Source License | com.ibm.icu : icu4j : 62.1 | Open
Apache-2.0, LGPL-3.0+ | com.pff : java-libpst : 0.8.1 | Open
Apache-2.0, No Source License | com.rometools : rome-utils : 1.5.1 | Open
CDDL-1.1 or GPL-2.0-CPE | com.sun.mail : gimap : 1.5.1 | Open
CDDL-1.1 or GPL-2.0-CPE | com.sun.mail : javax.mail : 1.5.1 | Open
Not Declared, Apache-1.1, Sun-IP | dom4j : dom4j : 1.6.1 | Open
MIT, No Source License | info.ganglia.gmetric4j : gmetric4j : 1.0.7 | Open
Apache-2.0, No Source License | io.dropwizard.metrics : metrics-ganglia : 3.2.6 | Open
Apache-2.0, No Source License | io.dropwizard.metrics : metrics-graphite : 3.2.6 | Open
Apache-2.0, No Source License | io.dropwizard.metrics : metrics-jetty9 : 3.2.6 | Open
Apache-2.0, No Source License | io.dropwizard.metrics : metrics-jvm : 3.2.6 | Open
Apache-2.0, No Source License | io.prometheus : simpleclient_common : 0.2.0 | Open
Apache-2.0, No Source License | io.prometheus : simpleclient_httpserver : 0.2.0 | Open
CDDL-1.0, CDDL-1.1 or GPL-2.0-CPE | javax.activation : activation : 1.1.1 | Open
CDDL-1.0 or GPL-2.0-CPE, Apache-2.0, CDDL-1.1 or GPL-2.0-CPE | javax.servlet
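The security table in the post lists one finding per row, but remediation happens per dependency: a single upgrade of jackson-databind closes five of the twelve findings. As an added example (not code from the post, from Solr or from Sonatype), the script below parses those findings and groups the open ones by component, ranking components by the report's threat level and then by how many findings the one upgrade would close. The FINDINGS text is transcribed from the table above, with the threat level repeated for rows that shared a merged cell in the report; the pipe-separated layout and the field names are assumptions chosen for this example, not Sonatype's export format.

```python
"""Triage helper for a Sonatype-style findings table.

Added example, not Solr's or Sonatype's code. FINDINGS is transcribed from the
security table in the post; the pipe-separated layout is an assumption for this
example, not Sonatype's export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: threat level | problem code | component | status
FINDINGS = """\
9|CVE-2015-1832|org.apache.derby : derby : 10.9.1.0|Open
9|CVE-2017-7525|org.codehaus.jackson : jackson-mapper-asl : 1.9.13|Open
9|CVE-2017-1000190|org.simpleframework : simple-xml : 2.7.1|Open
8|CVE-2018-14718|com.fasterxml.jackson.core : jackson-databind : 2.9.6|Open
8|CVE-2018-14719|com.fasterxml.jackson.core : jackson-databind : 2.9.6|Open
8|sonatype-2017-0312|com.fasterxml.jackson.core : jackson-databind : 2.9.6|Open
7|CVE-2018-14720|com.fasterxml.jackson.core : jackson-databind : 2.9.6|Open
7|CVE-2018-14721|com.fasterxml.jackson.core : jackson-databind : 2.9.6|Open
7|CVE-2018-1000632|dom4j : dom4j : 1.6.1|Open
7|CVE-2018-8009|org.apache.hadoop : hadoop-common : 2.7.4|Open
7|CVE-2012-0881|xerces : xercesImpl : 2.9.1|Open
7|CVE-2013-4002|xerces : xercesImpl : 2.9.1|Open
"""


@dataclass(frozen=True)
class Finding:
    threat: int
    code: str
    group: str
    artifact: str
    version: str
    status: str


def parse_findings(text):
    """Parse the pipe-separated rows into Finding records.

    The component column is split on ' : ' into group, artifact and version,
    matching the "group : artifact : version" layout of the report.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        threat, code, component, status = [f.strip() for f in line.split("|")]
        group, artifact, version = [p.strip() for p in component.split(":")]
        findings.append(Finding(int(threat), code, group, artifact, version, status))
    return findings


def remediation_plan(findings):
    """Group open findings by component and rank the components.

    One version bump closes every finding attached to a component, so the
    plan is ordered by the worst threat level first, then by the number of
    findings the upgrade would close, then by name for a stable order.
    """
    by_component = defaultdict(list)
    for f in findings:
        if f.status == "Open":
            by_component[(f.group, f.artifact, f.version)].append(f)

    plan = []
    for (group, artifact, version), group_findings in by_component.items():
        plan.append({
            "component": f"{group}:{artifact}:{version}",
            "max_threat": max(f.threat for f in group_findings),
            "open": len(group_findings),
            "codes": sorted(f.code for f in group_findings),
        })
    plan.sort(key=lambda e: (-e["max_threat"], -e["open"], e["component"]))
    return plan


if __name__ == "__main__":
    for entry in remediation_plan(parse_findings(FINDINGS)):
        print(f"{entry['max_threat']}  {entry['open']:>2}  "
              f"{entry['component']}  {', '.join(entry['codes'])}")
```

Run as-is it prints one line per component, worst first; to reuse it on a real export, replace FINDINGS with rows in the same four-field layout and keep the status filter so findings already marked as acknowledged or not applicable drop out of the plan.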