Please note: Report is as per London release

so-adapters-so-etsi-sol003-adapter

| Priority | Component name and version | CVE | Recommended version | Threat level | Project’s assessment |
|---|---|---|---|---|---|
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, SONATYPE-2021-4682 | 2.14.1 | | This is an indirect dependency coming from the o-parent. There is no o-parent dependency present in the pom.xml. |
| 1 | org.yaml : snakeyaml : 1.26 | CVE-2022-25857, CVE-2022-38749, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854, CVE-2022-38750 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. That version is declared but there is no use in the entire file. |

so-libs

| Priority | Component name and version | CVE | Recommended version | Threat level | Project’s assessment |
|---|---|---|---|---|---|
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, SONATYPE-2021-4682 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The version 2.14.2 is updated and available in Master branch. |

so

Threat levels are listed in the same order as the entries in the CVE column.

| Priority | Component name and version | CVE | Recommended version | Threat level | Project’s assessment |
|---|---|---|---|---|---|
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, SONATYPE-2021-4682 | 2.14.1 | 7, 7, 7, 7 | This is an indirect dependency coming from the o-parent. The version 2.14.2 is updated and available in Master branch. |
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.9.8 | CVE-2019-12086, CVE-2020-25649, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004 | 2.14.1 | 7, 7, 7, 7, 7 | Same as above |
| 1 | com.google.protobuf : protobuf-java : 3.10.0 | CVE-2022-3171, CVE-2022-3509, CVE-2021-22569 | 4.0.0-rc-2 | 7, 7, 5 | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. Not found. |
| 1 | com.h2database : h2 : 1.4.200 | CVE-2021-42392, CVE-2022-23221, SONATYPE-2021-1681, SONATYPE-2022-6243, SONATYPE-2018-0863 | 0.16.4 | 9, 9, 8, 8, 6 | We don't use this code in the production and it is only built for testing code. Not found. |
| 1 | org.apache.tomcat : tomcat-catalina : 9.0.45 | CVE-2022-23181, CVE-2021-30640 | 9.0.37.1 | 7, 6 | This needs further analysis and we are facing a resource issue at the moment, request a waiver. Not found. |
| 1 | org.json : json : 20140107 | SONATYPE-2022-3061 | 20220924 | 7 | The change would bring in a major testing to be performed across the projects and we have a resource crunch. The version 20220924 is updated and available in Master branch. |
| 1 | org.json : json : 20160212 | SONATYPE-2022-3061 | 20220924 | 7 | The change would bring in a major testing to be performed across the projects and we have a resource crunch. The version 20220924 is updated and available in Master branch. |
| 1 | org.springframework : spring-web : 5.2.14.RELEASE | CVE-2016-1000027, CVE-2021-22118, CVE-2021-22096 | 6.0.2 | 9, 7, 4 | The change would bring in a major testing to be performed across the projects and we have a resource crunch. Not found. |
| 1 | org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE | CVE-2021-23358, CVE-2021-23358, CVE-2018-14042, CVE-2019-11358, CVE-2019-8331, CVE-2020-11023, CVE-2020-26291, CVE-2021-3647, CVE-2022-1233, SONATYPE-2014-0026, SONATYPE-2020-0187, SONATYPE-2022-2019, CVE-2022-24723, SONATYPE-2016-0129 | 3.3.9.RELEASE | 7, 7, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 5, 5 | This needs further analysis and we are facing a resource issue at the moment, request a waiver. Not found. |
| 1 | org.springframework.security : spring-security-web : 5.4.6 | CVE-2022-22978 | 3.0.11-oss | 9 | This needs further analysis and we are facing a resource issue at the moment, request a waiver. Not found. |
| 1 | org.yaml : snakeyaml : 1.26 | CVE-2022-25857, CVE-2022-38749, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854, CVE-2022-38750 | 1.33 | 7, 6, 6, 6, 6, 5 | This needs further analysis and we are facing a resource issue at the moment, request a waiver. |
| 2 | org.glassfish.jersey.core : jersey-common : 2.22.1 | CVE-2021-28168 | | 5 | Indirect dependency. |
| 2 | org.glassfish.jersey.core : jersey-common : 2.30.1 | CVE-2021-28168 | | 5 | Indirect dependency. |
| 2 | org.springframework : spring-webmvc : 5.2.12.RELEASE | CVE-2021-22060 | 6.0.2 | 4 | This needs further analysis and we are facing a resource issue at the moment, request a waiver. |

so-so-admin-cockpit

| Priority | Component name and version | CVE | Recommended version | Threat level | Project’s assessment |
|---|---|---|---|---|---|
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, SONATYPE-2021-4682 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch. There is no o-parent dependency present in the pom.xml. |

so-so-etsi-nfvo

| Priority | Component name and version | CVE | Recommended version | Threat level | Project’s assessment |
|---|---|---|---|---|---|
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, SONATYPE-2021-4682 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch. There is no o-parent dependency present in the pom.xml. |
| 1 | org.yaml : snakeyaml : 1.26 | CVE-2022-25857, CVE-2022-38749, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854, CVE-2022-38750 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. That version is declared but there is no use in the entire file. |