This table lists the known exploitable and non-exploitable vulnerabilities that the CLM scan reports in third-party packages used by the logging-analytics (POMBA) project, with the impact analysis and the planned action for each finding.


Columns: Repository / Group / Impact Analysis / Action (Jira keys refer to the ONAP JIRA, LOG project)

Repository: logging-analytics, pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: com.fasterxml.jackson.core
Impact Analysis: false positive - we don't use this part of the library (Jira LOG-826)
Action: will fix in Dublin - as no version of jackson is safe (Jira LOG-826)

Repository: logging-analytics
Group: com.fasterxml.jackson.core
Impact Analysis: false positive - we don't use this part of the library (Jira LOG-833)
Action: will fix in Dublin - as no version of jackson is safe (Jira LOG-833)
Note: the implementing library is a non-deployed demo library - with no use in any deployed docker image right now

Repository: pomba-audit-common
Group: com.fasterxml.jackson.core
Impact Analysis: false positive - we don't use this part of the library
Action: will fix in Dublin - as no version of jackson is safe



Repository: logging-analytics
Group: org.glassfish.hk2.external
Impact Analysis: false positive - we don't use this part of the library
Action: will fix in Dublin
Note: the implementing library is a non-deployed demo library - with no use in any deployed docker image right now


Repository: logging-analytics
Group: com.fasterxml.jackson.module
Action: will move to 2.8.7 by upgrading to spring-boot 2.1 - likely before Dublin - but a lot of testing is required
Note: the implementing library is a non-deployed demo library - with no use in any deployed docker image right now


Repository: logging-analytics, pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder
Group: org.springframework.boot
Impact Analysis / Action: like all the other ONAP projects, we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing is required (Jira LOG-829, LOG-830, LOG-874)

Repository: pomba-sdc-context-builder, logging-analytics
Group: org.json
Impact Analysis / Action: like all the other ONAP projects, we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing is required (Jira LOG-830, LOG-874)
Location: Dependency org.json:json:jar:20140107 located at Module org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT
  json-20140107.jar located at reference/logging-slf4j-demo/target/logging-slf4j-demo-1.4.0-SNAPSHOT.war/WEB-INF/lib
  json-20140107.jar located at reference/logging-slf4j-demo/target/logging-slf4j-demo-1.4.0-SNAPSHOT/WEB-INF/lib

Repository: pomba-sdc-context-builder
Group: net.sf.flexjson
Impact Analysis: like all the other ONAP projects, we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing is required
Location: Dependency net.sf.flexjson:flexjson:jar:3.3 located at Module org.onap.logging-analytics.pomba:pomba-sdc-context-builder:jar:1.4.0-SNAPSHOT
  flexjson-3.3.jar located at target/pomba-sdc-context-builder.jar/BOOT-INF/lib
Action: we will defer this like SDC does


Repository: pomba-sdnc-context-builder
Group: handlebars
Impact Analysis: need to upgrade to 4.0.0 or above (Jira LOG-827)
Action: for SDNC-CB this is pushed to Dublin (Jira LOG-827)

Repository: pomba-network-discovery-context-builder, pomba-sdnc-context-builder
Group: stipsan/uikit (swagger)
Impact Analysis: no versions are good - need a replacement for this swagger component (Jira LOG-828)
Action: for SDNC-CB this is pushed to Dublin (Jira LOG-828)

Repository: pomba-sdnc-context-builder
Group: logback-classic
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Note: SDNC-ContextBuilder is not deployed as part of Casablanca - OOM has not branched as of 20181128 - so there is no pod for SDNC-CB in the pod listing below. It will appear in the Dublin branch via master, so the SV (security vulnerability) reports for it can be ignored for now as they are in Dublin scope (there is an issue where CLM jobs are run against master instead of release branches).

Pod listing (onap namespace), showing every POMBA pod except sdnc-cb:
onap          onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2                 2/2       Running            0          4h
onap          onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh            1/1       Running            0          4h
onap          onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x                  1/1       Running            0          4h
onap          onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m                1/1       Running            0          4h
onap          onap-pomba-pomba-kibana-64f8788bbd-9vtr9                       1/1       Running            0          4h
onap          onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j             2/2       Running            0          4h
onap          onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw   2/2       Running            0          4h
onap          onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt                1/1       Running            0          4h
onap          onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69                  2/2       Running            0          4h
onap          onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd          2/2       Running            0          4h
onap          onap-pomba-pomba-validation-service-54598588fc-wf8lx           1/1       Running            0          4h

Action (version): move to 1.2 or above - should be at 1.2.2+ (Jira LOG-846)

Repository: pomba-sdnc-context-builder
Group: struts-core
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Repository: pomba-sdnc-context-builder
Group: struts-taglib
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT
  struts-taglib-1.3.8.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


Repository: pomba-sdnc-context-builder
Group: org.codehaus.plexus
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT


Repository: pomba-sdnc-context-builder
Group: dom4j
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT
  dom4j-1.6.1.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


Repository: pomba-sdnc-context-builder
Group: commons-beanutils
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT
  commons-beanutils-1.9.3.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


Repository: pomba-sdnc-context-builder
Group: org.apache.ant
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT
  ant-1.8.4.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


Repository: pomba-sdnc-context-builder
Group: org.jsoup
Impact Analysis: DMaaP usage related
Action: fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca
Location: Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT
  jsoup-1.7.2.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib
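Several rows above are closed as "false positive - we don't use this part of the library" or "no use in any deployed docker image". A reviewer will want evidence for that before accepting the finding as non-exploitable. The script below is an added example, not code from the logging-analytics/POMBA project: it takes the "Dependency g:a:jar:v located at Module m" lines in the CLM report (the exact format quoted in the Location rows above) and checks whether the module's own compiled classes reference the flagged artifact's package at all, ignoring the copies bundled under BOOT-INF/lib or WEB-INF/lib. The mapping from Maven coordinate to Java package (PACKAGE_OF) is an assumption based on the conventional package of each artifact, and the archive it scans is constructed in the script rather than being a real ONAP build.

```python
"""Added example (not ONAP/POMBA project code): does a module's own code
reference an artifact flagged by the CLM scan?

Input is the "Dependency g:a:jar:v located at Module m" line format from the
CLM report, plus the built archive for that module. The check looks for the
artifact's internal package name inside the module's own .class files
(BOOT-INF/classes or WEB-INF/classes) and does not open the bundled library
jars, so it only finds direct compile-time references.
"""
import io
import re
import zipfile
from typing import Dict, Iterable, List, Set, Tuple

# Matches the dependency-location lines as they appear in the CLM report.
DEP_LINE = re.compile(
    r"Dependency (?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+)"
    r" located at Module (?P<module>[\w.\-:]+)"
)

# Assumption: the conventional Java package each artifact's classes live under,
# in internal ('/'-separated) form. Extend for other flagged coordinates.
PACKAGE_OF = {
    "com.fasterxml.jackson.core:jackson-databind": "com/fasterxml/jackson/databind/",
    "org.json:json": "org/json/",
    "net.sf.flexjson:flexjson": "flexjson/",
    "org.apache.struts:struts-taglib": "org/apache/struts/",
    "org.codehaus.plexus:plexus-utils": "org/codehaus/plexus/",
    "dom4j:dom4j": "org/dom4j/",
    "commons-beanutils:commons-beanutils": "org/apache/commons/beanutils/",
    "org.apache.ant:ant": "org/apache/tools/ant/",
    "org.jsoup:jsoup": "org/jsoup/",
}

APP_CLASS_DIRS = ("BOOT-INF/classes/", "WEB-INF/classes/")


def parse_dependency_lines(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, version, module) for every matching line."""
    found = []
    for line in lines:
        m = DEP_LINE.search(line)
        if m:
            found.append((f"{m['group']}:{m['artifact']}", m["version"], m["module"]))
    return found


def app_classes(archive: bytes) -> Dict[str, bytes]:
    """The module's own .class entries; nested library jars are not opened."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: zf.read(info.filename)
            for info in zf.infolist()
            if info.filename.endswith(".class") and info.filename.startswith(APP_CLASS_DIRS)
        }


def references_to(archive: bytes, package_prefix: str) -> Set[str]:
    """Names of the module's own classes whose constant pool mentions the package."""
    needle = package_prefix.encode("ascii")
    return {name for name, data in app_classes(archive).items() if needle in data}


def check_report(lines: Iterable[str], archives: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map each flagged coordinate (with version) to the classes that reference it.
    An empty set means no direct reference was found, which supports - but does
    not prove - a 'we don't use this part of the library' assessment."""
    result = {}
    for coord, version, module in parse_dependency_lines(lines):
        prefix = PACKAGE_OF.get(coord)
        archive = archives.get(module)
        if prefix is None or archive is None:
            continue  # no package mapping, or the module's archive was not supplied
        result[f"{coord}:{version}"] = references_to(archive, prefix)
    return result


# Two location lines copied from the table above.
SAMPLE_LINES = [
    "Dependency org.json:json:jar:20140107 located at Module "
    "org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT",
    "Dependency org.jsoup:jsoup:jar:1.7.2 located at Module "
    "org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT",
]
SAMPLE_MODULE = "org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT"


def build_sample_archive() -> bytes:
    """Constructed stand-in for the demo war (not a real ONAP artifact): one
    application class that references org.json, one that does not, and a
    bundled json-20140107.jar whose own classes must not count as usage."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as inner:
        inner.writestr("org/json/JSONObject.class", b"\xca\xfe\xba\xbe" + b"org/json/JSONObject")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        # Class-file magic followed by a stand-in constant-pool UTF8 entry.
        zf.writestr("WEB-INF/classes/org/onap/demo/UsesJson.class",
                    b"\xca\xfe\xba\xbe" + b"org/json/JSONObject")
        zf.writestr("WEB-INF/classes/org/onap/demo/Clean.class",
                    b"\xca\xfe\xba\xbe" + b"java/lang/Object")
        zf.writestr("WEB-INF/lib/json-20140107.jar", lib.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    report = check_report(SAMPLE_LINES, {SAMPLE_MODULE: build_sample_archive()})
    for coord, classes in report.items():
        print(coord, "referenced by:", sorted(classes) or "no direct references")
```

Two caveats when reading the result. First, a clean scan only shows the absence of direct references: Spring Boot wires jackson-databind into the HTTP message converters on the project's behalf, so a module can deserialize untrusted JSON with the flagged library without ever naming a Jackson class, which is why "we don't use this part of the library" needs a runtime check (what the deployed container actually loads) and not only a class scan. Second, the scan must be run against the artifact that ships in the docker image, not the local target directory; for the rows closed as "non-deployed demo library" the stronger evidence is the image manifest showing the war is simply not there.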