lucene old version in wlidfly keeps popping up in customers security audits

[Guy Katz]

hi all;

several customers using security audit tools came up with lucene 5.5 as a potential security risk.

we are using wildfly 23 but I have noticed that even the lates wildfly still uses 5.5.

in my application I am not using any lucene features. I am not sure what sort of internal use wildfly has for this in any.

can someone recommend some creative way of bypassing this hurdle?

can this be removed alltogether? (assuming I dont use it and wildfly doesnt need it)

can this be upgraded manualy? (i assume version 8 is not a drop in replacement but maybe)
any help would be appreciated.

thanks!

[Brian Stansberry]

Lucene is used by Hibernate Search. WildFly only uses Hibernate Search if your application has a persistence unit whose properties include a 'wildfly.jpa.hibernate.search.module' property specifying the org.hibernate.search.orm module, or if there is not such property but your one or more of your application classes uses the org.hibernate.search.annotations.Indexed annotation. If neither is the case your should be able to remove the org.apache.lucene modules and the org.hibernate.search modules.  Test first though; I'm writing this based on looking at code and my general understanding of how this integration works.

I don't believe upgrading the Lucene artifact will work.

Note that in the past I've seen scanner reports of problems with Lucene 5.5.5 but when I've investigated they have been false positives; i.e being flagged for things that are actually fixed. I don't know if that is the case with what you are being told, and I  recognize that even if it is that may not be an adequate answer to your customers, who might just want no longer see the item flagged by their tool.

[Guy Katz]

thanks Brian!!

this seems to have done the trick

thanks for the ellaborate explanation!

cheers.