This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.
This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.
It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.
In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.
The following table is addressing 2 different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)
...
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.0-SNAPSHOT
...
This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.
This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.
It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.
In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.
The following table is addressing 2 different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)
| Repository | Group | Impact Analysis | Action | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| dcaegen2/analytics/tca | com.fasterxml.jackson.core | Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.0-SNAPSHOT Although the offending dependency appears in all above artifacts, it is only the direct dependent of "dcae-analytics-model". All other uses are transient dependencies through this artifact. Hence the analysis below applies to the "dcae-analytics-model" artifact. Vulnerability report: False Positive Classification Reasoning There is no use of |
| ||||||||
| dcaegen2/analytics/tca | com.fasterxml.jackson.core | Vulnerable artifacts: <same as jackson-databind 2.4.4 above> False Positive Classification Reasoning There is no use of either |
| ||||||||
| dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | Vulnerable artifact: False Positive Classification Reasoning According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive. |
| ||||||||
| dcaegen2/collectors/ves | com.fasterxml.jackson.core | Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2. |
8. |
11 located at Module org.onap.dcaegen2. |
collectors. |
ves:VESCollector:jar |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module
Vulnerability report: CVE-2017-7525 originally reports that the application is vulnerable by using this component, when default typing is enabled. More details about the vulnerability is provided by https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization. False Positive Classification Reasoning: The org.onap.dcaegen2. |
collectors. |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-dmaap:jar:2.2.0-SNAPSHOT
Dependency com
ves:VESCollector code does not enable use of global type information, using Class name as the type id. More over, VESCollector invokes json-schema-validator, which is where jackson-databind is used, post event serialization primarily for schema validation. Thus, we believe that the reported vulnerability is a false positive. |
| ||||||||||
| dcaegen2/services/mapper | com.fasterxml.jackson.core |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-model:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4
Vulnerable artifact: Vulnerability report: incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. False Positive Classification Reasoning: In mapper, Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vunerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. Thus we believe the reporting is a false positive. |
| |||||||||
| dcaegen2/services/mapper | org.springframework | Vulnerable artifact: Dependency org.springframework:spring-expression:jar:5.0.4.RELEASE located at Module org.onap.dcaegen2. |
services.mapper. |
vesadapter:snmpmapper:jar: |
0. |
Although the offending dependency appears in all above artifacts, it is only the direct dependent of "dcae-analytics-model". All other uses are transient dependencies through this artifact. Hence the analysis below applies to the "dcae-analytics-model" artifact.
Vulnerability report:0.1 Vulnerability report: older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. False Positive Classification Reasoning: |
In mapper, there is no use of |
BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence STOMP over websocket. There fore we believe that this |
is a false positive. |
|
| ||
| dcaegen2/ |
| services/ |
| mapper | com.fasterxml.jackson.core | Vulnerable |
artifact: |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2 |
False Positive Classification Reasoning
There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
Vulnerable artifact:
False Positive Classification Reasoning
According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1 Vulnerability report:
False Positive Classification Reasoning: In mapper, Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vunerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. Thus we believe the reporting is a false positive. |
|
| ||
| dcaegen2/ |
| services/ |
| mapper |
| org.springframework | Vulnerable artifact: Dependency |
org.springframework:spring-webmvc:jar: |
5.0. |
4. |
RELEASE located at Module org. |
Vulnerability report:
CVE-2017-7525 originally reports that the application is vulnerable by using this component, when default typing is enabled. More details about the vulnerability is provided by https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization.
False Positive Classification Reasoning:
The org.onap.dcaegen2.collectors.ves:VESCollector code does not enable use of global type information, using Class name as the type id. More over, VESCollector invokes json-schema-validator, which is where jackson-databind is used, post event serialization primarily for schema validation. Thus, we believe that the reported vulnerability is a false positive.
