Repository | Group | Impact Analysis | Action
---|---|---|---
policy/common | com.fasterxml.jackson.core | False positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception
policy/common | javax.jms | This is a license issue that is brought in due to inclusion of the DMaaP client. | Request exception
policy/common | com.fasterxml.jackson.datatype | False positive - we are not using any DurationDeserializer or InstantDeserializer. | 
policy/common | org.json | This is a license issue that is brought in due to inclusion of the Cambria client. | Request exception
policy/common | org.checkerframework | This is a license issue that is brought in from google.guava. | Request Integration team to upgrade guava
policy/drools-pdp, policy/drools-applications, policy/distribution, policy/engine | com.fasterxml.jackson.core | False positive - flagged due to inheritance of policy/common. | Request exception
policy/drools-applications | javax.jms | This is a license issue that is brought in due to inclusion of the DMaaP client. | Request exception
policy/drools-applications | org.json | This is a license issue that is brought in due to inclusion of the Cambria client. | Request exception
policy/drools-pdp, policy/drools-applications | com.att.research.xacml | False positive - MIT license should be acceptable. | Request exception
policy/drools-applications | org.checkerframework | This is a license issue that is brought in from google.guava. | Request Integration team to upgrade guava
policy/drools-applications | xml-apis | False positive - Apache 2.0 license should be acceptable. | Request LF to select correct license
policy/drools-pdp | com.fasterxml.jackson.datatype | False positive - flagged due to inheritance of policy/common. | Request exception
policy/drools-pdp | javax.jms | This is a license issue that is brought in due to inclusion of the DMaaP client. | Request exception
policy/drools-pdp | org.json | This is a license issue that is brought in due to inclusion of the Cambria client. | Request exception
policy/drools-pdp | dom4j | This is both a security and a license issue due to Drools v6.5.0.Final including and using this dependency. Upgrading to the 7.x version would not clear this issue and would result in multiple other license exceptions that are not clearable. | Request exception
policy/drools-pdp | jsoup | This is a security issue due to Drools v6.5.0.Final including this dependency. Upgrading to the 7.x version would not clear this issue and would result in multiple other new license exceptions that are not clearable. | Request exception
policy/drools-pdp | ant | This is a security issue due to Drools v6.5.0.Final including this dependency. Upgrading to the 7.x version would clear this issue, but would consequently result in multiple other new license exceptions that are not clearable. | Request exception
policy/drools-pdp | org.checkerframework | This is a license issue that is brought in from google.guava. | Request Integration team to upgrade guava
policy/drools-pdp | jboss.jta | This is a license issue - LGPL. JBoss has a newer set of transaction code which has the same license issue. This feature is unused in ONAP and is disabled. | Request exception
policy/drools-pdp | hibernate-core | This is a license issue - LGPL. This feature is unused in ONAP and is disabled. | Request exception
policy/drools-pdp | hibernate-commons-annotations | This is a license issue - LGPL. This feature is unused in ONAP and is disabled. | Request exception
policy/drools-pdp | mariadb | False positive - BSD3 license. | Request LF to select correct license. NOTE: LF requested ONAP to move to mariadb in the Amsterdam release.
policy/apex-pdp | org.codehaus.jackson.jackson-mapper-asl | This dependency is pulled in by org.apache.avro. We are using the latest version of Avro. We are using Avro to deserialize events. Avro uses jackson-mapper-asl for its JSON decoding. The schema for the events we are decoding is controlled in policy models and prevents executable code being specified. Therefore this vulnerability cannot be exploited. | 
policy/apex-pdp | org.python.jython-standalone.2.7.1 | This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex. There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython. The solution is to warn developers not to install malicious extra Python packages. | Request exception. The apex-pdp documentation for the Jython plugin is updated to warn developers that they must ensure that extra Python packages they add at install time with pip or using the setup.py/build_py.py mechanisms are checked and certified by them as not being malicious.
policy/apex-pdp | dom4j | This dependency is pulled in by hibernate-core. We are using the latest release of Hibernate. The XML schema of incoming events is controlled in Apex, and arbitrary code, even if it were injected, cannot be executed. | Request exception. POLICY-1510 - Investigate Apex dom4j (OPEN)
policy/apex-pdp | org.apache.zookeeper | Liam Fallon - can you take a quick look at the impact? | Request exception
policy/engine | commons-fileupload | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | com.sword-group.bizdock.lib | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | org.apache.tomcat | The declared and effective license are Apache 2.0; the CLM is incorrectly reporting a problem. | Request LF to select correct license
policy/engine | bootstrap | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | com.fasterxml.jackson.core | False positive. The code is not using Jackson in the manner described in the vulnerability. There are too many lines to list here. | Request exception
policy/engine | org.springframework | One version is flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | org.springframework | We will upgrade other versions not related to ONAP Portal SDK. Possibly together; needs investigation. | 
policy/engine | bouncycastle | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | com.mchange | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | angularjs, angular, angular.min.js, angular-ui-grid.min.js, angular-sanitize | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | ng-formio-grid | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | wicket-util | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | moment | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | xerces | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | commons-beanutils | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | esapi | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | antisamy | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/engine | jquery | Flagged due to inclusion of ONAP Portal SDK. | Request exception
policy/distribution | com.fasterxml.jackson.core | Two separate issues: 1) flagged due to inclusion of ONAP SDC; 2) flagged due to inclusion of policy/common. | Request exception
policy/distribution | javax.jms | This is a license issue that is brought in due to inclusion of the DMaaP client. | Request exception
policy/distribution | org.json | This is a license issue that is brought in due to inclusion of the Cambria client. | Request exception
policy/distribution | org.checkerframework | This is a license issue that is brought in from google.guava. | Request Integration team to upgrade guava
 | org.springframework | Flagged due to inheritance from policy/engine, which has a dependency on ONAP Portal SDK. | Request exception
Sample of CLM Report