This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| SO | com.fasterxml.jackson.core | False positive Jackson: can be an issue if we leave on default typing In SO we do not use default typing. We use strict parsing and validation of deserialized data. There is no unknown source data from which SO reads the application data (xml/json). | No Action. All of the existing jackson databind have vulnerabilities issues. |
| SO | Commons-beanutils | Remote Code Execution (RCE) using class loader is the reported issue, current SO does not handle the specific scenarios. | No Action All of the existing jackson databind have vulnerabilities issues. |
| SO | commons-collections | Pulled in by Springboot, indirect dependency | Will handle in the E - release SO-1778 |
| SO | dom4j | Pulled in by Springboot, indirect dependency | No Action |
| SO | io.springfox | Used in the vnfm-service and vnfm-simulator module | Need to upgrade to 2.7.0,2.8.0 or 2.9.2 versions we will handle in the E release |
| SO | jquery 1.10.2 | Has no direct usage, comes along with the spring boot in the catalog-db-adapter jar. Is not used in the SO functionality | No Action |
| SO | js-yaml 3.4.6 |
| No Action |
| SO | org.apache.tomcat.embed | Pulled in by Springboot, indirect dependency | Need to upgrade to from 9.0.20 will handle in the E release |
| SO | org.slf4j | Pulled in by Springboot 1.5.13-RELEASE and also specified by SO | Need to upgrade to 1.7.26 will handle in the E release |
| SO | org.springframework | Pulled in by Springboot | Need to upgrade to 5.0.10 or 5.1.5 Will handle in the E - release SO-1778 |
| SO | org.webjars jquery | Not used in the code comes from the springframework
| No Action |
| SO | javax.servlet | No direct reference in the code, this should be pulled in by the framework | |
| SO | org.camunda.bpm | Used in the bpmn module and core module | Need to upgrade 7.11.0-alpha1,7.11.0-alpha2 and 7.11.0-alpha3 we will in the E release |
| SO | org.json | Used in the bpmn module, adapters module, mso-api-handler module, comman modules and asdc-controller | All of the existing jackson databind have vulnerabilities issues. |
| SO | com.googlecode.libphonenumber | Pulled in by Springboot | Need to upgrade to 7.2.3 or any above. |
| SO | com.squareup.okhttp | Used by so adapters and vnfm-simulator | All of the existing jackson databind have vulnerabilities issues. |
| SO | commons-codec | //dependency is mentioned in the main project pom.xml// | All of the existing jackson databind have vulnerabilities issues. |
| SO | commons-fileupload | Used by so bpmn module. | Need to upgrade to 1.4 |
| SO | javax.mail | Pulled in by springboot. | All of the existing jackson databind have vulnerabilities issues. |
| SO | org.springframework.data | need to upgrade to 2.0.14Release or 2.1.6RELEASE and will be handled in the E-release. | |
| SO | org.springframework.security | Used in so adapters, asdc-controller,bpmn,common,mso-api-handlers,docker and vnfm-simulator. | need to upgrade to 5.0.12Eelease or 5.1.5RELEASE and will be handled in the E-release. |
| SO | org.webjars bootstrap | Pulled in by springboot. | Need to upgrade to 4.1.3 and will handle in the E-release. |
| SO | uikit | Pulled in by springboot. | Need to uprade to 2.26.4,2.27.0,2.27.1,2.27.2,2.27.3, 2.27.4 and will handle in the E-release. |
| SO | org.apache.cxf | Used in so adapters,bpmn,common,cxf-logging,logger and docker. | All of the existing jackson databind have vulnerabilities issues. |
| SO | com.google.code.findbugs | Used by adapters and common. | All of the existing jackson databind have vulnerabilities issues. |
| SO | org.hibernate | Used in so adapters,asdc-controller,bpmn, common, mso-api-handlers,mso-catalog-db.(cfg, dialect, exceptions and annotations) | Need to upgrade to 5.3.7.Final and will handle in the E-release |
| SO | org.hibernate.common | Pulled in by Springboot | All of the existing jackson databind have vulnerabilities issues. |
| SO | org.mariadb.jdbc | Driver is used by yaml files for maraidb connection in modules :adapters,mso-catalog-db,mso-api-handlers,bpmn and asdc-controller. | All of the existing jackson databind have vulnerabilities issues. |
| SO libs | com.fasterxml.jackson.core | False positive Jackson: can be an issue if we leave on default typing In SO we do not use default typing. We use strict parsing and validation of deserialized data. There is no unknown source data from which SO reads the application data (xml/json). | No Action All of the exisiting jackson have vunerabilities issues. |
| SO libs | commons-codec | This is used for the decoding of the input. contains an Improper Input Validation vulnerability. The only way is to use extra validations added before the actual input | There is no non vulnerable version of this component. We recommend investigating alternative components or a potential mitigating control. |