...
Repository | Group/Artifact/Version | Impact Analysis | Action
---|---|---|---
appc | com.fasterxml.jackson.core/jackson-databind/2.8.4 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.13 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency from jackson-jaxrs. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.9 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.2 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency from jersey-json. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.1 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.3.2 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core/jackson-core/2.3.2 | False Positive Explanation: appc doesn't use https://github.com/FasterXML/jackson-core/pull/322. appc code using JsonParser/JsonProcessingException/type.TypeReference: https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-dg/appc-dg-shared/appc-dg-ssh/common/src/main/java/org/onap/appc/dg/ssh/impl/SshDBPluginImplutil/JsonUtil.java;h=c3dfc61d6930120a22eb2f566b33cdbb683e40a07e6f5ef8d000bd2037cb7405f43dc1eb0cebda50;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blobtree;f=appc-dispatcherconfig/appc-requestflow-handler/appc-request-handler-corecontroller/provider/src/main/java/org/onap/appc/messageadapterflow/implcontroller/MessageAdapterImpl.javanode;h=ecc7f729c76fa85d034e4def5cbf690543c6bcbb68460c525de553dff2f626cccb1c4de48b9b6b5f;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-dg/appc-dispatcherdg-shared/appc-requestdg-mdsal-handlerstore/appc-requestdg-handlermdsal-corebundle/src/main/java/org/onap/appc/requesthandlermdsal/convimpl/ConverterMDSALStoreImpl.java;h=5aac95a42bc230c5c7b7ea2fbbbf142bf0ea2df3fcd315bf6be4f8756c13b1663f8424d57c9d7e81;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-dg/appc-eventdg-listenershared/appc-eventdg-listener-bundlenetconf/src/main/java/org/onap/appc/listenerdg/LCMnetconf/convimpl/ConverterNetconfDBPluginImpl.java;h=6e303a5ff2cbb1269cca6a8dae8ccef4ca124d9b459ece9c1ead17a579895e344b15116e5bb1661a;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-event-listenerdg/appc-dg-shared/appc-eventdg-listener-bundlessh/src/main/java/org/onap/appc/listenerdg/LCMssh/impl/WorkerImplSshDBPluginImpl.java;h=acf6d8bccc2dceeca918429e047c05bc441498b1c3dfc61d6930120a22eb2f566b33cdbb683e40a0;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-inbounddispatcher/appc-designrequest-services/provider/srchandler/appc-request-handler-core/src/main/java/org/onap/appc/designmessageadapter/dbervicesimpl/DesignDBServiceMessageAdapterImpl.java;h=83ef0f914873e21bfd6648e6d593b7a00fb5b10eecc7f729c76fa85d034e4def5cbf690543c6bcbb;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-inbounddispatcher/appc-designrequest-services/providerhandler/appc-request-handler-core/src/main/java/org/onap/appc/designrequesthandler/validatorconv/ValidatorServiceConverter.java;h=7ba518d212cf9176294850c44b9fb0ac180c52485aac95a42bc230c5c7b7ea2fbbbf142bf0ea2df3;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-event-oamlistener/appc-event-oamlistener-bundle/src/main/java/org/onap/appc/listener/oamLCM/messageadapterconv/Converter.java;h=152ffc9ccc20fd4aa464f24ab58ae8715fdb7d8f6e303a5ff2cbb1269cca6a8dae8ccef4ca124d9b;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-event-oamlistener/appc-event-oamlistener-bundle/src/main/java/org/onap/appc/oamlistener/LCM/messageadapterimpl/MessageAdapterWorkerImpl.java;h=91836cb406fd305588bc1a4d32e1a98964e4dddaacf6d8bccc2dceeca918429e047c05bc441498b1;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-sdc-listenerinbound/appc-sdc-listener-bundledesign-services/provider/src/main/java/org/onap/appc/sdcdesign/artifactsdbervices/helper/DependencyModelGeneratorDesignDBService.java;h=62212d74ca2aab916281cd763783c1666a9d07ec83ef0f914873e21bfd6648e6d593b7a00fb5b10e;hb=117c7e7210f00da7011275be4347aae8d500002a https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-sequence-generatorinbound/appc-sequence-generator-bundledesign-services/provider/src/main/java/org/onap/appc/seqgendesign/dgpluginvalidator/impl/SequenceGeneratorPluginImplValidatorService.java;h=f99ca4cfb0ef3cea75074e19a0da89c55de6d6c37ba518d212cf9176294850c44b9fb0ac180c5248;hb=117c7e7210f00da7011275be4347aae8d500002a | No action required
appc | com.att.nsa/dmappClient/0.2.12 | org.onap.dmaap.messagerouter.dmaapclient has 5 security vulnerabilities; 4 of these are related to com.att.nsa:dmaapclient and the other is related to jackson-core.jar, which we can't fix as all versions are vulnerable. The DMaaP client is not using jackson-core.jar in a way that would trigger the vulnerability. I don't know why the vulnerabilities in component com.att.nsa:dmaapclient are showing under the component org.onap.dmaap.messagerouter.dmaapclient. I created ticket #54030 with the LF, but I haven't received any response. Please refer to the following links for more details. Let me know if you have any questions. https://wiki.onap.org/pages/viewpage.action?pageId=28379799 https://jira.onap.org/browse/APPC-1176 |
appc | org.apache.karaf.jaas/org.apache.karaf.jaas.modules/4.0.10 | False Positive Explanation: This is an indirect dependency from odl. We do not use The following JIRA is tracking this issue: APPC-710 (ONAP JIRA) | No action required
appc | org.apache.httpcomponents/httpclient/4.5.2 | False Positive Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. The application is vulnerable by using this component. This is an indirect dependency from odl. We do not use The following JIRA is tracking this issue: | Ultimately the update must come from the OpenDaylight project; APPC would pick it up when CCSDK picks it up.
appc | org.glassfish.grizzly/grizzly-http/2.3.28 | False Positive: Library not used by APPC code directly, but it is contained in the cdp-pal library. The dependency comes from cdp-pal; however, this should not be a security concern, as CDP-PAL/woorea does not host any URLs for incoming GET requests, and from what we read about the vulnerability it should not apply, as grizzly-http is only used for outgoing calls. It is not used to accept incoming GET requests. | Will follow up with CDP-PAL to see if the version can be updated even though it is not a risk for APPC.
appc | com.fasterxml.jackson.core/jackson-core/2.8.1 | False Positive: Please read the item above for artifact jackson-databind-2.8.1, which is in the same group: com.fasterxml.jackson.core | No action required
appc/cdt | com.fasterxml.jackson.core/jackson-databind/2.9.6 | Comes with spring-boot-starter.jar 2.0.4.RELEASE; this is the last version that we can upgrade to. |
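The jackson-databind rows above all rest on one claim: the reported deserialization issues only apply when default typing is switched on, and appc binds JSON to concrete classes with a plain ObjectMapper. The following Java class is an added example, not appc code, that shows the two configurations side by side so a reviewer can verify the claim against a code base. `VnfRequest`, the sample JSON and the placeholder type name are constructed for the example; `enableDefaultTyping()` and `setDefaultTyping()` are the ObjectMapper methods the scanner findings refer to (replaced in Jackson 2.10+ by `activateDefaultTyping(PolymorphicTypeValidator)`).

```java
// Added example, not part of the appc project. Demonstrates why binding to a
// concrete type with a default ObjectMapper is not affected by the
// default-typing deserialization issues, and what the risky setting looks like.
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class JacksonTypingCheck {

    // Hypothetical concrete target type; appc's real request classes are not reproduced.
    public static class VnfRequest {
        public String vnfId;
        public String action;
    }

    // Constructed sample input: a normal request, and the same request carrying a
    // polymorphic type hint. Only a mapper with default typing enabled would act on it.
    static final String PLAIN =
        "{\"vnfId\":\"vnf-1\",\"action\":\"Restart\"}";
    static final String WITH_TYPE_HINT =
        "{\"@class\":\"example.PlaceholderType\",\"vnfId\":\"vnf-1\",\"action\":\"Restart\"}";

    /**
     * The pattern the table describes: default ObjectMapper, explicit concrete type.
     * No type information is read from the JSON, so a class name in the input
     * is just an unknown property. FAIL_ON_UNKNOWN_PROPERTIES is already the
     * default; it is enabled explicitly here so the intent is visible in review.
     */
    public static VnfRequest readStrict(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return mapper.readValue(json, VnfRequest.class);
    }

    /**
     * The configuration the scanner findings are about, shown so reviewers can
     * recognise it: with default typing enabled, class names in the input select
     * the type Jackson instantiates. setDefaultTyping(...) has the same effect.
     * Not used below and not to be used with untrusted JSON.
     */
    public static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        VnfRequest ok = readStrict(PLAIN);
        System.out.println("bound: " + ok.vnfId + " / " + ok.action);
        try {
            readStrict(WITH_TYPE_HINT);
        } catch (UnrecognizedPropertyException e) {
            // Expected: the type hint is rejected as an unknown property
            System.out.println("rejected unknown property: " + e.getPropertyName());
        }
    }
}
```

When re-checking a row of this table, search the module for `enableDefaultTyping`, `setDefaultTyping` and `activateDefaultTyping`, and confirm that every `readValue` call passes a concrete class or `TypeReference` rather than `Object.class`; `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows which transitive dependency pulls the flagged version in.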