Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 26 Next »

This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins).  Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.

This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.

It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.

In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.


The following table is addressing 2 different scenarios:

  • Confirmation of a vulnerability including an action
  • False Positive

The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)

RepositoryGroupImpact AnalysisAction
dcaegen2/analytics/tca-gen2  com.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

DCAEGEN2-765

Request exception

dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.

There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.


No Action (same version as R2)


dcaegen2/analytics/tcacom.fasterxml.jackson.core

False Positive

There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".


No Action (same version as R2)


dcaegen2/collectors/datafile com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

At the moment we haven't got any workaround.

DCAEGEN2-764


Request exception

 dcaegen2/collectors/hv-vescom.fasterxml.jackson.core

False Positive

Vulnerable artifacts are used only in following cases:

  1. CSIT robot testsuites (hv-collector-dcae-app-simulator, hv-collector-xnf-simulator) which obviously does not pose a threat
  2. Healthcheck mechanism which ignores client requests and uses ( by dependency to hv-collector-utils ) jackson to create response.

Other modules affected are component-level-tests and coverage report which also are not used in production environment.

DCAEGEN2-766

Request exception


dcaegen2/collectors/ves  com.fasterxml.jackson.core

False Positive

The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.

Request exception

dcaegen2/platform/inventory-apicom.fasterxml.jackson.core 

False Positive

According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.

DCAEGEN2-768



Request exception

 




dcaegen2/services/mapper  com.fasterxml.jackson.core

False Positive

There is no use of BeanDeserializerFactory class in snmpmapper. Hence we believe that this vulnerability report is a false positive.

DCAEGEN2-769


Request exception


dcaegen2/services/prh com.fasterxml.jackson.core

Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. 

DCAEGEN2-770

Request exception



CRITICAL




dcaegen2/analytics/tca-gen2io.undertow Newer non vulnerable version available Upgrade to newer version 
dcaegen2/analytics/tca-gen2 org.springframework.integration Unknown License issue Request exception
dcaegen2/analytics/tca-gen2org.springframework.boot Unknown License issue Request exception
dcaegen2/analytics/tca-gen2 io.projectreactor Unknown License issue Request exception
dcaegen2/analytics/tca-gen2org.checkerframework

CC-BY-2.5, LGPL-3.0, MIT

False positive  - MIT license should be acceptable

 Request LF to select correct license
dcaegen2/analytics/tca-gen2com.google.code.findbugs

License issue (CC-BY-2.5, LGPL-2.1)


 Request exception
dcaegen2/analytics/tcacom.google.guavaNo non-vulnerable version available. Request exception
dcaegen2/analytics/tca commons-codecNot applicable as base32 encoding is not used  Request exception
dcaegen2/analytics/tca JunitUnknown License issue Request exception
dcaegen2/analytics/tca c3p0License issue (LGPL-2.1) Request exception
dcaegen2/analytics/tca javax.ws.rs

CDDL-1.1 or GPL-2.0-CPE,Apache-2.0


False positive  - Apache 2.0 license should be acceptable

 Request LF to select correct license
dcaegen2/collectors/datafileorg.springframework  Newer non vulnerable version available Upgrade to newer version 
dcaegen2/collectors/datafile com.jcraftNot applicable; as the application doesn't run on windows Request exception
dcaegen2/collectors/datafileorg.immutablesUnknown License issue Request exception
dcaegen2/collectors/datafile org.checkerframeworkLicense issue ( GPL-2.0-with-classpath-exception) Request exception
dcaegen2/collectors/hv-vesorg.apache.kafkaNewer non vulnerable version available Request exception
dcaegen2/collectors/hv-ves org.jetbrains.kotlinxUnknown License issue Request exception
dcaegen2/collectors/vesorg.apache.tomcat.embedNewer non vulnerable version available Request exception
dcaegen2/collectors/ves com.googlecode.libphonenumberNot applicable. Request exception
dcaegen2/collectors/ves  javax.mailNot applicable; as the specified method is not invoked Request exception
dcaegen2/collectors/ves  org.jsonLicense issue -  JSON Request exception
dcaegen2/collectors/ves  org.checkerframework

MIT,GPL-2.0-with-classpath-exception

False positive  - MIT license should be acceptable

 Request LF to select correct license
dcaegen2/platform/inventory-apiorg.postgresql : postgresqlNo non-vulnerable version available. Request exception
dcaegen2/platform/inventory-api org.checkerframework

License issue - LGPL-3.0,MIT,CC-BY-2.5

False positive  - MIT license should be acceptable

 Request LF to select correct license
dcaegen2/platform/inventory-api com.google.code.findbugsLicense issue - LGPL-3.0 Request exception
dcaegen2/platform/servicechange-handlerriddley : riddleyUnknown License issue Request exception
dcaegen2/platform/servicechange-handlerpotemkin : potemkinUnknown License issue Request exception
dcaegen2/platform/servicechange-handler org.json : json : 20131018License issue - JSON Request exception
dcaegen2/services/mapperdom4j : dom4j : Not applicable; as the specified method is not invoked Request exception
dcaegen2/services/mapper org.springframework : spring-webNo non-vulnerable version available & Unknown license reported Request exception
dcaegen2/services/mapper ognl : ognl : 3.0.9Newer non vulnerable version available Upgrade to newer version available
dcaegen2/services/mapper org.postgresql : postgresql : 42.2.4No non-vulnerable version available. Request exception
dcaegen2/services/mapper xerces : xercesImpl : 2.12.0No non-vulnerable version available. Request exception
dcaegen2/services/mapper org.milynLicense issue (LGPL2.1) Request exception
dcaegen2/services/mapper org.json : json : 20131018License issue - JSON Request exception
dcaegen2/services/mapper javax.servlet.jsp : jsp-api : 2.1

Apache-1.1,Apache-2.0,CDDL-1.0,Sun-IP,

False positive - Apache 2.0 should be acceptable

 Request LF to select correct license
dcaegen2/services/mapper javax.jms : jms : 1.1

License issues (SUN)

 Request exception
dcaegen2/services/mapper org.checkerframework : checker-qual

LGPL-3.0,MIT,CC-BY-2.5

False positive  - MIT license should be acceptable

 Request LF to select correct license
dcaegen2/services/mapper org.hibernate.commonLicense issue  (LGPL2.1) Request exception
dcaegen2/services/mapper com.ibm.icu : icu4jLicense issue  (Unicode) Request exception
dcaegen2/services/mapper org.codehaus.jackson : jackson-core-lgplLicense issue  (LGPL2.1) Request exception
dcaegen2/services/mapper org.hibernate : hibernate-coreLicense issue  (LGPL2.1) Request exception
dcaegen2/services/mapper com.wutka : dtdparser

LGPL-3.0,Apache

False positive  - Apache license should be acceptable

 Request LF to select correct license
dcaegen2/services/mapper xom:xomLicense issue  (LGPL2.1) Request exception
 dcaegen2/services/prhorg.springframework : spring-web Newer non vulnerable version availableUpgrade to newer version available
    












  • No labels