onap.dcaegen2.services.mapper.vesadapter:snmpmapper:jar:0.0.1 Vulnerability report: older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. False Positive Classification Reasoning: The identified vulnerability exists when serving static artifact from Windows host. Our use is neither from a Windows host, or serving static file. Therefore we believe this is afalse positive. |
| ||||||||||
|
|
Vulnerable artifact:
Vulnerability report: incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
False Positive Classification Reasoning:
In mapper, Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vunerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. Thus we believe the reporting is a false positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
All vulnerabilities addressed, according to CLM scan on 04/21. https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/dcaegen2-services-prh/a66b0ace9ec046c18cda082800e0fddc | |||
| dcaegen2/analytics/tca-gen2 | com.fasterxml.jackson.core | Vulnerable artifact:
|
com.fasterxml.jackson.core:jackson-databind:jar: |
2. |
9. |
5 located at |
Module org.onap |
Vulnerability report:
older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
False Positive Classification Reasoning:
In mapper, there is no use of STOMP over websocket. There fore we believe that this is a false positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT |
5 located at |
Module org.onap.dcaegen2. |
Vulnerability report:
jackson-databind is vulnerable to Remote Code Execution (RCE). A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
False Positive Classification Reasoning:
In mapper, Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vunerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. Thus we believe the reporting is a false positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
Vulnerable artifact:
Dependency org.springframework:spring-webmvc:jar:5.0.4.RELEASE located at Module org.onap.dcaegen2.services.mapper.vesadapter:snmpmapper:jar:0.0.1
Vulnerability report:
older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
False Positive Classification Reasoning:
The identified vulnerability exists when serving static artifact from Windows host. Our use is neither from a Windows host, or serving static file. Therefore we believe this is afalse positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312
| False Positive Classification Reasoning to be confirmed if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. | ||
| dcaegen2/analytics/tca-gen2 | org.springframework | spring-aop Vulnerability report | Update spring-aop to newer version 5.0.8.RELEASE version |
| dcaegen2/analytics/tca-gen2 | org.springframework.data | spring-data-commons Vulnerability report | Update spring-data-commons to 2.0.8.RELEASE version |
| dcaegen2/analytics/tca | com.fasterxml.jackson.core |
incomplete fix for the CVE-2017-7525 deserialization flaw
FasterXML 2.9.5 released March 2018, supposed to correct this behavior (in tests currently).
After FasterXML upgrade to 2.9.5, we still have negative CLM scan results, we will be constantly looking at newer FasterXML version, providing permanent correction of bugs found in 2.9.x.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
All vulnerabilities addressed, according to CLM scan on 04/21. https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/dcaegen2-services-prh/a66b0ace9ec046c18cda082800e0fddc
Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT |
web:jar:3.0.0-SNAPSHOT |
test:jar:3.0.0-SNAPSHOT |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT
Dependency
web:jar:3.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312
| False Positive Classification Reasoning to be confirmed if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method. |
| dcaegen2/analytics/tca | com.fasterxml.jackson.core |
Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson- |
core:jar:2. |
4. |
4 located at Module org.onap.dcaegen2.analytics.tca |
:dcae-analytics- |
aai:jar: |
2. |
2. |
1-SNAPSHOT |
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
False Positive Classification Reasoning to be confirmed
if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.
spring-aop
Vulnerability report
spring-data-commons
Vulnerability report
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.1-SNAPSHOT |
core:jar:2. |
4. |
4 located at Module org.onap.dcaegen2.analytics.tca |
:dcae-analytics- |
dmaap:jar: |
2. |
2. |
1-SNAPSHOT |
core:jar:2. |
4. |
4 located at Module org.onap.dcaegen2.analytics.tca |
:dcae-analytics- |
it:jar: |
2. |
2. |
1-SNAPSHOT |
core:jar:2. |
4. |
4 located at Module org.onap.dcaegen2.analytics.tca |
:dcae-analytics |
-model:jar: |
2. |
2. |
1-SNAPSHOT |
core:jar:2. |
4. |
4 located at Module org.onap.dcaegen2.analytics.tca |
:dcae-analytics-tca |
:jar: |
Dependency
2.2.1-SNAPSHOT Vulnerability report: False Positive Classification Reasoning There is no use of |
| ||||||||
| dcaegen2/analytics/tca | com.fasterxml.jackson.core | Vulnerable artifacts: <same as jackson-databind |
2. |
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
False Positive Classification Reasoning to be confirmed
if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.
