This table lists the known vulnerabilities reported against third-party packages used in the CCSDK project, with the impact analysis for each finding (exploitable, inherited from an upstream project, or false positive) and the action taken or planned. Each row corresponds to one reported finding, so a package appears more than once when several findings were reported against it.


| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| ccsdk/apps | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to classes in logback that are used for remote logging, which does not apply to our usage. | Tracked in issue |
| ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to classes in logback that are used for remote logging, which does not apply to our usage. | Tracked in issue |
| ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.7.7 or greater | Tracked in issue |
| ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.8.6 or greater | Tracked in issue |
| ccsdk/apps, ccsdk/cds, ccsdk/dashboard | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/sli/northbound | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/apps, ccsdk/cds | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | com.fasterxml.jackson.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/parent | com.fasterxml.jackson.core | No non-vulnerable version exists | Tracked in issue |
| ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/parent | com.fasterxml.jackson.datatype | No non-vulnerable version of Jackson exists | Tracked in issue |
| ccsdk/sli/northbound | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue |
| ccsdk/parent | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue |
| ccsdk/dashboard | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue |
| ccsdk/distribution, ccsdk/features | com.google.guava | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps | com.h2database | FALSE POSITIVE - the code is only used in JUnit testing and is therefore not exposed at runtime | Tracked in issue |
| ccsdk/cds | com.h2database | FALSE POSITIVE - the code is only used in JUnit testing and is therefore not exposed at runtime | Tracked in issue |
| ccsdk/distribution | com.h2database | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | com.mchange | Inherited from ONAP Portal project library | Tracked in issue |
| ccsdk/distribution, ccsdk/sli/adaptors | com.sun.mail | Need to upgrade to version 1.5.3 or greater | Tracked in issue |
| ccsdk/dashboard | commons-beanutils | Inherited from ONAP Portal project library. FALSE POSITIVE - the Portal library does not use the vulnerable functionality | |
| ccsdk/distribution, ccsdk/features | commons-beanutils | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution, ccsdk/features | commons-beanutils | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/northbound | commons-codec | Library is not used directly in ONAP, but is inherited from upstream Spring Boot. There is no fix yet, but the upstream issue appears to have been revived recently - see https://issues.apache.org/jira/browse/CODEC-134 | Tracked in issue |
| ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core | commons-codec | Library is not used directly in ONAP, but is inherited from upstream Spring Boot. There is no fix yet, but the upstream issue appears to have been revived recently - see https://issues.apache.org/jira/browse/CODEC-134 | Tracked in issue |
| ccsdk/dashboard | commons-codec | Inherited from ONAP Portal project library | Must be addressed in Portal project |
| ccsdk/distribution, ccsdk/sli/plugins | commons-collections | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | commons-fileupload | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | commons-fileupload | Inherited from ONAP Portal project library | Tracked in issue |
| ccsdk/apps, ccsdk/distribution, ccsdk/dashboard, ccsdk/sli/plugins | dom4j | Library is not used directly in ONAP, but is inherited from upstream Spring Boot and OpenDaylight. Need to upgrade to version 2.1.1 or higher | Tracked in issue |
| ccsdk/distribution | io.netty | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | javax.mail | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | javax.servlet | Fixed in version 1.2.3 | Tracked in issue |
| ccsdk/distribution | net.sf.ehcache | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.activemq | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/cds | org.apache.commons | Fixed in version 1.18 | Tracked in issue |
| ccsdk/cds | org.apache.commons | Fixed in version 1.16 | Tracked in issue |
| ccsdk/distribution | org.apache.felix | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors | org.apache.httpcomponents | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution, ccsdk/parent | org.apache.karaf | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/parent | org.apache.karaf.features | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.karaf.kar | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.karaf.webconsole | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution, ccsdk/features | org.apache.lucene | Fixed in version 7.0.0-cdh6.0.0 | Tracked in issue |
| ccsdk/distribution | org.apache.myfaces.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | org.apache.poi | Fixed in version 3.17 | Tracked in issue |
| ccsdk/features | org.apache.shiro | FALSE POSITIVE - this vulnerability applies to behavior on the Shiro server. We use Shiro only as a client. | No action necessary |
| ccsdk/dashboard | org.apache.wicket | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/distribution | org.apache.servicemix.bundles | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.shiro | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.apache.thrift | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps | org.apache.tomcat.embed | FALSE POSITIVE: the CVE only affects embedded Tomcat running on Windows, which does not impact us since our containers run on Alpine. | Tracked in issue. Note: this is not a problem we currently need to address, but it is tracked as a reminder in case there is ever a need to run ONAP natively on Windows. |
| ccsdk/cds | org.apache.tomcat.embed | FALSE POSITIVE: the CVE only affects embedded Tomcat running on Windows, which does not impact us since our containers run on Alpine. | Tracked in issue. Note: this is not a problem we currently need to address, but it is tracked as a reminder in case there is ever a need to run ONAP natively on Windows. |
| ccsdk/dashboard | org.bouncycastle | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/sli/plugins | org.eclipse.jetty | Fixed in version 9.4.12 | Tracked in issue |
| ccsdk/distribution | org.eclipse.jetty.aggregate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution, ccsdk/features | org.elasticsearch | Fixed in version 5.0.0-alpha5 | Tracked in issue |
| ccsdk/dashboard | org.hibernate | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/distribution | org.hibernate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.infinispan | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.jboss.narayana.osgi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.jgroups | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/parent | org.opendaylight.odlparent | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.ops4j.pax.tipi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.ops4j.pax.web | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | org.owasp.antisamy | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/dashboard | org.owasp.esapi | Inherited from ONAP Portal library | |
| ccsdk/distribution | org.postgresql | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/distribution | org.postgresql | FALSE POSITIVE: (a) this CVE is currently disputed; (b) the disputed vulnerability is related to COPY TO/FROM PROGRAM, which we do not use | No action necessary |
| ccsdk/cds | org.python | There has been no update to this artifact since 2017. Need to find a replacement. | |
| ccsdk/parent | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue |
| ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue |
| ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.17 or higher | Tracked in issue |
| ccsdk/parent | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue |
| ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue |
| ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue |
| ccsdk/apps | org.springframework | Need to upgrade to version 4.3.20 or higher | Tracked in issue |
| ccsdk/apps | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue |
| ccsdk/cds | org.springframework.data | Fixed in version 2.1.6.RELEASE | Tracked in issue |
| ccsdk/cds | org.springframework.security | Fixed in version 5.1.5.RELEASE | |
| ccsdk/apps, ccsdk/cds | org.springframework.security | FALSE POSITIVE - only applies if the Switch User Processing filter is used, which we do not use | No action necessary |
| ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | See R4 Portal Platform Security/Vulnerability - Full Content for current status |
| ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | Must be addressed in ONAP Portal project |
| ccsdk/dashboard | xerces | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/distribution | xerces | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | angular | Inherited from ONAP Portal library | FALSE POSITIVE per ONAP Portal team |
| ccsdk/dashboard | angular-sanitize | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/dashboard | angular-grid | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
| ccsdk/dashboard | angularjs | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/distribution | bootstrap | There is no non-vulnerable version | Tracked in issue |
| ccsdk/dashboard | bootstrap | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
| ccsdk/distribution | handlebars | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/dashboard | jQuery | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/distribution | jQuery | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
| ccsdk/apps | jQuery | Inherited from swagger-ui | Must be fixed in upstream swagger-ui |
| ccsdk/dashboard | jQuery | Inherited from ONAP Portal library | Tracked in issue |
| ccsdk/dashboard | moment | Inherited from ONAP Portal library | Tracked in issue |
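The "need to upgrade to version X or greater" and "fixed in version X" rows above are only actionable once a build's resolved dependency versions are compared against them, and Maven version strings such as 4.3.18.RELEASE, 5.0.0-alpha5, 23.6.1-jre or 9.4.12.v20180830 do not compare correctly as plain strings. The following is an added example (not code from the CCSDK project) that reads `mvn dependency:list` output and flags every artifact still below the minimum fixed version quoted in the table. The version ordering is a deliberately simplified approximation of Maven's ComparableVersion (an assumption, not Maven's exact rules): numeric components compare numerically, pre-release qualifiers sort below the unqualified release, and any other qualifier is treated as equal to the release. The minimums are keyed by group, using the highest minimum quoted where the table gives several (Jackson, Spring), and the dependency-list text is a constructed sample, not real CCSDK build output.

```python
"""Flag Maven dependencies whose resolved version is below the table's minimum fixed version.

Added example for this page, not CCSDK project code. Version ordering is a simplified
approximation of Maven's ComparableVersion (assumption): pre-release qualifiers
(alpha/beta/milestone/rc/snapshot) sort below the release; RELEASE, jre, v20180830,
cdh6.0.0 and other unknown qualifiers are treated as equal to the release.
"""
import re

# Pre-release qualifiers in ascending order; anything else counts as released.
_PRE_RELEASE = (("alpha", 1), ("beta", 2), ("milestone", 3), ("rc", 4), ("cr", 4), ("snapshot", 5))
_RELEASED = 6

# numeric core, then an optional qualifier introduced by '.' or '-'
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-](.+))?$")


def _qualifier_key(qualifier):
    """Rank a qualifier so that alpha5 < beta1 < rc2 < (no qualifier / RELEASE / jre)."""
    if not qualifier:
        return (_RELEASED, 0)
    low = qualifier.lower()
    for name, rank in _PRE_RELEASE:
        if low.startswith(name):
            tail = low[len(name):].strip(".-")
            return (rank, int(tail) if tail.isdigit() else 0)
    return (_RELEASED, 0)


def version_key(version):
    """Sortable key for strings like 2.8.6, 4.3.18.RELEASE, 5.0.0-alpha5, 9.4.12.v20180830."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = [int(part) for part in match.group(1).split(".")]
    while len(core) > 1 and core[-1] == 0:   # 4.3 == 4.3.0 == 4.3.0.0
        core.pop()
    return (tuple(core), _qualifier_key(match.group(2)))


def needs_upgrade(current, minimum_fixed):
    """True when the resolved version is strictly below the first fixed version."""
    return version_key(current) < version_key(minimum_fixed)


def parse_dependency_list(lines):
    """Parse `mvn dependency:list` lines into (groupId, artifactId, version).

    Accepts groupId:artifactId:type:version:scope and the six-field form with a
    classifier; header and blank lines are skipped.
    """
    found = []
    for line in lines:
        parts = line.replace("[INFO]", "", 1).strip().split(":")
        if len(parts) == 5:
            group, artifact, _type, version, _scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, _scope = parts
        else:
            continue
        found.append((group, artifact, version))
    return found


def outstanding(dependency_lines, minimums):
    """Return (group, artifact, current, minimum) for each dependency still below its fix version."""
    result = []
    for group, artifact, version in parse_dependency_list(dependency_lines):
        minimum = minimums.get(group)
        if minimum is not None and needs_upgrade(version, minimum):
            result.append((group, artifact, version, minimum))
    return result


# Minimum fixed versions quoted in the table above, keyed by group (highest where several are quoted).
TABLE_MINIMUMS = {
    "com.fasterxml.jackson.core": "2.8.6",
    "com.google.guava": "23.6.1",
    "com.sun.mail": "1.5.3",
    "dom4j": "2.1.1",
    "org.springframework": "4.3.20",
    "org.springframework.data": "2.1.6.RELEASE",
    "org.springframework.security": "5.1.5.RELEASE",
    "org.eclipse.jetty": "9.4.12",
    "org.elasticsearch": "5.0.0-alpha5",
}

# Constructed sample of `mvn dependency:list` output (not real CCSDK build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.4:compile
[INFO]    com.google.guava:guava:jar:23.6.1-jre:compile
[INFO]    org.springframework:spring-core:jar:4.3.18.RELEASE:compile
[INFO]    org.springframework.data:spring-data-commons:jar:2.1.5.RELEASE:compile
[INFO]    org.elasticsearch:elasticsearch:jar:5.0.0-alpha5:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:compile
""".splitlines()

if __name__ == "__main__":
    for group, artifact, current, minimum in outstanding(SAMPLE_DEPENDENCY_LIST, TABLE_MINIMUMS):
        print(f"{group}:{artifact} {current} -> needs {minimum} or greater")
```

On the constructed sample this reports jackson-databind, spring-core and spring-data-commons as outstanding, while guava 23.6.1-jre, elasticsearch 5.0.0-alpha5 and jetty 9.4.12.v20180830 are accepted as meeting the quoted minimum. The simplified ordering is enough for the versions quoted on this page; for a build that uses unusual qualifiers, compare against Maven's own ComparableVersion rather than trusting this approximation.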