This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
The following table is addressing 2 different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| aaf-authz | AAF has no vulnerable third party packages in the AAF tool repo. | ||
| aaf-cadi | commons.beanutils | False Positive - this jar is used by Shiro, not by CADI code, and is thus a problem with Shiro, not AAF or CADI | None - Shiro needs to fix |
| aaf-cadi | org.apache.shiro | False Positive - this jar is used by Shiro, not by CADI code, and is thus a problem with Shiro, not AAF or CADI | There is a new Jar available, 1.4.0, which appears promising. However, checked with clients which use OpenDaylight. They cannot use 1.4.0 at this time. (4/2/2019) |