4.4 above> Vulnerability report: SONATYPE-2016-0397 SONATYPE-2017-0355 | False Positive Classification Reasoning to be confirmed There is no use of either | ||
| dcaegen2/collectors/datafile | org.apache.tomcat.embed | tomcat-embed-core Vulnerability report | Update tomcat-embed-core to 8.5.32 version |
| dcaegen2/collectors/datafile | org.bouncycastle | bcprov-jdk15on Vulnerability report | Upgrade version. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. |
| dcaegen2/collectors/datafile | com.fasterxml.jackson.core | Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson- |
databind:jar:2. |
9. |
5 located at Module org.onap.dcaegen2. |
collectors. |
datafile: |
datafile- |
app- |
server:jar: |
1. |
0. |
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-plugins:jar:2.2.1-SNAPSHOT
Dependency
0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312
| To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995). | ||
| dcaegen2/collectors/datafile | org.springframework | Vulnerability report | Update spring-aop to newer version 5.0.8.RELEASE version |
| dcaegen2/collectors/hv-ves | com.fasterxml.jackson.core |
jackson- |
databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson- |
databind:jar:2. |
9.4 located at Module org.onap.dcaegen2. |
collectors. |
hv-ves: |
hv- |
collector- |
coverage: |
pom: |
1. |
0. |
0-SNAPSHOT |
databind:jar:2. |
9.4 located at Module org.onap.dcaegen2. |
collectors. |
hv-ves: |
hv- |
collector- |
ct:jar: |
1. |
0. |
0-SNAPSHOT |
databind:jar:2. |
9.4 located at Module org.onap.dcaegen2. |
collectors. |
hv-ves:hv-collector-dcae- |
app- |
simulator:jar: |
1. |
0. |
0-SNAPSHOT |
databind:jar:2. |
9.4 located at Module org.onap.dcaegen2. |
collectors. |
hv-ves: |
hv- |
collector- |
utils:jar: |
1. |
0. |
0-SNAPSHOT |
databind:jar:2. |
9.4 located at Module org.onap.dcaegen2. |
collectors. |
hv-ves:hv-collector-xnf-simulator:jar: |
1 |
Vulnerability report:
False Positive Classification Reasoning
There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
Vulnerable artifacts:
<same as jackson-databind 2.4.4 above>
Vulnerability report:
SONATYPE-2016-0397
SONATYPE-2017-0355
False Positive Classification Reasoning to be confirmed
There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".
tomcat-embed-core
Vulnerability report.0.0-SNAPSHOT Vulnerability report: | To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995). | ||
| dcaegen2/collectors/ves | org.apache.tomcat.embed | tomcat-embed-core Vulnerability report: | Update tomcat-embed-core to 8.5.32 version |
bcprov-jdk15on
Vulnerability report
| dcaegen2/collectors/ |
| ves |
| com.fasterxml.jackson.core | jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9. |
6 located at Module org.onap.dcaegen2.collectors. |
ves:VESCollector:jar:1. |
3. |
1-SNAPSHOT Vulnerability report: |
|
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
Vulnerability report
jackson-databind
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-ct:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-dcae-app-simulator:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-utils:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT
Vulnerability report:
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
tomcat-embed-core
Vulnerability report:
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar:1.3.1-SNAPSHOT
Vulnerability report:
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
False Positive Classification Reasoning
The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.
False Positive Classification Reasoning The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here. | |||
| dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3 Vulnerability report:
| False Positive Classification Reasoning According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive. |
| dcaegen2/platform/inventory-api | org.eclipse.jetty | jetty-http, 9.4.2.v20170220 Vulnerability report: | Upgrade to latest version - 9.4.12.v20180830 |
| dcaegen2/platform/inventory-api | org.eclipse.jetty | jetty-server, 9.4.2.v20170220 Vulnerability report: | Upgrade to latest version - 9.4.12.v20180830 |
| dcaegen2/services/mapper | org.codehaus.groovy | groovy-all, 2.4.4 Vulnerability report: | Upgrade to latest version - 2.4.15 |
| dcaegen2/services/mapper | org.apache.tomcat.embed | tomcat-embed-core, 8.5.31 Vulnerability report: | Update tomcat-embed-core to 8.5.32 version |
| dcaegen2/services/mapper | org.springframework | spring-expression, 5.0.3.RELEASE Vulnerability report: | Update to .5.0.9.RELEASE version |
| dcaegen2/services/mapper | com.fasterxml.jackson.core | jackson-databind, 2.9.5 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1 Vulnerability report: SONATYPE-2017-0312
| To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995). |
| dcaegen2/services/mapper | com.fasterxml.jackson.core | jackson-databind, 2.9.6 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2. |
9. |
6 located at Module org.onap.dcaegen2. |
services.mapper:snmpmapper:jar: |
0.0. |
1-SNAPSHOT Vulnerability report: |
SONATYPE-2017- |
Vulnerability report:
Upgrade to latest version - 9.4.12.v201808300312
|
False Positive Classification Reasoning
According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995). | |||
| Vulnerable artifacts: Vulnerability report: | |||
| Vulnerable artifacts: Vulnerability report: |
Vulnerability report:
Vulnerability report: