
This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.


Repository | Group | Impact Analysis | Action

logging-analytics

pomba-aai-context-builder

pomba-context-aggregator

pomba-network-discovery-context-builder

pomba-sdc-context-builder

pomba-sdnc-context-builder

com.fasterxml.jackson.core

false positive - we don't use this part of the library

LOG-826


will fix in Dublin - as no version of Jackson is safe

LOG-826

logging-analytics

com.fasterxml.jackson.core

false positive - we don't use this part of the library

LOG-833

will fix in Dublin - as no version of Jackson is safe

Also, the implementing library is a non-deployed demo library, with no use in any deployed Docker image right now

LOG-833

pomba-audit-common

com.fasterxml.jackson.core

false positive - we don't use this part of the library

will fix in Dublin - as no version of Jackson is safe



logging-analytics

org.glassfish.hk2.external

false positive - we don't use this part of the library

will fix in Dublin

Also, the implementing library is a non-deployed demo library, with no use in any deployed Docker image right now


pomba-sdnc-context-builder

pomba-sdnc-context-builder

handlebars

Need to upgrade to or above 4.0.0

LOG-827

For SDNC-CB this is pushed to Dublin

LOG-827

pomba-network-discovery-context-builder

pomba-sdnc-context-builder

stipsan/uikit (swagger)

No versions are good - need a replacement for this swagger component

LOG-828

For SDNC-CB this is pushed to Dublin

LOG-828

pomba-sdnc-context-builder

logback-classic

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Note: SDNC-ContextBuilder is not deployed as part of Casablanca. OOM has not branched as of 20181128, so we can see there is no pod for SDNC-CB; it will appear in the Dublin branch via master. The SV reports can therefore be ignored for now, as they are in Dublin scope (there is an issue where CLM jobs are run against master instead of branches).


onap          onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2                 2/2       Running            0          4h
onap          onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh            1/1       Running            0          4h
onap          onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x                  1/1       Running            0          4h
onap          onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m                1/1       Running            0          4h
onap          onap-pomba-pomba-kibana-64f8788bbd-9vtr9                       1/1       Running            0          4h
onap          onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j             2/2       Running            0          4h
onap          onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw   2/2       Running            0          4h
onap          onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt                1/1       Running            0          4h
onap          onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69                  2/2       Running            0          4h
onap          onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd          2/2       Running            0          4h
onap          onap-pomba-pomba-validation-service-54598588fc-wf8lx           1/1       Running            0          4h


move to or above 1.2 - should be at 1.2.2+

LOG-846

LOG-846

pomba-sdnc-context-builder

struts-core

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

pomba-sdnc-context-builder

struts-taglib

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT


struts-taglib-1.3.8.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


pomba-sdnc-context-builder

org.codehaus.plexus

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT


pomba-sdnc-context-builder

dom4j

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

dom4j-1.6.1.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


pomba-sdnc-context-builder

commons-beanutils

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

commons-beanutils-1.9.3.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


pomba-sdnc-context-builder

org.apache.ant

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

ant-1.8.4.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib


pomba-sdnc-context-builder

org.jsoup

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca

Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

jsoup-1.7.2.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib