...
Repository | Group/Artifact/Version | Impact Analysis | Action
---|---|---|---
appc | com.fasterxml.jackson.core/jackson-databind/2.8.4 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.13 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency via jackson-jaxrs. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.9 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.2 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency via jersey-json. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.1 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.3.2 | There is no non-vulnerable version of this component. False Positive Explanation: This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc does not invoke this method, and a concrete Java type is explicitly specified when deserializing JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.att.nsa/dmappClient/0.2.12 | org.onap.dmaap.messagerouter.dmaapclient has 5 security vulnerabilities; 4 of these are related to com.att.nsa:dmaapclient and the other is related to jackson-core.jar, which we can't fix as all the versions are vulnerable. The DMaaP client is not using jackson-core.jar in a way that will cause the vulnerability. I don't know why the vulnerabilities in component com.att.nsa:dmaapclient are showing under the component org.onap.dmaap.messagerouter.dmaapclient. I created ticket #54030 with the LF, but I have not received any response. Please refer to the following link for more details. Let me know if you have any questions. |
appc | org.apache.karaf.jaas/org.apache.karaf.jaas.modules/4.0.10 | False Positive Explanation: This is an indirect dependency via odl. We do not use The following JIRA is tracking this issue: APPC-710 | No action required
appc | com.fasterxml.jackson.core/jackson-core/2.3.2 | False Positive Explanation: appc does not use https://github.com/FasterXML/jackson-core/pull/322 appc code using JsonParser/JsonProcessingException/type.TypeReference: https://gerrit.onap.org/r/gitweb?p=appc.git;a=blob;f=appc-common/ | No action required
appc | org.apache.httpcomponents/httpclient/4.5.2 | False Positive Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. The application is vulnerable by using this component. This is an indirect dependency via odl. We do not use The following JIRA is tracking this issue: | Ultimately the update must come from the OpenDaylight project; APPC would pick it up when CCSDK picks it up.
appc | org.glassfish.grizzly/grizzly-http/2.3.28 | False Positive: Library not used by APPC code directly, but it is contained in the cdp-pal library. The dependency comes from cdp-pal; however, this should not be a security concern, as CDP-PAL/woorea does not host any URLs for incoming GET requests, and from what we read about the vulnerability it should not apply, as grizzly-http is only used for outgoing calls. It is not used to accept incoming GET requests. | Will follow up with CDP-PAL to see if the version can be updated even though it is not a risk for APPC.
appc | com.fasterxml.jackson.core/jackson-core/2.8.1 | False Positive: Please read the item above for artifact jackson-databind-2.8.1, which is in the same group: com.fasterxml.jackson.core | No action required
appc/cdt | com.fasterxml.jackson.core/jackson-databind/2.9.6 | Comes with spring-boot-starter.jar:2.0.4.RELEASE; this is the latest version we can upgrade to. |
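The false-positive argument repeated in the jackson-databind rows above (the polymorphic deserialization issue needs default typing to be switched on, and appc deserializes into an explicitly named concrete type) can be verified directly against an ObjectMapper. The code below is an added example, not appc's own code: `Event` is a hypothetical target POJO, `HINTED_JSON` is a constructed payload carrying a type hint, and jackson-databind 2.x is assumed on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class DefaultTypingCheck {

    // Hypothetical concrete target type; appc's real types are not shown on this page.
    public static class Event {
        public String name;
        public int count;
    }

    // Constructed sample payload. "@class" is only meaningful to Jackson when default
    // typing has been enabled; otherwise it is just an unknown property.
    static final String HINTED_JSON =
        "{\"@class\":\"some.other.Type\",\"name\":\"x\",\"count\":1}";

    /** Safe pattern from the table: plain mapper, explicit concrete target type. */
    public static Event readSafely(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // setDefaultTyping()/enableDefaultTyping() never called
        return mapper.readValue(json, Event.class);
    }

    /** Audit helper: true if the mapper has any default typer configured. */
    public static boolean defaultTypingEnabled(ObjectMapper mapper) {
        return mapper.getDeserializationConfig()
                     .getDefaultTyper(mapper.constructType(Object.class)) != null;
    }

    public static void main(String[] args) throws Exception {
        // With the defaults, the type hint is rejected as an unrecognized property
        // (FAIL_ON_UNKNOWN_PROPERTIES is on by default) rather than acted upon.
        try {
            readSafely(HINTED_JSON);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("type hint rejected as unknown property: " + e.getPropertyName());
        }

        // Weak setting beside the default: only a mapper configured like this
        // would honour the hint, which is what the scanner finding assumes.
        ObjectMapper weak = new ObjectMapper();
        weak.enableDefaultTyping();
        System.out.println("weak mapper, default typing enabled: " + defaultTypingEnabled(weak));
        System.out.println("plain mapper, default typing enabled: " + defaultTypingEnabled(new ObjectMapper()));
    }
}
```

Running `defaultTypingEnabled` over every mapper a module constructs is the concrete check behind the "appc doesn't invoke this method" claim in the table.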