This template is used to document the outcome of the impact analysis of the known vulnerabilities reported by Nexus-IQ (the CLM tab in Jenkins). Nexus-IQ identifies the known vulnerabilities contained in the third-party components used by ONAP components.
...
Repository | Group | Impact Analysis | Action
---|---|---|---
dcaegen2/analytics/tca-gen2 | com.fasterxml.jackson.core | False positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception
dcaegen2/analytics/tca | com.fasterxml.jackson.core | False positive - we are not using the Jackson code in the manner that exposes the vulnerability. There is no use of | No action (same version as R2)
dcaegen2/analytics/tca | com.fasterxml.jackson.core | False positive. There is no use of either | No action (same version as R2)
dcaegen2/collectors/datafile | com.fasterxml.jackson.core | Only used by Swagger, which pulls in Jackson for API generation (from Spring). If we exclude Jackson we get a runtime exception because the library is missing. At the moment we have no workaround. | Request exception
dcaegen2/collectors/hv-ves | com.fasterxml.jackson.core | False positive. Vulnerable artifacts are used only in the following cases: Other modules affected are component-level-tests and the coverage report, which are also not used in the production environment. | Request exception
dcaegen2/collectors/ves | com.fasterxml.jackson.core | False positive. The application is only vulnerable through this component when default typing is enabled and untrusted data is passed in for deserialization, which is not the case here. | Request exception
dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | False positive. According to the description, and given that the org.onap.dcaegen2.platform:inventory-api code does not enable global default typing (using the class name as the type id), we believe this report is a false positive. | Request exception
dcaegen2/services/mapper | com.fasterxml.jackson.core | False positive. There is no use of | Request exception
dcaegen2/services/prh | com.fasterxml.jackson.core | Only used by Swagger, which pulls in Jackson for API generation (from Spring). If we exclude Jackson we get a runtime exception because the library is missing. | Request exception
CRITICAL | | |
dcaegen2/analytics/tca-gen2 | io.undertow | Requires updating to a newer version | Request exception
dcaegen2/analytics/tca-gen2 | org.springframework.integration | Unknown license issue | Request exception
dcaegen2/analytics/tca-gen2 | org.springframework.boot | Unknown license issue | Request exception
dcaegen2/analytics/tca-gen2 | io.projectreactor | Unknown license issue | Request exception
dcaegen2/analytics/tca-gen2 | org.checkerframework | CC-BY-2.5, LGPL-3.0, MIT. False positive - MIT license should be acceptable | Request LF to select correct license
dcaegen2/analytics/tca-gen2 | com.google.code.findbugs | License issue (CC-BY-2.5, LGPL-2.1) | Request exception
dcaegen2/analytics/tca | com.google.guava | No non-vulnerable version available. | Request exception
dcaegen2/analytics/tca | commons-codec | Not applicable, as base32 encoding is not used | Request exception
dcaegen2/analytics/tca | junit | Unknown license issue | Request exception
dcaegen2/analytics/tca | c3p0 | License issue (LGPL-2.1) | Request exception
dcaegen2/analytics/tca | javax.ws.rs | CDDL-1.1 or GPL-2.0-CPE, Apache-2.0. False positive - Apache 2.0 license should be acceptable | Request LF to select correct license
dcaegen2/collectors/datafile | org.springframework | Needs to be upgraded to a newer version. Newer non-vulnerable version available. | Request exception; upgrade to newer version
dcaegen2/collectors/datafile | com.jcraft | Not applicable, as the application doesn't run on Windows | Request exception
dcaegen2/collectors/datafile | org.immutables | Unknown license issue | Request exception
dcaegen2/collectors/datafile | org.checkerframework | License issue (GPL-2.0-with-classpath-exception) | Request exception
dcaegen2/collectors/hv-ves | org.apache.kafka | Needs to be upgraded to a newer version. Newer non-vulnerable version available. | Request exception
dcaegen2/collectors/hv-ves | org.jetbrains.kotlinx | Unknown license issue | Request exception
dcaegen2/collectors/ves | org.apache.tomcat.embed | Needs to be upgraded to a newer version. Newer non-vulnerable version available. | Request exception
dcaegen2/collectors/ves | com.googlecode.libphonenumber | Not applicable. | Request exception
dcaegen2/collectors/ves | javax.mail | Not applicable, as the specified method is not invoked | Request exception
dcaegen2/collectors/ves | org.json | License issue - JSON |
dcaegen2/collectors/ves | org.checkerframework | MIT, GPL-2.0-with-classpath-exception. False positive - MIT license should be acceptable |
dcaegen2/platform/inventory-api | org.postgresql : postgresql | No non-vulnerable version available. |
dcaegen2/platform/inventory-api | org.checkerframework | License issue - LGPL-3.0, MIT, CC-BY-2.5. False positive - MIT license should be acceptable |
dcaegen2/platform/inventory-api | com.google.code.findbugs | License issue - LGPL-3.0 |
dcaegen2/platform/servicechange-handler | riddley : riddley | Unknown license issue |
dcaegen2/platform/servicechange-handler | potemkin : potemkin | Unknown license issue |
dcaegen2/platform/servicechange-handler | org.json : json : 20131018 | License issue - JSON |
dcaegen2/services/mapper | dom4j : dom4j | Not applicable, as the specified method is not invoked |
dcaegen2/services/mapper | org.springframework : spring-web | No non-vulnerable version available, and unknown license reported |
dcaegen2/services/mapper | ognl : ognl : 3.0.9 | Needs to be upgraded to a newer version. Newer non-vulnerable version available. |
dcaegen2/services/mapper | org.postgresql : postgresql : 42.2.4 | No non-vulnerable version available. |
dcaegen2/services/mapper | xerces : xercesImpl : 2.12.0 | No non-vulnerable version available. |
dcaegen2/services/mapper | org.milyn | License issue (LGPL-2.1) |
dcaegen2/services/mapper | org.json : json : 20131018 | License issue - JSON |
dcaegen2/services/mapper | javax.servlet.jsp : jsp-api : 2.1 | Apache-1.1, Apache-2.0, CDDL-1.0, Sun-IP. False positive - Apache 2.0 should be acceptable |
dcaegen2/services/mapper | javax.jms : jms : 1.1 | Apache-1.1, Apache-2.0, CDDL-1.0, Sun-IP. False positive - Apache license should be acceptable |
dcaegen2/services/mapper | org.checkerframework : checker-qual | LGPL-3.0, MIT, CC-BY-2.5. False positive - MIT license should be acceptable |
dcaegen2/services/mapper | org.hibernate.common | LGPL-2.1 |
dcaegen2/services/mapper | com.ibm.icu : icu4j | Unicode |
dcaegen2/services/mapper | org.codehaus.jackson : jackson-core-lgpl | LGPL-2.1 |
dcaegen2/services/mapper | org.hibernate : hibernate-core | LGPL-2.1 |
dcaegen2/services/mapper | com.wutka : dtdparser | LGPL-3.0, Apache-1.1. False positive - Apache license should be acceptable |
dcaegen2/services/mapper | xom : xom | LGPL-2.1 |
dcaegen2/services/prh | org.springframework : spring-web | Needs to be upgraded to a newer version. Newer non-vulnerable version available. | Upgrade to newer version
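Several of the com.fasterxml.jackson.core rows above rest on the same argument: the reported Jackson deserialization issues only apply when global default typing is enabled on the ObjectMapper and untrusted input is deserialized. The following is an added example, not code from the ONAP page or from any DCAE component, showing how a team can turn that argument into a unit-testable check. It assumes jackson-databind 2.10 or later (for the `activateDefaultTyping` API); the package prefix `org.example.hypothetical.` is a placeholder.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

/**
 * Added example (not ONAP/DCAE code): verifies whether an ObjectMapper has
 * global default typing activated, which is the precondition the impact
 * analysis relies on when it marks the Jackson findings as false positives.
 */
public class DefaultTypingCheck {

    /** Returns true when the mapper has global default typing activated. */
    static boolean usesGlobalDefaultTyping(ObjectMapper mapper) {
        // getDefaultTyper(...) returns the TypeResolverBuilder installed by
        // activateDefaultTyping()/enableDefaultTyping(); it is null when
        // default typing is off, which is Jackson's default.
        TypeResolverBuilder<?> typer =
            mapper.getDeserializationConfig().getDefaultTyper(null);
        return typer != null;
    }

    public static void main(String[] args) {
        // Safe configuration: a plain ObjectMapper, no global default typing.
        // Polymorphic handling, if needed, should be declared per type with
        // @JsonTypeInfo/@JsonSubTypes instead of a global setting.
        ObjectMapper safe = new ObjectMapper();

        // Weak configuration: global default typing on. Built here only so the
        // check can be seen to flag it; the validator restricts subtypes to a
        // hypothetical package prefix, which is the minimum Jackson requires.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("org.example.hypothetical.")   // placeholder prefix
            .build();
        ObjectMapper weak = new ObjectMapper()
            .activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);

        System.out.println("safe mapper uses global default typing: "
            + usesGlobalDefaultTyping(safe));
        System.out.println("weak mapper uses global default typing: "
            + usesGlobalDefaultTyping(weak));
    }
}
```

A project that claims "default typing is not enabled" as the basis for an exception request can wire `usesGlobalDefaultTyping` into a unit test against the mapper bean it actually ships, so the claim is checked on every build rather than once at review time.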