Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins).  Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.

...

RepositoryGroupImpact AnalysisAction
dcaegen2/analytics/tca-gen2  com.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

DCAEGEN2-765

Request exception

dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.


No Action (same version as R2)


dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive

There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".


No Action (same version as R2)


dcaegen2/collectors/datafile com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

At the moment we haven't got any workaround.

DCAEGEN2-764


Request exception

 dcaegen2/collectors/hv-vescom.fasterxml.jackson.core

False Positive

Vulnerable artifacts are used only in following cases:

  1. CSIT robot testsuites (hv-collector-dcae-app-simulator, hv-collector-xnf-simulator) which obviously does not pose a threat
  2. Healthcheck mechanism which ignores client requests and uses ( by dependency to hv-collector-utils ) jackson to create response.

Other modules affected are component-level-tests and coverage report which also are not used in production environment.

DCAEGEN2-766

Request exception


dcaegen2/collectors/ves  com.fasterxml.jackson.core

False Positive

The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.

Request exception

dcaegen2/platform/inventory-apicom.fasterxml.jackson.core 

False Positive

According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.

DCAEGEN2-768



Request exception

 




dcaegen2/services/mapper  com.fasterxml.jackson.core

False Positive

There is no use of BeanDeserializerFactory class in snmpmapper. Hence we believe that this vulnerability report is a false positive.

DCAEGEN2-769


Request exception


dcaegen2/services/prh com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

DCAEGEN2-770

Request exception



CRITICAL




dcaegen2/analytics/tca-gen2 io.undertow Requires updating to newer version Request exception
  org.springframework.integration Unknown License issue Request exception
  org.springframework.boot  
  io.projectreactor  
  org.checkerframework CC-BY-2.5, LGPL-3.0, MIT 
  com.google.code.findbugs License 
 dcaegen2/analytics/tca com.google.guava  
  commons-codec  
  JunitUnknown License issue 
  c3p0 LGPL-2.1 
  javax.ws.rs CDDL-1.1 or GPL-2.0-CPE,Apache-2.0 
dcaegen2/collectors/datafileorg.springframework  Need to be upgraded to newer version Request exception
  com.jcraftNot applicable; as the application doesn't run on windows Request exception
  org.immutables Unknown License issue 
  org.checkerframework GPL-2.0-with-classpath-exception 
dcaegen2/collectors/hv-ves org.apache.kafkaNeed to be upgraded to newer version Request exception
  org.jetbrains.kotlinx Unknown License issue 
dcaegen2/collectors/ves org.apache.tomcat.embedNeed to be upgraded to newer version Request exception
  com.googlecode.libphonenumber Not applicable. 
  javax.mail Not applicable; as the specified method is not invoked 
  org.json JSON 
  org.checkerframework MIT,GPL-2.0-with-classpath-exception 
dcaegen2/platform/inventory-api org.postgresql : postgresqlNo non-vulnerable version available. 
  org.checkerframework License - LGPL-3.0,MIT,CC-BY-2.5 
  com.google.code.findbugs License  - LGPL-3.0 
dcaegen2/platform/servicechange-handler riddley : riddley  Unknown License issue 
  potemkin : potemkin Unknown License issue 
  org.json : json : 20131018 JSON 
    
    
    
    
    
    
    
    
    
    
    

...