We’re experiencing the same problem on our customers’ servers. Could someone please write a short tutorial on how to fix it in Lucee v5 and v6?
Specifically like:
‘delete this file in the Lucee core and replace it with this one’.
There are several .jar files on the Tika website; which one should we use?
The post is a bit old, but the principle applies to Tika 3.2.2. As Zackster said, the bundled Tika 1.28.4 is not the full Tika. However, it does include the core facades for the Tika API but won’t give the results that you get with the full Tika.
As Zackster also said, the bundled Tika 1.28.4 isn’t vulnerable, only the full Tika up to 3.2.1. If you don’t use the full Tika, then no action is required and the scan is a false positive.
If you upgrade from, say, 3.2.1 to 3.2.2, then at http://127.0.0.1:8888/lucee/admin/index.cfm?action=info.bundle you may see the old deleted version and have to clear the cache found at C:\Lucee\tomcat\lucee-server\felix-cache (depending on your installation) and restart the Lucee service.
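An inventory script for the situation described above, added here as an example and not part of the thread or of Lucee: it lists every Tika jar under a Lucee install, with its version, whether it is below 3.2.2, and whether it is a copy sitting in felix-cache. It assumes a Tika jar can be recognised by "tika" in its file name or in its `Bundle-SymbolicName` / `Implementation-Title` manifest header; it does not decide whether a jar is the bundled or the full Tika.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (3, 2, 2)  # threshold taken from the thread: full Tika up to 3.2.1 is affected

def manifest_headers(jar_path):
    """Return the main-section MANIFEST.MF headers of a jar as a dict."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return {}
    # Keep the main section only, then unfold wrapped (continuation) lines.
    main = raw.replace("\r\n", "\n").split("\n\n", 1)[0].replace("\n ", "")
    headers = {}
    for line in main.split("\n"):
        name, sep, value = line.partition(": ")
        if sep:
            headers[name] = value.strip()
    return headers

def version_tuple(text):
    """'3.2.1' -> (3, 2, 1); '1.28.4.0002L' -> (1, 28, 4); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def find_tika_jars(root):
    """Inventory Tika jars under root, including copies left in felix-cache."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        h = manifest_headers(jar_path)
        ident = " ".join([jar_path.name, h.get("Bundle-SymbolicName", ""),
                          h.get("Implementation-Title", "")]).lower()
        if "tika" not in ident:
            continue
        raw_version = h.get("Bundle-Version") or h.get("Implementation-Version")
        if not raw_version:  # no version header: fall back to the file name
            m = re.search(r"(\d+\.\d+(?:\.\d+)?)", jar_path.name)
            raw_version = m.group(1) if m else ""
        ver = version_tuple(raw_version)
        findings.append({"path": str(jar_path), "version": raw_version,
                         "below_3_2_2": ver is not None and ver < FIXED,
                         "in_felix_cache": "felix-cache" in jar_path.parts})
    return findings

if __name__ == "__main__":
    for f in find_tika_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f)
```

Run it with the Lucee install directory as its argument; a row with both `below_3_2_2` and `in_felix_cache` set is an old copy of the kind the cache clear and service restart are meant to remove.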
Lucee will only use the exact Tika version defined in the core manifest.
But I appreciate the frustration this causes.
I know I’m gonna sound like a broken record here and nobody seems to care, but we really need companies using Lucee to step up and support the platform they run their business on.
My focus is on keeping everything running, so I’m not across who is sponsoring Lucee. If you already are, great, fantastic, thank you.
I’m focused on the development side, but I know pretty much every company charges their clients for work; factoring into budgets a bit of support for Lucee would make a difference.
We need and love your support. It’s cheaper and more productive for companies sponsoring Lucee than spending hours dealing with clients asking questions.