Old dependencies vulnerabilities affecting querqy-5.4.lucene.900.0 (latest version up to date)

[AkechiShiro]

Hi, is there anyone that checked whether any dependencies of Querqy were vulnerable lately to CVEs ? I found that the latest version Querqy 5.4.lucene900.0 jar file with dependencies from Maven is vulnerable to 2 CVEs using OWASP dependency checker.

How should I proceed so that vulnerable libraries may be updated ?

For information, here is where Querqy is listed as vulnerable to a CVE in json-smart-v1 I believe : https://mvnrepository.com/artifact/org.querqy/querqy-solr/5.4.lucene900.0

Feel free to let me know if I should also send the report that list another vulnerability in the dependencies.

[renekrie]

Thank you @AkechiShiro.

Let me check this specific issue - we are having Querqy scanned automatically for security issues but we are sometimes limited in what we can update by the Solr/Lucene dependency. json-smart has been a troublemaker in the past. It is referenced by json-path and as far as I remember, Solr can just exclude json-smart (or not use it as an optional dependency) but we need to provide it as the classes from json-path that we are using have a dependency to it. (But this might all be outdated info in Solr 9)

[AkechiShiro]

Thanks for your reactivity ! I will give a try again to scan for CVEs, if I find any affecting dependencies, I'll open up a new issue