This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.
This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.
It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.
In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.
The following table is addressing 2 different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)
Repository | Group | Impact Analysis | Action |
---|---|---|---|
dcaegen2/analytics/tca-gen2 | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception |
dcaegen2/analytics/tca | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. There is no use of | No Action (same version as R2) |
dcaegen2/analytics/tca | com.fasterxml.jackson.core | False Positive There is no use of either | No Action (same version as R2) |
dcaegen2/collectors/datafile | com.fasterxml.jackson.core | Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. At the moment we haven't got any workaround. | Request exception |
dcaegen2/collectors/hv-ves | com.fasterxml.jackson.core | False Positive Vulnerable artifacts are used only in following cases:
Other modules affected are component-level-tests and coverage report which also are not used in production environment. | Request exception |
dcaegen2/collectors/ves | com.fasterxml.jackson.core | False Positive The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here. | Request exception |
dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | False Positive According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive. | Request exception
|
dcaegen2/services/mapper | com.fasterxml.jackson.core | False Positive There is no use of | Request exception |
dcaegen2/services/prh | com.fasterxml.jackson.core | Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. | Request exception |
CRITICAL | |||
dcaegen2/analytics/tca-gen2 | io.undertow | Requires updating to newer version | Request exception |
org.springframework.integration | Unknown License issue | Request exception | |
org.springframework.boot | |||
io.projectreactor | |||
org.checkerframework | CC-BY-2.5, LGPL-3.0, MIT | ||
com.google.code.findbugs | License | ||
dcaegen2/analytics/tca | com.google.guava | ||