This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.

The following table addresses two scenarios:

  • Confirmation of a vulnerability including an action
  • False Positive

The Repository, Group, Artifact, Version and Problem Code values are extracted from the CLM report (see the screenshot below).


| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| aaf-authz | | AAF has no vulnerable third party packages in the AAF tool repo. | |
| aaf-cadi | commons.beanutils | False Positive - this jar is used by Shiro, not by CADI code, and is thus a problem with Shiro, not AAF or CADI | None - Shiro needs to fix |
| aaf-cadi | org.apache.shiro | False Positive - this jar is used by Shiro, not by CADI code, and is thus a problem with Shiro, not AAF or CADI | There is a new Jar available, 1.4.0, which appears promising. However, checked with clients which use OpenDaylight. They cannot use 1.4.0 at this time. (4/2/2019) |


...