This table lists the known exploitable and non-exploitable vulnerabilities reported for third-party packages used in the project, with the impact analysis and the action (JIRA ticket or no action) for each. Each entry below gives the Repository, Group, Impact Analysis and Action columns of the original table.

Repository: logging-analytics, pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: com.fasterxml.jackson.core
Impact analysis:
  • false positive - we don't use this part of the library
  • still no version of jackson is safe
  • jackson-databind is pulled in by:
    ◦ for network-discovery-context-builder: org.springframework.boot:spring-boot-starter-web:jar:1.5.17.RELEASE:compile
    ◦ for aai-context-builder: org.springframework.boot:spring-boot-starter-web:jar:1.5.17.RELEASE:compile
    ◦ for context-aggregator: org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:jar:1.1.5:compile
  • tracking this issue with the following JIRA
Action: LOG-826 - Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SEC (Open)

Repository: logging-analytics
Group: com.fasterxml.jackson.core
Impact analysis:
  • false positive - we don't use this part of the library
  • still no version of jackson is safe
  • also, the implementing library is a non-deployed demo library, with no use in any deployed docker image right now
  • tracking this issue with the following JIRA
Action: LOG-1060

Repository: pomba-audit-common
Group: com.fasterxml.jackson.core
Impact analysis:
  • false positive - we don't use this part of the library
  • as no version of jackson is safe
  • tracking this issue with the following JIRA
Action: LOG-1061

Repository: logging-analytics
Group: org.glassfish.hk2.external
Impact analysis:
  • false positive - we don't use this part of the library
  • also, the implementing library is a non-deployed demo library, with no use in any deployed docker image right now
Action: No action

Repository: pomba-sdnc-context-builder
Group: handlebars
Impact analysis:
  • need to upgrade to 4.0.0 or above
Action: LOG-827 - Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (Open)

Repository: pomba-network-discovery-context-builder, pomba-sdnc-context-builder
Group: stipsan/uikit (swagger)
Impact analysis:
  • don't see it in the report, will close LOG-828
Action: Will close LOG-828

Repository: pomba-sdnc-context-builder
Group: logback-classic
Impact analysis:
  • don't see it in the report, will close LOG-846
Action: Will close LOG-846

Repository: pomba-sdnc-context-builder
Group: struts-core
Impact analysis:
  • DMaaP usage related
  • no version of struts-core is safe
  • tracking this issue with the following JIRA
Action: LOG-1062

Repository: pomba-sdnc-context-builder
Group: struts-taglib
Impact analysis:
  • no issue
Action: No action

Repository: pomba-sdnc-context-builder
Group: org.codehaus.plexus
Impact analysis:
  • DMaaP usage related
  • should update to a newer version
  • tracking this issue with the following JIRA
Action: LOG-1063

Repository: pomba-sdnc-context-builder
Group: dom4j
Impact analysis:
  • false positive; pulled in by Spring Boot, indirect dependency
Action: No action

Repository: pomba-sdnc-context-builder
Group: commons-beanutils
Impact analysis:
  • no version of commons-beanutils is safe
  • tracking this issue with the following JIRA
Action: LOG-1064

Repository: pomba-sdnc-context-builder
Group: org.apache.ant
Impact analysis:
  • no issue
Action: No action

Repository: pomba-sdnc-context-builder
Group: org.jsoup
Impact analysis:
  • no issue
Action: No action

Repository: logging-analytics, pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: org.apache.tomcat.embed
Impact analysis:
  • upgrade to version 8.5.42 - upgrade planned for El Alto
  • tracking this issue with the following JIRA
Action: LOG-1066

Repository: logging-analytics, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: commons-codec
Impact analysis:
  • no version has a policy threat level below 6 at the moment
  • tracking this issue with the following JIRA
Action: LOG-1067

Repository: pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: org.eclipse.jetty
Impact analysis:
  • upgrade to version 9.4.13.v20181111 - upgrade planned for El Alto
  • tracking this issue with the following JIRA
Action: LOG-1068

Repository: pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder, pomba-sdnc-context-builder
Group: org.eclipse.jetty
Impact analysis:
  • upgrade to version 9.4.13.v20181111 - upgrade planned for El Alto
  • tracking this issue with the following JIRA
Action: LOG-1069

Repository: pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdnc-context-builder
Group: ch.qos.logback
Impact analysis:
  • upgrade to version 1.2.3 - upgrade planned for El Alto
  • tracking this issue with the following JIRA
Action: LOG-1070

Repository: pomba-sdnc-context-builder
Group: org.apache.camel
Impact analysis:
  • upgrade to version 2.23.1 - upgrade planned for El Alto
  • tracking this issue with the following JIRA
Action: LOG-1071