This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
...
False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.
...
Request exception
...
False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.
There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.
No Action (same version as R2)
...
False Positive
There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".
No Action (same version as R2)
...
Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library.
At the moment we haven't got any workaround.
...
Request exception
...
False Positive
Vulnerable artifacts are used only in following cases:
- CSIT robot testsuites (hv-collector-dcae-app-simulator, hv-collector-xnf-simulator) which obviously does not pose a threat
- Healthcheck mechanism which ignores client requests and uses ( by dependency to hv-collector-utils ) jackson to create response.
Other modules affected are component-level-tests and coverage report which also are not used in production environment.
Request exception
...
False Positive
The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.
...
Request exception
...
False Positive
According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.
...
Request exception
...
False Positive
There is no use of BeanDeserializerFactory class in snmpmapper. Hence we believe that this vulnerability report is a false positive.
Request exception
...
Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library.
Request exception
...
Added 10/29 - Request exception
Jira server ONAP JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 425b2b0a-557c-3c0c-b515-579789cceedb key DCAEGEN2-927
...
Added 10/29 - Request exception
Jira server ONAP JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 425b2b0a-557c-3c0c-b515-579789cceedb key DCAEGEN2-926
...
Newer non vulnerable version available (5.1.0.RELEASE)
Upgrade to newer version
| Jira | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
Added 10/29 - Request exception
Jira server ONAP JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 425b2b0a-557c-3c0c-b515-579789cceedb key DCAEGEN2-927
...
spring-security-web:5.0.6.RELEASE flagged
No non-vulnerable version available.
...
Upgrade to newer version available
| Jira | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
Refer - R4 DCAE Security/Vulnerability - Full Content