Version 32 (an old version of this page)

This template is intended to be used to document the outcome of the impact analysis related to the known vulnerabilities reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components used by ONAP components.

This table will be presented to the TSC at the Code Freeze milestone (M4).

It is recommended to first update to the latest version of the third-party components available. If the latest third-party components still report vulnerabilities, you must provide an impact analysis as illustrated in the example below.


The following table is addressing 2 different scenarios:

  • Confirmation of a vulnerability including an action
  • False Positive

The information related to Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshot below).


| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| policy/common | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception |
| policy/common | javax.jms | This is a license issue that is brought in due to inclusion of DMaap client. | Request exception |
| policy/common | org.json | This is a license issue that is brought in due to inclusion of Cambria client. | Request exception |
| policy/common | log4j | There is no license for this. This is used extensively for logging and it would be a large effort to remove its use. | Request exception |
| policy/common | junit | There is no license for this. This is used for satisfying the 50% JUnit test coverage. | Request exception |
| policy/drools-applications, policy/drools-pdp, policy/distribution, policy/engine | com.fasterxml.jackson.core | False Positive - flagged due to inheritance of policy/common | Request exception |
| policy/drools-applications, policy/drools-pdp, policy/distribution | javax.jms | This is a license issue that is brought in due to inheritance of DMaap client. | Request exception |
| policy/drools-applications, policy/drools-pdp, policy/distribution | org.json | This is a license issue that is brought in due to inheritance of Cambria client. | Request exception |
| policy/drools-applications | com.att.research.xacml | False positive - MIT license should be acceptable | Request LF to select correct license |
| policy/drools-applications | xml-apis | False positive - Apache 2.0 license should be acceptable | Request LF to select correct license |
| policy/drools-pdp | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception |
| policy/drools-pdp | dom4j | This is both a security and a license issue due to Drools v6.5.0.Final including and using this dependency. Upgrading to the 7.x version would not clear this issue and would result in multiple other license exceptions that are not clearable. | Request exception |
| policy/drools-pdp | jsoup | This is a security issue due to Drools v6.5.0.Final including this dependency. Upgrading to the 7.x version would not clear this issue and would result in multiple other new license exceptions that are not clearable. | Request exception |
| policy/drools-pdp | ant | This is a security issue due to Drools v6.5.0.Final including this dependency. Upgrading to the 7.x version would clear this issue, but would then consequently result in multiple other new license exceptions that are not clearable. | Request exception |
| policy/drools-pdp | jboss.jta | This is a license issue - LGPL. JBoss has a newer set of transaction code which has the same license issue, so upgrading is not possible. This feature is unused in ONAP and is disabled. | Request exception |
| policy/drools-pdp | hibernate-core | This is a license issue - LGPL. This feature is unused in ONAP and is disabled. | Request exception |
| policy/drools-pdp | hibernate-commons-annotations | This is a license issue - LGPL. This feature is unused in ONAP and is disabled. | Request exception |
| policy/drools-pdp | mariadb | False positive - BSD3 license | Request LF to select correct license. NOTE: LF requested ONAP projects to move to mariadb in the Amsterdam release. |
| policy/drools-pdp | log4j | Unknown License issue inherited from policy/common | Request exception |
| policy/drools-pdp | junit | Unknown License issue inherited from policy/common | Request exception |
| policy/engine | com.fasterxml.jackson.core | False positive. The code is not using Jackson in the manner described in the vulnerability. | Request exception |
| policy/engine | org.springframework | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | bouncycastle | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | angularjs, angular, angular.min.js | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | moment, moment | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | xerces | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | commons-beanutils | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | esapi | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | antisamy | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | org.apache.wicket | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | jquery | Flagged due to inclusion of ONAP Portal SDK | Request exception |
| policy/engine | javax.mail | Missing license issue - it is CDDL according to Sun. | Request LF to override license. |
| policy/distribution | org.springframework | Flagged due to inheritance from policy/engine, which has a dependency on ONAP Portal SDK | Request exception |
| policy/distribution | org.dspace.xmlui.xml | This is a license issue that is a false positive - it is Apache 2.0 | Request LF to select correct license. |
| policy/apex-pdp | org.codehaus.jackson.jackson-mapper-asl | This dependency is pulled in by org.apache.avro. We are using the latest version of Avro. We are using Avro to deserialize events. Avro uses jackson-mapper-asl for its JSON decoding. The schema for the events we are decoding is controlled in policy models and prevents executable code being specified. Therefore this vulnerability cannot be exploited. | Request exception |
| policy/apex-pdp | dom4j | This dependency is pulled in by hibernate-core. We are using the latest release of Hibernate. The XML schema of incoming events is controlled in Apex, and arbitrary code, even if it was injected, cannot be executed. | Request exception |
| policy/apex-pdp | junit | Unknown License issue inherited from policy/parent | Request exemption |
| policy/apex-pdp | org.jruby.jruby-core | This is a license issue that is a false positive - it is Apache 2.0 | Request LF to select correct license. |
| policy/apex-pdp | org.jboss.marshalling.jboss-marshalling-osgi | This is a license issue that is a false positive - it is Apache 2.0 | Request LF to select correct license. |
| policy/apex-pdp | com.hazelcast.hazelcast | Version 3.11-BETA-1 does not have a license provided. We must use this version because it clears a security issue. Earlier versions of this component were licensed with Apache 2.0 and I expect version 3.11 will be too once it is released. | Request exemption |
| policy/apex-pdp | org.hibernate.hibernate-core | This is a license issue - LGPL | Request exception |
| policy/apex-pdp | org.infinispan.infinispan-core | This is a license issue that is a false positive - it is Apache 2.0 | Request LF to select correct license. |
| policy/apex-pdp | org.hibernate.hibernate-c3po | This is a license issue - LGPL | Request exception |
| policy/apex-pdp | org.python.jython-standalone | This is a license issue that is a false positive - it is Apache 2.0 | Request LF to select correct license. |
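The policy/apex-pdp jackson-mapper-asl row argues that a reader-controlled Avro schema leaves no room for a payload to name code to execute. The added example below (not ONAP or Apex project code; the schema and sample event are constructed for illustration) is a minimal schema-driven Avro binary codec that shows the mechanism: field names and types come from the schema held by the reader, and the bytes carry only values.

```python
# Added example, not ONAP/Apex code: a minimal schema-driven Avro binary codec for
# flat int/long/string records (an assumption). The reader walks a schema it
# controls; the payload carries values only, never type names to instantiate.
EVENT_SCHEMA = [("eventId", "long"), ("policyName", "string"), ("severity", "int")]  # hypothetical
SAMPLE_EVENT = bytes([0x54, 0x10]) + b"scaleOut" + b"\x01"  # constructed: 42, "scaleOut", -1
def _write_varint(value):  # Avro zig-zag varint encoding of a signed 64-bit int
    raw = (value << 1) ^ (value >> 63)
    out = bytearray()
    while raw >= 0x80:
        out.append((raw & 0x7F) | 0x80)
        raw >>= 7
    out.append(raw)
    return bytes(out)

def _read_varint(buf, pos):  # returns (value, next position); rejects truncation
    raw, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        raw |= (b & 0x7F) << shift
        if not b & 0x80:
            return (raw >> 1) ^ -(raw & 1), pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def encode_record(schema, values):  # writer side: fields in schema order
    out = b""
    for name, typ in schema:
        if typ == "string":
            data = values[name].encode("utf-8")
            out += _write_varint(len(data)) + data
        else:  # int / long
            out += _write_varint(values[name])
    return out

def decode_record(schema, buf):  # reader side: names and types come from the schema
    out, pos = {}, 0
    for name, typ in schema:
        if typ == "string":
            n, pos = _read_varint(buf, pos)
            if n < 0 or pos + n > len(buf):
                raise ValueError("bad string length")
            out[name], pos = buf[pos:pos + n].decode("utf-8"), pos + n
        else:  # int / long
            out[name], pos = _read_varint(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after record")  # more data than the schema allows
    return out
```

A payload that is longer or shorter than the schema dictates is rejected rather than interpreted, which is the property the impact analysis relies on.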


Sample of CLM Report


