...
The information related to Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshot below).
Repository | Group | Impact Analysis | Action
---|---|---|---
appc | org.codehaus.jackson | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency via jackson-jaxrs. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function, which has the vulnerability. We were unable to find any reference to this vulnerability in appc code. | No Action Required
appc | org.codehaus.jackson | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency via jersey-json. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function, which has the vulnerability. We were unable to find any reference to this vulnerability in appc code. | No Action Required
appc | com.fasterxml.jackson.core | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core | False Positive Explanation: appc does not use https://github.com/FasterXML/jackson-core/pull/322. appc code using JsonParser/JsonProcessingException/type.TypeReference: | No action required
appc | org.apache.karaf.jaas | False Positive Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. This is an indirect dependency via odl. We do not use The following JIRA is tracking this issue: | No action required
appc | org.apache.httpcomponents | False Positive. Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. The application is vulnerable by using this component. This is an indirect dependency via odl. We do not use The following JIRA is tracking this issue: | Ultimately the update must come from the OpenDaylight project; APPC would pick it up when CCSDK picks it up.
appc | org.glassfish.grizzly | False Positive: Library not used by APPC code directly, but it is contained in the cdp-pal library. The dependency comes from cdp-pal; however, this should not be a security concern, as CDP-PAL/woorea does not host any URLs for incoming GET requests, and from what we read about the vulnerability it should not apply, as grizzly-http is only used for outgoing calls. It is not used to allow incoming GET requests. | Will follow up with CDP-PAL to see if the version can be updated, even though it is not a risk for APPC.
appc | com.fasterxml.jackson.core | False Positive: Please read the item above for artifact jackson-databind-2.8.1, which is in the same group, com.fasterxml.jackson.core. | No action required
appc | com.att.nsa: dmappClient:jar | org.onap.dmaap.messagerouter.dmaapclient has 5 security vulnerabilities; 4 of these are related to com.att.nsa:dmaapclient and the other is related to jackson-core.jar, which we can't fix as all versions are vulnerable. The DMaaP client is not using jackson-core.jar in a way that will cause the vulnerability. I don't know why the vulnerabilities in component com.att.nsa:dmaapclient are showing under the component org.onap.dmaap.messagerouter.dmaapclient. I created ticket #54030 with the LF, but I haven't received any response. Please refer to the following link for more details. Let me know if you have any questions. |
appc/cdt | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Comes with spring-boot-starter.jar:2.0.4.RELEASE; this is the latest version that we can upgrade to. |
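The Jackson rows above all rest on one condition: the polymorphic-deserialization issue is only reachable if default typing is enabled on the ObjectMapper (or class-based @JsonTypeInfo is used) before deserialization, and it is neutralised when a concrete Java type is the target. The following is an added example, not APPC project code: a hypothetical line-based Python audit over Java source that checks exactly that condition, so the "appc doesn't invoke this method" rationale can be re-verified on each scan; the Java snippets it scans are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical line-based audit for the condition the Jackson triage rows rely on:
# a hit means the polymorphic-deserialization issue may be reachable; no hits
# across the code base supports the "false positive" rationale.
DEFAULT_TYPING = re.compile(r"\b(setDefaultTyping|enableDefaultTyping|activateDefaultTyping)\s*\(")
CLASS_TYPE_INFO = re.compile(r"@JsonTypeInfo\s*\([^)]*use\s*=\s*(?:JsonTypeInfo\.)?Id\.(CLASS|MINIMAL_CLASS)")
READ_VALUE = re.compile(r"\.readValue\s*\((?P<args>[^;]*)\)")
NON_CONCRETE = re.compile(r"\b(Object|Serializable|Comparable)\s*\.class\b")

@dataclass
class Finding:
    path: str
    line: int
    kind: str   # default-typing | class-based-type-info | non-concrete-target
    text: str

def scan_java_source(path: str, source: str) -> List[Finding]:
    """One Finding per line that enables default typing, uses a class-based
    @JsonTypeInfo, or deserializes into a non-concrete target (line-based
    heuristic: multi-line calls and annotations are not joined)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DEFAULT_TYPING.search(line):
            findings.append(Finding(path, lineno, "default-typing", line.strip()))
        if CLASS_TYPE_INFO.search(line):
            findings.append(Finding(path, lineno, "class-based-type-info", line.strip()))
        call = READ_VALUE.search(line)
        if call and NON_CONCRETE.search(call.group("args")):
            findings.append(Finding(path, lineno, "non-concrete-target", line.strip()))
    return findings

def default_typing_reachable(sources: Dict[str, str]) -> bool:
    """True if any scanned file shows a pattern that makes the issue reachable."""
    return any(scan_java_source(p, s) for p, s in sources.items())

# Constructed Java samples (not APPC code): the usage the triage rows describe as
# safe, and the configuration under which the vulnerability would actually apply.
SAFE_JAVA = """ObjectMapper mapper = new ObjectMapper();
// concrete target type, default typing never enabled
VnfRequest req = mapper.readValue(body, VnfRequest.class);
"""
RISKY_JAVA = """ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object payload = mapper.readValue(body, Object.class);
"""
```

Run `scan_java_source` over each `.java` file in the repository and treat any Finding as a reason to revisit the "No Action Required" verdict for the jackson-databind rows.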