...
Repository | Group/Artifact/Version | Impact Analysis | Action
---|---|---|---
appc | com.fasterxml.jackson.core/jackson-databind/2.8.4 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.13 | There is no non-vulnerable version of this component. False Positive Explanation: this vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency from jackson-jaxrs. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.9 | |
appc | org.codehaus.jackson/jackson-mapper-asl/1.9.2 | There is no non-vulnerable version of this component. False Positive Explanation: this vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization This is an indirect dependency from jersey-json. We do not use jackson-mapper-asl directly and do not use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this vulnerability from appc code. | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.8.1 | There is no non-vulnerable version of this component. False Positive Explanation: this vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.fasterxml.jackson.core/jackson-databind/2.3.2 | There is no non-vulnerable version of this component. False Positive Explanation: this vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. appc doesn't invoke this method, and a concrete Java type is explicitly specified when deserializing the JSON objects, so this vulnerability has no impact on appc. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization appc code using ObjectMapper: | No Action Required
appc | com.att.nsa/dmappClient/0.2.12 | org.onap.dmaap.messagerouter.dmaapclient has 5 security vulnerabilities; 4 of these are related to com.att.nsa:dmaapclient and the other is related to jackson-core.jar, which we can't fix as all versions are vulnerable. The DMaaP client is not using jackson-core.jar in a way that would cause the vulnerability. I don't know why the vulnerabilities in component com.att.nsa:dmaapclient are showing under the component org.onap.dmaap.messagerouter.dmaapclient. I created ticket #54030 with the LF, but I haven't received any response. Please refer to the following link for more details. Let me know if you have any questions. |
appc | org.apache.karaf.jaas/org.apache.karaf.jaas.modules/4.0.10 | False Positive Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. This is an indirect dependency from odl. We do not use Indirect from org.onap.ccsdk.sli.core:dblib-provider:jar:0.3.0-SNAPSHOT |
appc | com.fasterxml.jackson.core/jackson-core/2.3.2 | False Positive Explanation: appc doesn't use https://github.com/FasterXML/jackson-core/pull/322 appc code using JsonParser/JsonProcessingException/type.TypeReference: | No action required
appc | org.apache.httpcomponents/httpclient/4.5.2 | False Positive Explanation: The Apache httpcomponents component is vulnerable to Directory Traversal. The application is vulnerable by using this component. This is an indirect dependency from odl. We do not use The following JIRA is tracking this issue: | Ultimately the update must come from the OpenDaylight project; APPC would pick it up when CCSDK picks it up.
appc | org.apache.httpcomponents/httpclient/4.5.1 | from CDP-PAL |
appc | org.apache.httpcomponents/httpclient/4.3.5 | org.apache.maven.wagon:wagon-http:jar:2.10:test [INFO] \| +- org.opendaylight.odlparent:karaf-util:jar:3.1.3:test [INFO] \| \| \- org.apache.maven.wagon:wagon-http:jar:2.10:test [INFO] \| \| +- org.apache.maven.wagon:wagon-http-shared:jar:2.10:test [INFO] \| \| \| +- org.jsoup:jsoup:jar:1.7.2:test [INFO] \| \| \| \- commons-lang:commons-lang:jar:2.6:test [INFO] \| \| +- org.apache.httpcomponents:httpclient:jar:4.3.5:test [INFO] \| \| \| \- commons-codec:commons-codec:jar:1.11:test [INFO] \| \| +- org.apache.httpcomponents:httpcore:jar:4.3.2:test [INFO] \| \| \- org.apache.maven.wagon:wagon-provider-api:jar:2.10:test [INFO] \| \| \- org.codehaus.plexus:plexus-utils:jar:3.0.15:test |
appc | org.glassfish.grizzly/grizzly-http/2.3.28 | False Positive: the library is not used by APPC code directly, but is contained in the cdp-pal library. The dependency comes from cdp-pal; however, this should not be a security concern, as CDP-PAL/woorea does not host any URLs for incoming GET requests, and from what we read about the vulnerability it should not apply, since grizzly-http is only used for outgoing calls. It is not used to accept incoming GET requests. | Will follow up with CDP-PAL to see if the version can be updated even though it is not a risk for APPC.
appc/cdt | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Comes with spring-boot-starter.jar:2.0.4.RELEASE; this is the latest version we can upgrade to. |
appc/deployment | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | |
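The jackson-databind rows above all rest on one condition: default typing is never enabled on the ObjectMapper, and the caller names a concrete target type so the payload cannot choose the class that gets instantiated. The following Java example is added here to make that configuration concrete and to give a reviewer a quick way to confirm that a type hint in the input is rejected; it is not appc code, and the `Config` class and the JSON samples are constructed for the example.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/** Added example: deserialization into a concrete type with default typing left off. */
public class ConcreteTypeDeserialization {

    /** Hypothetical target type: a plain POJO with no polymorphic (Object/interface) fields. */
    public static class Config {
        public String name;
        public int timeout;
    }

    /** Mapper configured the way the analysis above assumes: no setDefaultTyping()/enableDefaultTyping(). */
    static ObjectMapper safeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // FAIL_ON_UNKNOWN_PROPERTIES is Jackson's default; enabled explicitly so that
        // unexpected fields are rejected rather than silently ignored.
        mapper.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return mapper;
    }

    /** The target class is chosen by the caller, never by the JSON payload. */
    static Config parse(String json) throws IOException {
        return safeMapper().readValue(json, Config.class);
    }

    /** Review helper: true when the mapper refuses the payload. */
    static boolean isRejected(String json) {
        try {
            parse(json);
            return false;
        } catch (IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed, well-formed input for the concrete type.
        Config ok = parse("{\"name\":\"lcm\",\"timeout\":30}");
        System.out.println(ok.name + " " + ok.timeout);

        // Constructed input in the [typeId, value] shape that default typing would honour.
        // With a concrete target and no default typing, an array cannot be mapped to Config,
        // so Jackson throws instead of consulting the embedded type id.
        System.out.println(isRejected("[\"some.hypothetical.Type\", {\"name\":\"x\"}]"));

        // A property the concrete type does not declare is rejected as well.
        System.out.println(isRejected("{\"name\":\"x\",\"timeout\":1,\"extra\":true}"));
    }
}
```

Compiled against jackson-databind 2.8.x the second and third `isRejected` calls print `true`; the mismatch surfaces as a `JsonMappingException` (an `IOException`), which is the behaviour the table's "concrete java type is explicitly specified" argument depends on. The inverse of this check, a grep of the code base for `setDefaultTyping`, `enableDefaultTyping` and `@JsonTypeInfo(use = Id.CLASS)`, is what backs the "appc doesn't invoke this method" statement.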