Casablanca DCAE Security/Vulnerability Report
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception | |
com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. There is no use of | No Action (same version as R2) | |
dcaegen2/analytics/tca | com.fasterxml.jackson.core | False Positive There is no use of either | No Action (same version as R2) |
com.fasterxml.jackson.core | Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. At the moment we haven't got any workaround. | Request exception | |
com.fasterxml.jackson.core | False Positive Vulnerable artifacts are used only in following cases:
Other modules affected are component-level-tests and coverage report which also are not used in production environment. | Request exception | |
com.fasterxml.jackson.core | False Positive The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here. | Request exception | |
com.fasterxml.jackson.core | False Positive According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive. | Request exception | |
com.fasterxml.jackson.core | False Positive There is no use of | Request exception | |
com.fasterxml.jackson.core | Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. | Request exception | |
org.apache.tomcat.embed | Requires moving to tomcat-embed-websocket:8.5.34 | Added 10/29 - Request exception DCAEGEN2-927: Address VESCollector vulnerability reported R3 RC1 phaseClosed | |
org.postgresql | Requires moving postgresql to 42.2.5 | Added 10/29 - Request exception DCAEGEN2-926: Address InventoryAPI vulnerabilities reported - R3 RC1 phaseClosed | |
io.undertow | No non-vulnerable version available. | Request exception | |
com.google.guava | No non-vulnerable version available. | Request exception | |
commons-codec | Not applicable as base32 encoding is not used | Request exception | |
dcaegen2/collectors/datafile | org.springframework | Newer non vulnerable version available (5.1.0.RELEASE) | Upgrade to newer version DCAEGEN2-869: Address critical vulnerability for DFCClosed |
dcaegen2/collectors/datafile | com.jcraft | Not applicable; as the application doesn't run on windows | Request exception |
dcaegen2/collectors/hv-ves | org.apache.kafka | Newer non vulnerable version available | Request exception |
dcaegen2/collectors/ves | org.springframework | Requires moving to spring-web:5.1.1.RELEASE | Added 10/29 - Request exception DCAEGEN2-927: Address VESCollector vulnerability reported R3 RC1 phaseClosed |
dcaegen2/collectors/ves | com.googlecode.libphonenumber | Not applicable. | Request exception |
dcaegen2/collectors/ves | javax.mail | Not applicable; as the specified method is not invoked | Request exception |
dcaegen2/collectors/ves | org.springframework.security | spring-security-web:5.0.6.RELEASE flagged No non-vulnerable version available. | Added 10/30 - Request exception |
org.postgresql : postgresql | No non-vulnerable version available. | Request exception | |
dcaegen2/services/mapper | dom4j : dom4j : | Not applicable; as the specified method is not invoked | Request exception |
dcaegen2/services/mapper | org.springframework : spring-web | No non-vulnerable version available & Unknown license reported | Request exception |
dcaegen2/services/mapper | ognl : ognl : 3.0.9 | Newer non vulnerable version available | Upgrade to newer version available https://lf-onap.atlassian.net/browse/DCAEGEN2-871 |
dcaegen2/services/mapper | org.postgresql : postgresql : 42.2.4 | No non-vulnerable version available. | Request exception |
dcaegen2/services/mapper | xerces : xercesImpl : 2.12.0 | No non-vulnerable version available. | Request exception |
dcaegen2/services/prh | org.springframework : spring-web | Newer non vulnerable version available | Upgrade to newer version available DCAEGEN2-870: Address critical vulnerability for PRHClosed |