Casablanca Logging Security/Vulnerability Report

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.



Repository

Group

Impact Analysis

Action

Repository

Group

Impact Analysis

Action

logging-analytics

pomba-aai-context-builder

pomba-context-aggregator

pomba-network-discovery-context-builder

pomba-sdc-context-builder

pomba-sdnc-context-builder

com.fasterxml.jackson.core

false positive - we don't use this part of the library

LOG-826: Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SECClosed



will fix in dublin - as no version of jackson is safe

LOG-826: Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SECClosed

logging-analytics

com.fasterxml.jackson.core

false positive - we don't use this part of the library

LOG-833: Logging/POMBA CLM: fix/address/red LA jackson-databind 2.5.1 SECClosed

will fix in dublin - as no version of jackson is safe

Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now

LOG-833: Logging/POMBA CLM: fix/address/red LA jackson-databind 2.5.1 SECClosed

pomba-audit-common

com.fasterxml.jackson.core

false positive - we don't use this part of the library

will fix in dublin - as no version of jackson is safe





logging-analytics

 org.glassfish.hk2.external

false positive - we don't use this part of the library

will fix in dublin

Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now



logging-analytics

com.fasterxml.jackson.module

will move to 2.8.7 by upgrading to spring-boot 2.1 - likely before Dublin - but a lot of testing is required

Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now



logging-analytics

pomba-aai-context-builder

pomba-context-aggregator

pomba-network-discovery-context-builder

pomba-sdc-context-builder

org.springframework.boot :

Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing

LOG-829: Logging/POMBA CLM: fix/address/red-flag License for spring-boot-actuator 1.5.17 - move spring-boot to 2.xClosed

LOG-829: Logging/POMBA CLM: fix/address/red-flag License for spring-boot-actuator 1.5.17 - move spring-boot to 2.xClosed

LOG-830: Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jarClosed

LOG-874: Logging CLM: fix/address/red-flag License org.json:json-20140107.jarClosed

pomba-sdc-context-builder

logging-analytics

org.json

Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing

Dependency org.json:json:jar:20140107 located at Module org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT

json-20140107.jar located at reference/logging-slf4j-demo/target/logging-slf4j-demo-1.4.0-SNAPSHOT.war/WEB-INF/lib

json-20140107.jar located at reference/logging-slf4j-demo/target/logging-slf4j-demo-1.4.0-SNAPSHOT/WEB-INF/lib

LOG-830: Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jarClosed

LOG-874: Logging CLM: fix/address/red-flag License org.json:json-20140107.jarClosed

pomba-sdc-context-builder



net.sf.flexjson

Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing

Dependency net.sf.flexjson:flexjson:jar:3.3 located at Module org.onap.logging-analytics.pomba:pomba-sdc-context-builder:jar:1.4.0-SNAPSHOT

flexjson-3.3.jar located at target/pomba-sdc-context-builder.jar/BOOT-INF/lib

We will defer this like SDC does



pomba-sdnc-context-builder

pomba-sdnc-context-builder

handelbars

Need to upgrade to or above 4.0.0

LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+Closed

For SDNC-CB this is pushed to dublin

LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+Closed

pomba-network-discovery-context-builder

pomba-sdnc-context-builder

stipsan/uikit (swagger)

No versions are good - need a replacement for this swagger component

LOG-828: Logging/POMBA CLM: fix/address/red-flag Swagger stipsan/uikit 2.2.1.0 marked.js SEC - no version is safeClosed

For SDNC-CB this is pushed to dublin

LOG-828: Logging/POMBA CLM: fix/address/red-flag Swagger stipsan/uikit 2.2.1.0 marked.js SEC - no version is safeClosed

pomba-sdnc-context-builder

logback-classic

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca

Note: SDNC-ContextBuilder is not deployed as part of Casablanca - OOM has not branched as of 20181128 - so we can see there is no pod for SDNC-CB - it will appear in the dublin branch via master - therefore the SV reports can be ignored for now as they are in dublin scope (there is an issue where CLM jobs are run against master instead of branches)



onap onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2 2/2 Running 0 4h onap onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh 1/1 Running 0 4h onap onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x 1/1 Running 0 4h onap onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m 1/1 Running 0 4h onap onap-pomba-pomba-kibana-64f8788bbd-9vtr9 1/1 Running 0 4h onap onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j 2/2 Running 0 4h onap onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw 2/2 Running 0 4h onap onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt 1/1 Running 0 4h onap onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69 2/2 Running 0 4h onap onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd 2/2 Running 0 4h onap onap-pomba-pomba-validation-service-54598588fc-wf8lx 1/1 Running 0 4h



move to or above 1.2 - should be at 1.2.2+

LOG-846: Logging/POMBA CLM: fix/address/red-flag logback-classic 1.1.11 - should be 1.2.2Closed

LOG-846: Logging/POMBA CLM: fix/address/red-flag logback-classic 1.1.11 - should be 1.2.2Closed

pomba-sdnc-context-builder

struts-core

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



pomba-sdnc-context-builder

struts-taglib

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

struts-taglib-1.3.8.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib



pomba-sdnc-context-builder

org.codehaus.plexus

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT



pomba-sdnc-context-builder

dom4j

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

dom4j-1.6.1.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib



pomba-sdnc-context-builder

commons-beanutils

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca

Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

commons-beanutils-1.9.3.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib



pomba-sdnc-context-builder

org.apache.ant

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

ant-1.8.4.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib



pomba-sdnc-context-builder

org.jsoup

DMaaP usage related

Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca



Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT

jsoup-1.7.2.jar located at target/pomba-sdnc-context-builder.jar/BOOT-INF/lib