Skip to end of metadata
Go to start of metadata

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

RepositoryGroupImpact AnalysisAction

False Positive.

DefaultTyping is disabled, polymorphism with default typing or manual setting by property are not used in NBI.



False positive:

Beanutils is ONLY manipulated for outgoing serialization purpose, to filter json node to populate http response with json.

Beanutils is not used on input data or exposed as is to external client


Note: 1.9.3 is the latest released but still not fix the listed vulnerability.

We tried to use some other frameworks but only beanutils has some key features we can not miss, to filter json response data. Avoiding commonsbenanutils means an important re write of the code.


False positive

Used by the sdc-tosca parser. NBI uses sdc tosca parser without any input parameters provided through the NBI API.