Norconex / crawlers

Norconex Crawlers (or spiders) are flexible web and filesystem crawlers for collecting, parsing, and manipulating data from the web or filesystem to various data repositories such as search engines.
https://opensource.norconex.com/crawlers
Apache License 2.0

Norconex components #883

Closed rukiataliu closed 1 week ago

rukiataliu commented 3 months ago

We are using Norconex as our webcrawler and we discovered that version 3.0.2 has components with vulnerabilities; please see below.

1) ICU4j 4.6
2) Jackson-databind 2.8.9

Is there a plan to upgrade these components to newer, less vulnerable versions?

Thanks

sakanaosama commented 2 months ago

In relation to the webcrawler version 3.0.2, both libraries are utilized in Norconex-commons-lang v2. Furthermore, the upcoming web-crawler version 4 will adopt the new Norconex-commons-lang v3.

  1. Despite Norconex-commons-lang v3 (the upcoming webcrawler v4) still employing ICU4j 4.6, it is necessary to mention that the vulnerability associated with version 4.6 pertains to remote access, a feature neither utilized by Norconex-commons-lang v2 nor v3. Consequently, both versions of Norconex-commons-lang are considered safe.

  2. The upgrade from Jackson-databind 2.8.9 to version 2.16.1 is implemented in the new Norconex-commons-lang v3 (upcoming webcrawler v4).

-Ryan Ng

rukiataliu commented 2 months ago

Thanks a lot Ryan! Do you know when this v4 will be available? Thanks

On Feb 26, 2024, at 5:58 PM, Ryan Ng @.***> wrote:

> In relation to the webcrawler version 3.0.2, both libraries are utilized in Norconex-commons-lang v2. Furthermore, the upcoming web-crawler version 4 will adopt the new Norconex-commons-lang v3.
>
> Despite Norconex-commons-lang v3 (the upcoming webcrawler v4) still employing ICU4j 4.6, it is necessary to mention that the vulnerability associated with version 4.6 pertains to remote access, a feature neither utilized by Norconex-commons-lang v2 nor v3. Consequently, both versions of Norconex-commons-lang are considered safe.
>
> The upgrade from Jackson-databind 2.8.9 to version 2.16.1 is implemented in the new Norconex-commons-lang v3 (upcoming webcrawler v4).
>
> -Ryan Ng

sakanaosama commented 2 months ago

We don't have a set date for the v4 release yet. Stay updated by subscribing to our website, and following us on Facebook or LinkedIn for the latest updates. Once it's ready, we'll announce it on our public channels.

stale[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.