This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
ccsdk/apps | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to classes in logback that are used for remote logging, which does not apply to our usage. | |
ccsdk/distribution, | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to classes in logback that are used for remote logging, which does not apply to our usage. | |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.7.7 or greater | |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.8.6 or greater | |
ccsdk/apps, ccsdk/cds, ccsdk/dashboard | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/sli/northbound | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/apps, ccsdk/cds | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | com.fasterxml.jackson.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/parent | com.fasterxml.jackson.core | No non-vulnerable version exists | |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | |
ccsdk/parent | com.fasterxml.jackson.datatype | No non-vulnerable version of Jackson exists | |
ccsdk/sli/northbound | com.google.guava | Need to upgrade to version 23.6.1 or greater | |
ccsdk/parent | com.google.guava | Need to upgrade to version 23.6.1 or greater | |
ccsdk/dashboard | com.google.guava | Need to upgrade to version 23.6.1 or greater | |
ccsdk/distribution, ccsdk/features | com.google.guava | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | com.h2database | FALSE POSITIVE - code is only used in JUnit testing, thus is not exposed during runtime | |
ccsdk/cds | com.h2database | FALSE POSITIVE - code is only used in JUnit testing, thus is not exposed during runtime | |
ccsdk/distribution | com.h2database | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | com.mchange | Inherited from ONAP Portal project library | |
ccsdk/distribution, ccsdk/sli/adaptors | com.sun.mail | Need to upgrade to version 1.5.3 or greater | |
ccsdk/dashboard | commons-beanutils | Inherited from ONAP Portal project library | FALSE POSITIVE - Portal library does not use vulnerable functionality |
ccsdk/distribution, ccsdk/features | commons-beanutils | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/features | commons-beanutils | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/northbound | commons-codec | Library is not used directly in ONAP, but is inherited from upstream Spring Boot. There is no fix yet, but it looks like this was revived today - see https://issues.apache.org/jira/browse/CODEC-134 | |
ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core | commons-codec | Library is not used directly in ONAP, but is inherited from upstream Spring Boot. There is no fix yet, but it looks like this was revived today - see https://issues.apache.org/jira/browse/CODEC-134 | |
ccsdk/dashboard | commons-codec | Inherited from ONAP Portal project library | Must be addressed in Portal project |
ccsdk/distribution, ccsdk/sli/plugins | commons-collections | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | commons-fileupload | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | commons-fileupload | Inherited from ONAP Portal project library | |
ccsdk/apps, ccsdk/distribution, ccsdk/dashboard, ccsdk/sli/plugins | dom4j | Library is not used directly in ONAP, but is inherited from upstream Spring Boot and OpenDaylight. Need to upgrade to version 2.1.1 or higher | |
ccsdk/distribution | io.netty | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | javax.mail | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | javax.servlet | Fixed in version 1.2.3 | |
ccsdk/distribution | net.sf.ehcache | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.activemq | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/cds | org.apache.commons | Fixed in version 1.18 | |
ccsdk/cds | org.apache.commons | Fixed in version 1.16 | |
ccsdk/distribution | org.apache.felix | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors | org.apache.httpcomponents | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/parent | org.apache.karaf | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/parent | org.apache.karaf.features | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.kar | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.webconsole | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/features | org.apache.lucene | Fixed in version 7.0.0-cdh6.0.0 | |
ccsdk/distribution | org.apache.myfaces.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | org.apache.poi | Fixed in version 3.17 | |
ccsdk/features | org.apache.shiro | FALSE POSITIVE - this vulnerability applies to behavior on the Shiro server. We use Shiro only as a client. | No action necessary |
ccsdk/dashboard | org.apache.wicket | Inherited from ONAP Portal library | |
ccsdk/distribution | org.apache.servicemix.bundles | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.shiro | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.thrift | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | org.apache.tomcat.embed | FALSE POSITIVE: CVE only impacts embedded-tomcat running in Windows, which does not impact us since our containers run on Alpine. | |
ccsdk/cds | org.apache.tomcat.embed | FALSE POSITIVE: CVE only impacts embedded-tomcat running in Windows, which does not impact us since our containers run on Alpine. | |
ccsdk/dashboard | org.bouncycastle | Inherited from ONAP Portal library | |
ccsdk/sli/plugins | org.eclipse.jetty | Fixed in version 9.4.12 | |
ccsdk/distribution | org.eclipse.jetty.aggregate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/features | org.elasticsearch | Fixed in version 5.0.0-alpha5 | |
ccsdk/dashboard | org.hibernate | Inherited from ONAP Portal library | |
ccsdk/distribution | org.hibernate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.infinispan | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.jboss.narayana.osgi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.jgroups | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/parent | org.opendaylight.odlparent | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.ops4j.pax.tipi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.ops4j.pax.web | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | org.owasp.antisamy | Inherited from ONAP Portal library | |
ccsdk/dashboard | org.owasp.esapi | Inherited from ONAP Portal library | See R4 Portal Platform Security/Vulnerability - Full Content for current status |
ccsdk/distribution | org.postgresql | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.postgresql | FALSE POSITIVE: | No action necessary |
ccsdk/cds | org.python | There has been no update to this artifact since 2017. Need to find a replacement. | |
ccsdk/parent | org.springframework | Need to upgrade to version 4.3.15 or higher | |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.15 or higher | |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.17 or higher | |
ccsdk/parent | org.springframework | Need to upgrade to version 4.3.18 or higher | |
ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.15 or higher | |
ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.18 or higher | |
ccsdk/apps | org.springframework | Need to upgrade to version 4.3.20 or higher | |
ccsdk/apps | org.springframework | Need to upgrade to version 4.3.18 or higher | |
ccsdk/cds | org.springframework.data | Fixed in version 2.1.6.RELEASE | |
ccsdk/cds | org.springframework.security | Fixed in version 5.1.5.RELEASE | |
ccsdk/apps, ccsdk/cds | org.springframework.security | FALSE POSITIVE - only applies if using Switch User Processing filter, which we do not use | No action necessary |
ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | See R4 Portal Platform Security/Vulnerability - Full Content for current status |
ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | Must be addressed in ONAP Portal project |
ccsdk/dashboard | xerces | Inherited from ONAP Portal library | |
ccsdk/distribution | xerces | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | angular | Inherited from ONAP Portal library | FALSE POSITIVE per ONAP Portal team |
ccsdk/dashboard | angular-sanitize | Inherited from ONAP Portal library | |
ccsdk/dashboard | angular-grid | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
ccsdk/dashboard | angularjs | Inherited from ONAP Portal library | |
ccsdk/distribution | bootstrap | There is no non-vulnerable version | |
ccsdk/dashboard | bootstrap | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
ccsdk/distribution | handlebars | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | jQuery | Inherited from ONAP Portal library | |
ccsdk/distribution | jQuery | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | jQuery | Inherited from swagger-ui | Must be fixed in upstream swagger-ui |
ccsdk/dashboard | jQuery | Inherited from ONAP Portal library | |
ccsdk/dashboard | moment | Inherited from ONAP Portal library | |