Page History

This is a license issue that is brought in due to inclusion of DMaap client.

False Positive - we are not using any DurationDeserializer or InstantDeserializer

This is a license issue that is brought in due to inclusion of Cambria client.

policy/

This is a license issue that is brought in from google.guava

There is an MIT license associated with it.

Request Integration team to upgrade guava

or

LF to override

drools-pdp

policy/drools-applications

policy/distribution

policy/engine

False Positive - flagged due to inclusion inheritance of policy/common

policy/drools-applications

pdp

policy/drools-applications

policy/distribution

policy/engine

policy/drools-pdp

This is both a security /and a license issue due to Drools v6.5.0.Final including and using this dependency.

Upgrading to 7.x version would not clear this issue and would result in multiple other license exceptions that are not clearable.

This is a security issue due to Drools v6.5.0.Final including this dependency.

Upgrading to 7.x version would not clear this issue and would result in multiple other new license exceptions that are not clearable.

This is a security issue due to Drools v6.5.0.Final including this dependency.

Upgrading to 7.x version would clear this issue, but would then consequently result in multiple other new license exceptions that are not clearable.

This

dependency is pulled in by org.apache.avro. We are using the latest version of Avro.

We are using Avro to deserialize events. Avro uses jackson-mapper-asl for its Json decoding. The schema for the events we are decoding is controlled in policy models and prevents executable code being specified. Therefore this vulnerability cannot be exploited

This is a license issue - LGPL. JBoss has a newer set of transaction code which has the same license issue.

This feature is unused in ONAP and is disabled.

This is a license issue - LGPL

This feature is unused in ONAP and is disabled.

This is a license issue - LGPL

This feature is unused in ONAP and is disabled.

Request LF to select correct license.

NOTE: LF requested ONAP to move to mariadb in Amsterdam release.

This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex.

There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython.

• The setup.py and build_py.py files allow extra python packages to be installed on the host during the startup of Jython. This mechanism uses the setuptools mechanism to install those packages. That mechanism does not enforce path traversal restrictions, allowing malicious packages to access protected areas on the host.
• Jython uses packages installed with the python pip utility. Pip is vulnerable to Path Traversal attacks, malicious packages installed with pip can access protected areas on the host

The solution is to warn developers not to install malicious extra Python packages.

This dependency is pulled in by hibernate-core. We are using the latest release of Hibernate.

The XML schema of incoming events is controlled in Apex and arbitrary code even if it was injected cannot be executed.

False positive

The code is not using jackson in the manner described in the vulnerability.There are too many lines to list here

angularjs

angular

angular.min.js

angular-ui-grid.min.js

angular-sanitize

moment

moment

moment

moment

2 separate issues: