ppkarwasz commented on PR #3502: URL: https://github.com/apache/solr/pull/3502#issuecomment-3234237720
> With the configuration you shared, the total dependency count is down to 138 (from 518 under the Maven ecosystem). Dependabot alerts have also dropped to 4 from 21. Does this reduction also cover Solr modules? No, the configuration I provided only covers the `server` folder of the distribution. By a quick count: - **138** is *exactly* the number of JARs in `server`, so that part matches up. - `modules` should contribute around **305** JARs. - `cross-dc-manager` adds about **40** JARs. - `prometheus-exporter` adds about **5** JARs. So in total, we should expect roughly **488** JARs across all shipped components. > That said, I’m only seeing 1 high and 1 moderate vulnerability, whereas you mentioned there should be at least half a dozen—so we might still be missing some then. I should also try to generate SBOM on tar.gz to see the difference against the one which we can export from the Github. I may have overstated it a little, but there are at least these open issues: - [SOLR-17826](https://issues.apache.org/jira/browse/SOLR-17826) — Netty vulnerability (pending analysis). - [SOLR-17822](https://issues.apache.org/jira/browse/SOLR-17822) — Commons Lang vulnerability (not exploitable; see apache/solr-site#152). - [SOLR-17833](https://issues.apache.org/jira/browse/SOLR-17833) — Protobuf vulnerability (pending analysis). I also have a script ready that can automatically submit these to JIRA. I’ve held off running it so far, because I want to first clean up the dependency graph in my fork, otherwise I will be creating JIRA issues for irrelevant build-time dependencies. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
