Dublin Policy Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project, with the impact analysis and the action taken for each.



Columns: Repository | Group | Impact Analysis | Action

Repository: policy/common (the following repos inherit from policy/common: policy/models, policy/api, policy/pap, policy/drools-pdp, policy/xacml-pdp, policy/apex-pdp, policy/drools-applications, policy/distribution)
Group: com.fasterxml.jackson.core
Impact Analysis: Request Exception - false positive. Inherited from the Dmaap 1.1.9 project artifacts; we are no longer using Jackson in this repo.
Action: POLICY-1668: Investigate exclusion or upgrade dmaap client when they remove jackson vulnerabilities (Closed). Apr 19, 2019: the dmaap team indicated they are not vulnerable to the jackson security issue.
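
A way to verify an "inherited from" claim such as the one above, as an added example (not code from the ONAP policy repositories): parse the text output of mvn dependency:tree, list every artifact in the flagged group together with the declared dependency that carries it, and generate the Maven exclusion that the POLICY-1668 ticket contemplates. The tree below is a constructed sample with org.example coordinates and illustrative versions, not output captured from policy/common.

```python
"""Trace where a flagged Maven group enters the build, from `mvn dependency:tree` text.

Added example, not ONAP policy project code. The sample tree is constructed;
its coordinates (org.example.*) and versions are illustrative only.
"""
import re

SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ policy-app ---
[INFO] org.example:policy-app:jar:1.0.0
[INFO] +- org.example.dmaap:dmaap-client:jar:1.1.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO] |     \- commons-codec:commons-codec:jar:1.10:compile
[INFO] \- com.google.code.gson:gson:jar:2.8.5:compile
"""

# Optional "[INFO] " log prefix, then tree glyphs in 3-character units ("+- ", "\- ",
# "|  ", "   "), then the artifact coordinate, then anything else (e.g. "(optional)").
TREE_LINE = re.compile(r"^(?:\[INFO\] )?((?:[+\\]- |\|  |   )*)(\S+)(?:\s.*)?$")


def parse_tree(text):
    """Return (depth, coordinate) per artifact line; other Maven log lines are skipped."""
    nodes = []
    for raw in text.splitlines():
        m = TREE_LINE.match(raw.rstrip())
        if not m:
            continue
        prefix, coord = m.groups()
        if coord.count(":") < 3:          # not groupId:artifactId:type:version[:scope]
            continue
        nodes.append((len(prefix) // 3, coord))
    return nodes


def paths_to_group(text, flagged_group):
    """Return every root-to-artifact chain whose last element belongs to flagged_group."""
    ancestors = []   # ancestors[d] is the node currently open at depth d
    hits = []
    for depth, coord in parse_tree(text):
        del ancestors[depth:]        # leaving a subtree: drop this depth and anything deeper
        ancestors.append(coord)
        if coord.split(":")[0] == flagged_group:
            hits.append(list(ancestors))
    return hits


def direct_carrier(path):
    """The declared (depth-1) dependency that drags the flagged artifact in; None if declared directly."""
    return path[1] if len(path) > 2 else None


def exclusion_snippet(path):
    """pom.xml fragment re-declaring the carrier with the flagged artifact excluded.

    Only safe when nothing on the runtime classpath still loads the excluded classes,
    which is exactly the claim the report makes for policy/common and Jackson.
    """
    if len(path) < 3:
        raise ValueError("artifact is declared directly; drop or upgrade it instead")
    carrier = path[1].split(":")       # groupId:artifactId:type[:classifier]:version:scope
    flagged = path[-1].split(":")
    return "\n".join([
        "<dependency>",
        f"  <groupId>{carrier[0]}</groupId>",
        f"  <artifactId>{carrier[1]}</artifactId>",
        f"  <version>{carrier[-2]}</version>",   # version sits just before the scope
        "  <exclusions>",
        "    <exclusion>",
        f"      <groupId>{flagged[0]}</groupId>",
        f"      <artifactId>{flagged[1]}</artifactId>",
        "    </exclusion>",
        "  </exclusions>",
        "</dependency>",
    ])


if __name__ == "__main__":
    for group in ("com.fasterxml.jackson.core", "commons-codec"):
        for path in paths_to_group(SAMPLE_TREE, group):
            print(f"{path[-1]}  <-  via {direct_carrier(path)}")
```

On a real checkout, mvn dependency:tree -Dincludes=com.fasterxml.jackson.core narrows the output to the matching artifacts and their paths, which this parser reads the same way. The generated exclusion is a starting point only: an exclusion removes the classes from the classpath, so it is correct only where the carrying library, as well as the repo itself, no longer needs them.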



Repository: policy/common (the following repos inherit from policy/common: policy/models, policy/api, policy/pap, policy/drools-pdp, policy/xacml-pdp, policy/apex-pdp, policy/drools-applications, policy/distribution)
Group: commons-codec
Impact Analysis: Request Exception. This dependency is used by org.apache.httpcomponents HttpClient, a popular library heavily used in open source; the codec does the Base64 decoding for authentication. There is no alternative to commons-codec, and no HttpClient release that excludes it. Replacing this code would be a significant effort; it is possible the Apache codec team is currently looking at a fix.
Action: POLICY-1658: Upgrade httpclient when available or find alternative to HttpClient apache component (Closed)


Repository: policy/drools-pdp
Group: dom4j
Impact Analysis: Request Exception - false positive. This is both a security and a license issue because Drools v6.5.0.Final includes and uses this dependency. Upgrading to a 7.x version would not clear this issue and would result in multiple other license exceptions that cannot be cleared. Our Drools PDP does not process XML documents.
Action: We are trying to determine an appropriate time to upgrade Drools: POLICY-1407: Upgrade PDP-D to drools 7.28.0.Final (Closed)


Repository: policy/drools-pdp
Group: org.apache.ant
Impact Analysis: Request Exception. This is a security issue because Drools v6.5.0.Final includes this dependency. Upgrading to a 7.x version would clear this issue, but would in turn result in multiple new license exceptions that cannot be cleared. Drools v6.5.0 does not appear to call any of the methods identified in the Sonatype report or the CVE.
Action: We are trying to determine an appropriate time to upgrade Drools: POLICY-1407: Upgrade PDP-D to drools 7.28.0.Final (Closed)


Repository: policy/drools-pdp
Group: org.jsoup
Impact Analysis: Request Exception - false positive. This is a security issue because Drools v6.5.0.Final includes this dependency. Upgrading to a 7.x version would not clear this issue and would result in multiple new license exceptions that cannot be cleared. Drools v6.5.0 does not appear to use the class identified in the CVE.
Action: We are trying to determine an appropriate time to upgrade Drools: POLICY-1407: Upgrade PDP-D to drools 7.28.0.Final (Closed)



Repository: policy/xacml-pdp, policy/drools-applications
Group: com.fasterxml.jackson.core
Impact Analysis: Request Exception - false positive. Inherited from a dependency which does not use Jackson in the manner subject to the vulnerability. NOTE: that dependency is hosted on GitHub and is managed by @Pamela Dragosh; removal of Jackson from it is in progress, and we will upgrade to the new version in El Alto.
Action: POLICY-1666: Upgrade XACML github PDP when jackson is removed (Closed)



Repository: policy/apex-pdp
Group: org.codehaus.jackson
Impact Analysis: Request Exception - false positive. This dependency is pulled in by org.apache.avro, and we are using the latest version of Avro. We use Avro to deserialize events, and Avro uses jackson-mapper-asl for its JSON decoding. The schema for the events we decode is controlled in policy models and prevents executable code from being specified, so this vulnerability cannot be exploited.
Action: POLICY-1508: Investigate Apex org.codehaus.jackson.jackson-mapper-asl security false positive (Closed)



Repository: policy/apex-pdp
Group: org.python
Impact Analysis: This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex. There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython:

  • The setup.py and build_py.py files allow extra Python packages to be installed on the host when Jython starts up. This uses the setuptools mechanism to install those packages, and that mechanism does not enforce path traversal restrictions, so a malicious package can access protected areas on the host.

  • Jython uses packages installed with the Python pip utility. Pip is vulnerable to path traversal attacks, so a malicious package installed with pip can access protected areas on the host.

The mitigation is to warn developers not to install untrusted extra Python packages.
Action: POLICY-1509: Investigate Apex org.python.jython-standalone.2.7.1 (Closed)
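
Both findings are path traversal during package installation. As an added example (not Apex or Jython project code), the following shows the check an installer has to perform before writing any member of a source tarball: resolve each member name against the install directory and refuse anything that lands outside it, is an absolute path, or is a link that a later member could write through. The tarball is constructed in memory for the demonstration; its member names are the attack cases, not real package contents.

```python
"""Refuse archive members that would escape the install directory.

Added example, not Apex/Jython code. The tarball is constructed here so the
check can be run offline; member names are chosen to exercise the failure modes.
"""
import io
import os
import tarfile
import tempfile


def build_sample_tarball():
    """Constructed sdist-like tarball: one honest file plus members that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n"),
            ("pkg-1.0/../../.bashrc", b"echo pwned\n"),          # parent of the install dir
            ("/etc/cron.d/pkg", b"* * * * * root id\n"),          # absolute path ignores the dir
            ("pkg-1.0/sub/../../../../tmp/x", b""),               # deep traversal
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg-1.0/link")                    # symlink out of the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    return buf.getvalue()


def resolve_inside(root, name):
    """Absolute target path for member `name`, or None if it would land outside `root`."""
    root = os.path.realpath(root)
    if os.path.isabs(name):
        return None
    target = os.path.realpath(os.path.join(root, name))
    # realpath() collapses ".." and symlinks, so a plain prefix test on the result is sound.
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_sdist_safely(tar_bytes, dest):
    """Write only regular files and directories whose resolved path stays under dest.

    Returns (written, rejected): relative paths written, and member names refused.
    """
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = resolve_inside(dest, member.name)
            if target is None or not (member.isreg() or member.isdir()):
                rejected.append(member.name)      # traversal, absolute path, link or device
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest)).replace(os.sep, "/"))
    return written, rejected


def demo():
    """Run the safe extractor against the constructed tarball in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_sdist_safely(build_sample_tarball(), dest)


if __name__ == "__main__":
    written, rejected = demo()
    print("written :", written)
    print("rejected:", rejected)
```

The check is deliberately done on the resolved path rather than by string-matching "..": "pkg/sub/../../../x" contains the sequence but only the normalised result shows where it ends up. Python 3.12 and later ship the same kind of check in tarfile's extraction filters (extractall(filter="data")); the point of the example is that whichever layer unpacks a package, setuptools, pip, or the Jython startup hook, has to make it.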



Repository: policy/engine
Group: bouncycastle
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: com.fasterxml.jackson.core
Impact Analysis: Request Exception - false positive. The repo does not use the dependency in the manner that exposes the vulnerability. We will finish removing Jackson from this repo when possible; it is a large effort.
Action: POLICY-1644: Finish removal of Jackson from Policy Framework repositories (Closed)



Repository: policy/engine
Group: com.mchange
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.springframework
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: angular (angularjs, angular.min.js)
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: angular-sanitize
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: angular-ui-grid
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: commons-beanutils
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: dom4j
Impact Analysis: Request Exception. dom4j is a dependency of org.hibernate:hibernate-core:jar:4.3.10. Upgrading Hibernate or moving to EclipseLink is a large effort in this repo.
Action: https://lf-onap.atlassian.net/browse/POLICY-1661



Repository: policy/engine
Group: org.springframework
Impact Analysis: May need an exception; we will investigate an upgrade.
Action: https://lf-onap.atlassian.net/browse/POLICY-1539


Repository: policy/engine
Group: org.apache.tomcat
Impact Analysis: Request Exception - false positive. We upgraded from 8.5.34 to remove one vulnerability; a new one is now reported against 9.0.16. The application is vulnerable through this component only when running on Windows with the CGI Servlet initialization parameter enableCmdLineArguments set to true. Since we do not run this on Windows, ONAP Policy Engine is not vulnerable.
Action: https://lf-onap.atlassian.net/browse/POLICY-1675, https://lf-onap.atlassian.net/browse/POLICY-1662
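
Because this exception rests on a deployment condition rather than on the code, it is worth being able to re-check it against the shipped configuration. The following is an added example (not policy/engine code) that reads a Tomcat web.xml, reports any active CGIServlet declaration and whether enableCmdLineArguments is set to true, and combines that with the host OS exactly as the analysis above does. The two web.xml documents inside it are constructed samples, not the policy/engine configuration.

```python
"""Check a Tomcat web.xml for the condition the exception above relies on.

Added example, not ONAP policy/engine code. Both web.xml samples are constructed.
"""
import platform
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed: CGI servlet active with the risky parameter switched on.
WEB_XML_CGI_ON = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed: the same declaration commented out, as Tomcat's stock conf/web.xml ships it.
WEB_XML_CGI_OFF = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  -->
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so web.xml with or without the javaee xmlns parses the same."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    # Elements with no children are falsy in ElementTree, so test against None explicitly.
    return (elem.text or "").strip() if elem is not None else ""


def cgi_servlet_findings(web_xml_text):
    """One dict per active <servlet> whose class is CGIServlet, with its init-params."""
    findings = []
    # ElementTree's default parser drops comments, so a commented-out declaration is not reported.
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): c for c in servlet}
        if _text(children.get("servlet-class")) != CGI_SERVLET_CLASS:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                fields = {_local(c.tag): _text(c) for c in ip}
                params[fields.get("param-name", "")] = fields.get("param-value", "")
        findings.append({
            "servlet_name": _text(children.get("servlet-name")),
            "enableCmdLineArguments": params.get("enableCmdLineArguments", "").lower() == "true",
            "params": params,
        })
    return findings


def vulnerable_per_report(web_xml_text, os_name=None):
    """The report's condition: CGIServlet active with enableCmdLineArguments=true on Windows."""
    os_name = os_name or platform.system()
    return os_name == "Windows" and any(
        f["enableCmdLineArguments"] for f in cgi_servlet_findings(web_xml_text))


if __name__ == "__main__":
    for label, xml in (("cgi on", WEB_XML_CGI_ON), ("cgi off", WEB_XML_CGI_OFF)):
        print(label, cgi_servlet_findings(xml), "on Windows:", vulnerable_per_report(xml, "Windows"))
```

Run it against every web.xml that reaches the deployment: Tomcat's conf/web.xml and the application's own WEB-INF/web.xml, since either can declare the servlet. The OS argument is there so the check can be evaluated for the target platform from a build host, rather than for whatever machine runs the script.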



Repository: policy/engine
Group: moment
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.apache.wicket
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.owasp.antisamy
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.webjars (bootstrap)
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.webjars (jquery, jQuery)
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.owasp.esapi
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: commons-fileupload
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)



Repository: policy/engine
Group: org.exist-db.thirdparty.xerces
Impact Analysis: Flagged due to inclusion of ONAP Portal SDK.
Action: POLICY-1601: Upgrade Portal SDK when they fix vulnerabilities (Closed)





Repository: policy/distribution
Group: com.fasterxml.jackson.core
Impact Analysis: Request Exception - false positive. Inherited from policy/engine; policy/distribution does not use this dependency directly and could exclude it when time permits.
Action: https://lf-onap.atlassian.net/browse/POLICY-1507