Dublin Logging Security/Vulnerability Report

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

Repository	Group	Impact Analysis	Action
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder pomba-sdnc-context-builder	com.fasterxml.jackson.core	false positive - we don't use this part of the library still no version of jackson is safe jackson-databind is pulled in by: For network-discovery-context-builder: org.springframework.boot:spring-boot-starter-web:jar:1.5.17.RELEASE:compile For aai-context-builder: org.springframework.boot:spring-boot-starter-web:jar:1.5.17.RELEASE:compile For context-aggregator: org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:jar:1.1.5:compile	tracking this issue with the following JIRA LOG-826 - Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SEC Open
logging-analytics	com.fasterxml.jackson.core	false positive - we don't use this part of the library Still no version of jackson is safe Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now	tracking this issue with the following JIRA https://lf-onap.atlassian.net/browse/LOG-1060
pomba-audit-common	com.fasterxml.jackson.core	false positive - we don't use this part of the library as no version of jackson is safe	tracking this issue with following JIRA LOG-1061: POMBA-AUDIT-COMMON CLM: fix/address/red-flag jackson-databind-2.4.5 SECClosed
logging-analytics	org.glassfish.hk2.external	false positive - we don't use this part of the library Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now	No action
pomba-sdnc-context-builder pomba-sdnc-context-builder	handelbars	Need to upgrade to or above 4.0.0	LOG-827 - Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ Open
pomba-network-discovery-context-builder pomba-sdnc-context-builder	stipsan/uikit (swagger)	Don't see it in the report, will close LOG-828	WIll close LOG-828 LOG-828: Logging/POMBA CLM: fix/address/red-flag Swagger stipsan/uikit 2.2.1.0 marked.js SEC - no version is safeClosed
pomba-sdnc-context-builder	logback-classic	Don't see it in the report, will close LOG-846	Will close LOG-846 https://lf-onap.atlassian.net/browse/LOG-846
pomba-sdnc-context-builder	struts-core	DMaaP usage related no version of struts-core is safe	tracking this issue with the following JIRA LOG-1062: POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag struts-core : 1.3.8-2.4.5 SECClosed
pomba-sdnc-context-builder	struts-taglib	No issue	No action
pomba-sdnc-context-builder	org.codehaus.plexus	DMaaP usage related should update to a newer version	tracking this issue with the following JIRA LOG-1063: POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag plexus-utils : 3.0.22 SECClosed
pomba-sdnc-context-builder	dom4j	False Positive; pulled in by Springboot, indirect dependency	No action
pomba-sdnc-context-builder	commons-beanutils	no version of commons-beanutils is safe	tracking this issue with following JIRA https://lf-onap.atlassian.net/browse/LOG-1064
pomba-sdnc-context-builder	org.apache.ant	No issue	No action
pomba-sdnc-context-builder	org.jsoup	No issue	No action
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder pomba-sdnc-context-builder	org.apache.tomcat.embed	Upgrade to version 8.5.42- upgrade planned for El Alto	tracking this issue with the following JIRA https://lf-onap.atlassian.net/browse/LOG-1066
logging-analytics pomba-sdc-context-builder pomba-sdnc-context-builder	commons-codec	No version has policy threat below 6 at the moment	tracking this issue with the following JIRA https://lf-onap.atlassian.net/browse/LOG-1067
pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder pomba-sdnc-context-builder	org.eclipse.jetty	Upgrade to version 9.4.13.v20181111 - upgrade planned for El Alto	tracking this issue with the following JIRA LOG-1068: Vulnerability issue: upgrade org.eclipse.jetty: jetty-server to 9.4.13.v20181111Closed
pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder pomba-sdnc-context-builder	org.eclipse.jetty	Upgrade to version 9.4.13.v20181111 - upgrade planned for El Alto	tracking this issue with the following JIRA LOG-1069: Vulnerability issue: upgrade org.eclipse.jetty: jetty-util to 9.4.13.v20181111Closed
pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdnc-context-builder	ch.qos.logback	Upgrade to version 1.2.3 - upgrade planned for El Alto	tracking this issue with the following JIRA LOG-1070: Vulnerability issue: upgrade ch.qos.logback : logback-classic to 1.2.3Closed
pomba-sdnc-context-builder	org.apache.camel	Upgrade to version 2.23.1 - upgrade planned for El Alto	tracking this issue with the following JIRA LOG-1071: Vulnerability issue: upgrade org.apache.camel : camel-core to 2.23.1Closed