Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

...

RepositoryGroupImpact AnalysisAction

vfc/nfvo/driver/vnfm/gvnfm


org.springframework

False positive

Code doesn't use the getValueInternal() method in the OperatorMatches class

Plan to update the no vulnerability version in E version

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1284


vfc/nfvo/driver/vnfm/gvnfmorg.springframework
Plan to update the no vulnerability version in E version

vfc/nfvo/resmanagement

vfc-nfvo-multivimproxy

vfc/nfvo/driver/vnfm/gvnfm/juju

commons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

False positive. No Action.

All of the existing commons-beanutils have vulnerabilities issues.



vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

commons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

False positive. No Action.

All of the existing commons-beanutils have vulnerabilities issues.

vfc/nfvo/resmanagement

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc-nfvo-multivimproxy

vfc/nfvo/driver/vnfm/gvnfm/juju

vfc/nfvo/driver/vnfm/gvnfm


org.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

Code doesn’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability 

False positive.

All of the existing jackson jackson-mapper-asl have vulnerabilities issues.

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1272

vfc/nfvo/driver/vnfm/svnfm/huaweiapache-httpclient

False positive

Version 3.1 is already newest.

There is no non vulnerable version of this component. 

VF-C code doesn’t use the readRawLine() method in commons-httpclient directly. We plan to replace this jar with Apache HttpComponents, but need some time to update the code and test.

Code doesn't use it for the verification of the SSL certificate

False positive

We are trying to replace this jar with other jars

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1274

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1285

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1286

vfc/nfvo/driver/vnfm/gvnfm

commons-collections

False positive

Code doesn't use InvokerTransformer

False positive. Not use the security class. No Action

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1275

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.eclipse.jetty.aggregate

False positive

Code doesn't use boolean check(Object credentials) function in the Password.java 

No Action

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1302

vfc/nfvo/driver/vnfm/gvnfm 

org.springframework

False positive

Code doesn't use ResourceHttpRequestHandler to  check for directory traversal

Plan to update the no vulnerability version in D version

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1288

vfc/nfvo/driver/vnfm/gvnfmorg.apache.commonsno vulnerability analysis

Plan to update the no vulnerability version in E version

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1289

vfc-nfvo-driver-emscom.fasterxml.jackson.core

False positive

Explaination: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

ems driver doesn't invoke this method

False positive.No Action.

All of the existing jackson databind have vulnerabilities issues.


vfc-nfvo-driver-emsorg.exist-db.thirdparty.xerces

False positive

ems driver haven't used  the setupCurrentEntity()method in

XMLEntityManager class and ems doesn't run on the following java version: Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144, it used openjdk version '1.8.0_191'

False positive

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1294

vfc-nfvo-driver-emsjavax.mailEms driver doesn't invoke getUniqueMessageIDValue() method

False positive

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1295
Done

vfc-nfvo-driver-svnfm-nokiav2 org.springframework.security

False positive

Code didn't use the doFilter() method in the SwitchUserFilter Class and the Switch User Processing Filter doesn't configured in the code.

False positive.No Action. 

No version with a fix is currently available.

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyVFC-1300

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


False postive.

We don't use jquery and bootstrap package.

Request Exception

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


Currently we can't find an alternative for this. We will try to investigate this in El Alto Release.

No Action

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


False postive.

We don't use jquery and qunit package.

No Action
vfc-nfvo-driver-emsorg.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-emsorg.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version

vfc-nfvo-driver-ems

vfc-nfvo-driver-svnfm-huawei

commons-codec
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version

vfc-nfvo-driver-svnfm-huawei

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement

org.apache.commons
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.springframework.security
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2commons-codec
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-vnfm-gvnfm
vfc-nfvo-driver-svnfm-nokiav2com.squareup.okhttp3
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.json
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version

...