This template is intended to be used to document the outcome of the impact analysis for the known vulnerabilities reported by Nexus-IQ (the CLM tab in Jenkins). Nexus-IQ identifies known vulnerabilities, and license issues, in the third-party components used by ONAP components.

...


Each entry below gives Repository | Group on its first line, followed by the Impact Analysis and the Action (with the tracking Jira where one is linked).

policy/common | com.fasterxml.jackson.core
Impact analysis: False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.
Action: Request exception (Jira POLICY-1007)

policy/common | org.json
Impact analysis: This is a license issue, brought in by the inclusion of the Cambria client.
Action: Request exception (Jira POLICY-1007)

policy/common | com.fasterxml.jackson.datatype
Impact analysis: False Positive - we are not using any DurationDeserializer or InstantDeserializer.
Action: Request exception (Jira POLICY-1007)





policy/api, policy/pap, policy/drools-pdp, policy/xacml-pdp, policy/drools-applications, policy/distribution, policy/engine | com.fasterxml.jackson.core
Impact analysis: False Positive - flagged due to inheritance from policy/common (see above).
Action: Request exception (Jira POLICY-1007)

policy/api, policy/pap, policy/drools-pdp, policy/xacml-pdp, policy/drools-applications, policy/engine, policy/distribution | org.json
Impact analysis: This is a license issue, brought in through policy/common's inheritance of the Cambria client (see above).
Action: Request exception

policy/api, policy/pap, policy/drools-pdp, policy/xacml-pdp, policy/drools-applications, policy/engine, policy/distribution | com.fasterxml.jackson.datatype
Impact analysis: False Positive - flagged due to inheritance from policy/common (see above).
Action: Request exception

policy/drools-pdp | com.fasterxml.jackson.core
Impact analysis: False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.
Action: Request exception (Jira POLICY-1007)





policy/drools-pdp | dom4j
Impact analysis: This is both a security and a license issue, because Drools v6.5.0.Final includes and uses this dependency. Upgrading to a 7.x version would not clear this issue and would introduce multiple other license exceptions that cannot be cleared.
Action: Request exception (Jira POLICY-1407)

policy/drools-pdp | jsoup
Impact analysis: This is a security issue, because Drools v6.5.0.Final includes this dependency. Upgrading to a 7.x version would not clear this issue and would introduce multiple other new license exceptions that cannot be cleared.
Action: Request exception (Jira POLICY-1407)

policy/drools-pdp | ant
Impact analysis: This is a security issue, because Drools v6.5.0.Final includes this dependency. Upgrading to a 7.x version would clear this issue, but would in turn introduce multiple other new license exceptions that cannot be cleared.
Action: Request exception (Jira POLICY-1407)

policy/drools-pdp | jboss.jta
Impact analysis: This is a license issue - LGPL. JBoss has a newer set of transaction code with the same license issue, so upgrading does not resolve it. This feature is unused in ONAP and is disabled.
Action: Request exception

policy/drools-pdp | hibernate-core
Impact analysis: This is a license issue - LGPL. This feature is unused in ONAP and is disabled.
Action: Request exception

policy/drools-pdp | hibernate-commons-annotations
Impact analysis: This is a license issue - LGPL. This feature is unused in ONAP and is disabled.
Action: Request exception

policy/drools-pdp | mariadb
Impact analysis: False positive - the component is under the BSD 3-clause license.
Action: Request LF to select the correct license. NOTE: LF requested ONAP projects to move to mariadb in the Amsterdam release.

policy/engine | bootstrap
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception

policy/engine | (group missing on the page)
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception





policy/apex-pdp | org.codehaus.jackson.jackson-mapper-asl
Impact analysis: This dependency is pulled in by org.apache.avro; we are using the latest version of Avro. We use Avro to deserialize events, and Avro uses jackson-mapper-asl for its JSON decoding. The schema of the events we decode is controlled in the policy models and prevents executable code from being specified, so this vulnerability is not exploitable here.
Action: Request exception (Jira POLICY-1508)

policy/apex-pdp | org.python.jython-standalone 2.7.1
Impact analysis: This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex.
There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython:
  • The setup.py and build_py.py files allow extra Python packages to be installed on the host during Jython startup. This uses the setuptools mechanism to install those packages, which does not enforce path traversal restrictions, so a malicious package can write to protected areas on the host.
  • Jython uses packages installed with the Python pip utility. pip is vulnerable to path traversal attacks, so malicious packages installed with pip can likewise reach protected areas on the host.
The mitigation is to warn developers not to install untrusted extra Python packages.
Action: Request exception (Jira POLICY-1509)
The apex-pdp documentation for the Jython plugin is updated to warn developers that any extra Python packages they add at install time, with pip or via the setup.py/build_py.py mechanism, must be checked and certified by them as not being malicious.
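The path traversal risk described above is concrete enough to check for mechanically before a package is ever handed to pip or setup.py. The following is an added example written for this page, not code from apex-pdp, Jython or pip: it opens a Python source distribution (.tar.gz), and reports every member whose name, or link target, would land outside the extraction directory. The package name mypkg and the archive contents are constructed inline for the example.

```python
# Added example (not part of apex-pdp, Jython or pip): pre-install check for
# path-traversal members in a Python sdist. Nothing is extracted; only the
# archive's member table is inspected, so it is safe to run on an untrusted file.
import io
import posixpath
import tarfile


def is_unsafe_member(name: str) -> bool:
    """True if an archive member name would escape the extraction directory.

    Catches absolute POSIX/Windows paths and any name that normalises to a
    parent-directory reference ("pkg/../../etc/x" -> "../etc/x").
    """
    if not name:
        return True
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def find_unsafe_members(sdist_bytes: bytes) -> list:
    """Return the names of members in a .tar.gz sdist that would land outside
    the target directory. Symlinks and hard links whose target escapes the
    archive root are flagged too, since extraction would follow them."""
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if is_unsafe_member(member.name):
                unsafe.append(member.name)
            elif member.issym() or member.islnk():
                # A relative link target is resolved against the member's own
                # directory; an absolute target is checked as-is.
                target = member.linkname
                if not target.startswith("/"):
                    target = posixpath.join(posixpath.dirname(member.name), target)
                if is_unsafe_member(target):
                    unsafe.append(member.name)
    return unsafe


def build_sample_sdist() -> bytes:
    """Constructed sample (hypothetical package 'mypkg'): one legitimate
    setup.py plus three members that escape the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add_file("mypkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='mypkg')\n")
        # Relative traversal: would overwrite a file two levels above the target.
        add_file("mypkg-1.0/../../.ssh/authorized_keys", b"ssh-rsa AAAA... attacker\n")
        # Absolute path: ignores the target directory entirely.
        add_file("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")
        # Symlink whose target points outside the archive root.
        link = tarfile.TarInfo("mypkg-1.0/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_unsafe_members(build_sample_sdist()):
        print("REJECT:", name)
```

This check only covers where files are written; it says nothing about what setup.py does when it runs, which is why the documented requirement that developers review and certify the packages they add still stands. Wheels are zip files and would need the same name check applied to their zip entries.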


policy/apex-pdp | dom4j
Impact analysis: This dependency is pulled in by hibernate-core; we are using the latest release of Hibernate. The XML schema of incoming events is controlled in Apex, so arbitrary code, even if it were injected, cannot be executed.
Action: Request exception (Jira POLICY-1510)

policy/apex-pdp | org.jboss.marshalling.jboss-marshalling-osgi
Impact analysis: This is a license issue that is a false positive - the component is Apache 2.0 licensed.
Action: Request LF to select the correct license.

policy/apex-pdp | com.hazelcast.hazelcast
Impact analysis: Version 3.11-BETA-1 does not have a license provided. We must use this version because it clears a security issue. Earlier versions of this component were licensed under Apache 2.0, and I expect version 3.11 will be too once it is released.
Action: Request exemption

policy/apex-pdp | org.hibernate.hibernate-core
Impact analysis: This is a license issue - LGPL.
Action: Request exception

policy/apex-pdp | org.hibernate.hibernate-c3p0
Impact analysis: This is a license issue - LGPL.
Action: Request exception

policy/apex-pdp | org.python.jython-standalone
Impact analysis: This is a license issue that is a false positive - the component is Apache 2.0 licensed.
Action: Request LF to select the correct license.

policy/apex-pdp | org.apache.zookeeper
Impact analysis: Liam Fallon - can you take a quick look at the impact?
Action: Request exception








policy/engine | com.fasterxml.jackson.core
Impact analysis: False positive - the code is not using Jackson in the manner described in the vulnerability. Clearing Jackson from this repository is a large amount of work; it may not be worth the effort, as we will be deprecating the repo in the next 2 or 3 releases.
Action: Request exception (Jira POLICY-1007)

policy/engine | org.springframework
Impact analysis: One version is flagged due to inclusion of ONAP Portal SDK.
Action: Request exception

policy/engine | org.springframework
Impact analysis: We will upgrade the other versions not related to ONAP Portal SDK; possibly together, needs investigation.
Action: Upgrade, tracked in Jira POLICY-1539

policy/engine | bouncycastle
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | com.mchange
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | angularjs, angular, angular.min.js, angular-ui-grid.js, angular-sanitize
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | ng-formio-grid
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | wicket-util
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | moment
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | xerces
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | commons-beanutils
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | esapi
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | antisamy
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | jquery
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/engine | commons-fileupload
Impact analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: Request exception (Jira POLICY-1601)

policy/distribution | org.springframework
Impact analysis: Flagged due to inheritance from policy/engine, which depends on ONAP Portal SDK.
Action: Request exception (Jira POLICY-1507)


Sample of CLM Report