Casablanca VNFSDK Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.



| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| vnfsdk-refrepo | com.fasterxml.jackson.core | False positive. Jackson: can be an issue if we leave on default typing. • In vnfsdk we do not use default typing. We use strict parsing and validation of deserialized data. • There is no unknown source data from which marketplace reads the application data (xml/json). | No Action |
| vnfsdk-refrepo | bootstrap | There is no non-vulnerable version of bootstrap package. | Request exception |
| vnfsdk-validation | com.fasterxml.jackson.core | False positive. We do not use default typing in vnfsdk-validation. | no action |
| vnfsdk-functest | com.fasterxml.jackson.core | False positive. We do not use default typing in vnfsdk-functest. | no action |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | False positive. The code comes in through a 3rd party dependency, but isn't used in VNFSDK. | no action |
| vnfsdk-functest | com.h2database | False positive. Only used in unit testing. There is no way for this to be used during deployment. | No Action. |
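The Jackson rows above rest on the claim that default typing is not used. As an added example (not part of the VNFSDK report or code base), this script shows one way to check that claim over a Java source tree; it goes slightly beyond the report by also flagging class-name-based `@JsonTypeInfo`, and the function names and sample source are constructed for illustration.

```python
import re
from pathlib import Path

# Jackson constructs that let the input document choose which class is instantiated.
RISKY = {
    "default typing enabled on ObjectMapper": re.compile(
        r"\.\s*(enableDefaultTyping(AsProperty)?|activateDefaultTyping(AsProperty)?)\s*\("),
    "class-name type id in @JsonTypeInfo": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\bId\s*\.\s*(CLASS|MINIMAL_CLASS)\b", re.S),
}
# Simplification: "//" inside a string literal is also treated as a comment start.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def strip_comments(src):
    """Blank out Java comments but keep newlines so line numbers stay correct."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def scan_source(src):
    """Return sorted (line_number, finding) pairs for one Java source string."""
    code = strip_comments(src)
    hits = []
    for label, pattern in RISKY.items():
        for m in pattern.finditer(code):
            hits.append((code.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)


def scan_tree(root):
    """Scan every .java file under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.java"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample input (not taken from the VNFSDK code base).
SAMPLE = '''\
ObjectMapper strict = new ObjectMapper();
// mapper.enableDefaultTyping();  <- commented out, must not be reported
ObjectMapper loose = new ObjectMapper();
loose.enableDefaultTyping();
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
              include = JsonTypeInfo.As.PROPERTY)
abstract class Payload {}
'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

An empty result from `scan_tree` over a repository supports the "False positive" entry for that repository; it does not cover mappers configured inside third-party dependencies.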