Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins).  Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.

This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.

It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.

In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.

The following table is addressing 2 different scenarios:

  • Confirmation of a vulnerability including an action
  • False Positive

The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.


RepositoryGroupImpact AnalysisAction
dcaegen2/analytics/tca-gen2  com.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

DCAEGEN2-765

Request exception

dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.


No Action (same version as R2)


dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive

There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".


No Action (same version as R2)


dcaegen2/collectors/datafile com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

At the moment we haven't got any workaround.

DCAEGEN2-764


Request exception

 dcaegen2/collectors/hv-vescom.fasterxml.jackson.core

False Positive

Vulnerable artifacts are used only in following cases:

  1. CSIT robot testsuites (hv-collector-dcae-app-simulator, hv-collector-xnf-simulator) which obviously does not pose a threat
  2. Healthcheck mechanism which ignores client requests and uses ( by dependency to hv-collector-utils ) jackson to create response.

Other modules affected are component-level-tests and coverage report which also are not used in production environment.

DCAEGEN2-766

Request exception


dcaegen2/collectors/ves  com.fasterxml.jackson.core

False Positive

The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.

Request exception

dcaegen2/platform/inventory-apicom.fasterxml.jackson.core 

False Positive

According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.

DCAEGEN2-768



Request exception

 





dcaegen2/services/mapper  com.fasterxml.jackson.core

False Positive

There is no use of BeanDeserializerFactory class in snmpmapper. Hence we believe that this vulnerability report is a false positive.

DCAEGEN2-769


Request exception


dcaegen2/services/prh com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

DCAEGEN2-770

Request exception

CRITICAL



 dcaegen2/
analytics/tca-gen2 io.undertow Requires updating to newer version Request exception  org.springframework.integration Unknown License issue Request exception  org.springframework.boot    io.projectreactor    org.checkerframework CC-BY-2.5, LGPL-3.0, MIT   com.google.code.findbugs License  
collectors/ves  org.apache.tomcat.embedRequires moving to tomcat-embed-websocket:8.5.34

 Added 10/29 -  Request exception

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-927

 dcaegen2/platform/inventory-api org.postgresqlRequires moving postgresql  to 42.2.5

 Added 10/29 -  Request exception

 

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-926

dcaegen2/analytics/tca-gen2io.undertow No non-vulnerable version available. Request exception
dcaegen2/analytics/tca
 com
com.google.guava
 
No non-vulnerable version available. Request exception
dcaegen2/analytics/tca 
 commons 
commons-codecNot applicable as base32 encoding is not used  
   JunitUnknown License issue   c3p0 LGPL-2.1   javax.ws.rs CDDL-1.1 or GPL-2.0-CPE,Apache-2.0
Request exception
dcaegen2/collectors/datafileorg.springframework  

Newer non vulnerable version available (5.1.0.RELEASE)


 Upgrade to newer version 

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-869


dcaegen2/collectors/
datafile  com.
datafile 
org.springframework  Need to be upgraded to newer version Request exception
com.jcraftNot applicable; as the application doesn't run on windows Request exception
  org.immutables  org.checkerframework GPL-2.0-with-classpath-exception 
 Unknown License issue 
dcaegen2/collectors/hv-ves
 org
org.apache.kafka
Need to be upgraded to newer version
Newer non vulnerable version available Request exception
 
 org.jetbrains.kotlinx Unknown License issue 
dcaegen2/collectors/ves
 org.apache.tomcat.embedNeed to be upgraded to newer version Request exception  com
org.springframeworkRequires moving to spring-web:5.1.1.RELEASE

 Added 10/29 - Request exception

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-927

dcaegen2/collectors/ves com.googlecode.libphonenumber
 Not
Not applicable. 
  javax
Request exception
dcaegen2/collectors/ves  javax.mail
 Not   org.json JSON   org.checkerframework MIT,GPL-2.0-with-classpath-exception 
Not applicable; as the specified method is not invoked 
Request exception
 dcaegen2/collectors/ves  org.springframework.security

spring-security-web:5.0.6.RELEASE flagged

No non-vulnerable version available.

Added 10/30 -  Request exception
dcaegen2/platform/inventory-api
 org  org.checkerframework License - LGPL-3.0,MIT,CC-BY-2.5   com.google.code.findbugs License  - LGPL-3.0 dcaegen2/platform/servicechange-handler riddley : riddley  Unknown License issue   potemkin : potemkin Unknown License issue   org.json : json : 20131018 JSON 
org.postgresql : postgresqlNo non-vulnerable version available. 
Request exception
dcaegen2/services/mapperdom4j : dom4j : 
 Not  org
Not applicable; as the specified method is not invoked 
 
Request exception
dcaegen2/services/mapper org.springframework : spring-web
 No
No non-vulnerable version available & Unknown license reported 
  ognl   org
Request exception
dcaegen2/services/mapper ognl : ognl : 3.0.9
Need to be upgraded to newer version  
Newer non vulnerable version available

 Upgrade to newer version available

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-871

dcaegen2/services/mapper org.postgresql : postgresql : 42.2.4
 No
No non-vulnerable version available. 
  xerces
Request exception
dcaegen2/services/mapper xerces : xercesImpl : 2.12.0
 No   org.milyn LGPL2.1   org.json : json : 20131018 JSON   javax.servlet.jsp : jsp-api : 2.1 False positive   javax.jms : jms : 1.1    org.checkerframework : checker-qual LGPL-3.0,MIT,CC-BY-2.5   org.hibernate.common LGPL2.1   com.ibm.icu : icu4j unicode   org.codehaus.jackson : jackson-core-lgpl LGPL2.1   org.hibernate : hibernate-core LGPL2.1   com.wutka : dtdparser LGPL-3.0,Apache-1.1   xom:xomLGPL2.1   dcaegen2/services/prhorg.springframework : spring-web  Need to be upgraded to newer version      
No non-vulnerable version available. 
Request exception
 dcaegen2/services/prhorg.springframework : spring-web Newer non vulnerable version available

Upgrade to newer version available

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-870