Skip to end of metadata
Go to start of metadata

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

RepositoryGroupImpact AnalysisAction
vfc/nfvo/resmanagementcommons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

False positive.No Action.

All of the existing jackson jackson-mapper-asl have vulnerabilities issues.


vfc/nfvo/resmanagementorg.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

Code doesn’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability 

False positive.No Action.

All of the existing jackson jackson-mapper-asl have vulnerabilities issues.

vfc/nfvo/driver/vnfm/svnfm/huaweicommons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/driver/vnfm/svnfm/huawei

False positive
vfc/nfvo/driver/vnfm/svnfm/huaweicommons-httpclient

False positive

Version 3.1 is already newest.

There is no non vulnerable version of this component. 

VF-C code doesn’t use the readRawLine() method in commons-httpclient directly. We plan to replace this jar with Apache HttpComponents, but need some time to update the code and test.

False positive

We are trying to replace this jar with other jars

vfc/nfvo/driver/vnfm/svnfm/huaweiorg.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

We don’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability.

False positive.No Action .

No version with a fix is currently available.

 false positive

vfc/nfvo/driver/vnfm/gvnfm

commons-collections

False positive

Code doesn't use InvokerTransformer

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm

org.apache.cxf

False positive

Code doesn't use the verify() function in AllowAllHostnameVerifier.class and DefaultHostnameVerifier.class, and the decorateWithTLS() function in HttpsURLConnectionFactory.class 

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm

org.springframework

False positive

Code doesn't use getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm

org.springframework

False positive

Code doesn't use the generateMultipartBoundary() method in the MimeTypeUtils class

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.eclipse.jetty.aggregate

False positive

Code doesn't use boolean check(Object credentials) function in the Password.java 

Plan to update the no critical vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm


org.springframework

False positive

Code doesn't use the getValueInternal() method in the OperatorMatches class

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm


org.apache.cxf

False positive

Code doesn't use FormattedServiceListWriter

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm


org.springframework

False positive

Code doesn't use HiddenHttpMethodFilter class

Plan to update the no vulnerability version in D version
vfc/nfvo/driver/vnfm/svnfm/huaweicommons-httpclient

False positive

Code doesn't use it for the verification of the SSL certificate

Will trying to replace this jar with other jars in D release
vfc/nfvo/driver/vnfm/svnfm/huaweicommons-httpclient

False positive

Code doesn't use it for the verification of the SSL certificate

Will trying to replace this jar with other jars in D release

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.apache.cxf

False positive

Code doesn't use the readLine() function in the AttachmentDeserializer class and get() function in the MessageContextImpl class and the ContentDisposition() function in the ContentDisposition class

False positive.No Action.

There is no non vulnerable version of this component

vfc/nfvo/driver/vnfm/gvnfm


org.apache.cxf

False positive

Code doesn't use the readLine() function in the AttachmentDeserializer class and get() function in the MessageContextImpl class and the ContentDisposition() function in the ContentDisposition class 

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm 

org.springframework

False positive

Code doesn't use ResourceHttpRequestHandler to  check for directory traversal

Plan to update the no vulnerability version in D version

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.eclipse.jetty.aggregate

False positive


Plan to update the no critical vulnerability version in D version

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

commons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/driver/vnfm/gvnfm/juju

False positive

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

We don’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability 

False positive.No Action. 

No version with a fix is currently available.

vfc/nfvo/driver/vnfm/gvnfmorg.apache.commonsno vulnerability analysisPlan to update the no vulnerability version in D version
vfc/nfvo/driver/vnfm/gvnfmorg.apache.commons

False positive

Code doesn't use the readStored() method in ZipArchiveInputStream.class

Plan to update the no vulnerability version in D version
vfc-nfvo-driver-emscom.fasterxml.jackson.core

False positive

Explaination: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

ems driver doesn't invoke this method

False positive.No Action.

All of the existing jackson databind have vulnerabilities issues.

vfc-nfvo-driver-emsxerces

False positive

ems driver is using this in the normal way.

There is no non vulnerable version of this component

False positive

There is no non vulnerable version of this component


vfc-nfvo-driver-emsxerces

False positive

ems driver haven't use  the setupCurrentEntity??method in

XMLEntityManager class

False positive
vfc-nfvo-driver-emsjavax.mailEms driver doesn't invoke getUniqueMessageIDValue() methodFalse positive
vfc-nfvo-multivimproxycommons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

There is no non vulnerable version of this component. 

False positive.No Action. 

No version with a fix is currently available.

vfc-nfvo-multivimproxyorg.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

We don’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability 

False positive.No Action. 

No version with a fix is currently available.