Casablanca Logging Security/Vulnerability Report
- Amy Zwarico
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Impact Analysis | Action |
|---|---|---|---|
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder | com.fasterxml.jackson.core | false positive - we don't use this part of the library LOG-826: Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SECClosed | will fix in dublin - as no version of jackson is safe LOG-826: Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SECClosed |
logging-analytics | com.fasterxml.jackson.core | false positive - we don't use this part of the library LOG-833: Logging/POMBA CLM: fix/address/red LA jackson-databind 2.5.1 SECClosed | will fix in dublin - as no version of jackson is safe Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now LOG-833: Logging/POMBA CLM: fix/address/red LA jackson-databind 2.5.1 SECClosed |
pomba-audit-common | com.fasterxml.jackson.core | false positive - we don't use this part of the library will fix in dublin - as no version of jackson is safe | |
logging-analytics | org.glassfish.hk2.external | false positive - we don't use this part of the library will fix in dublin Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now | |
logging-analytics | com.fasterxml.jackson.module | will move to 2.8.7 by upgrading to spring-boot 2.1 - likely before Dublin - but a lot of testing is required Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now | |
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder | org.springframework.boot : | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing | LOG-830: Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jarClosed LOG-874: Logging CLM: fix/address/red-flag License org.json:json-20140107.jarClosed |
pomba-sdc-context-builder logging-analytics | org.json | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing Dependency org.json:json:jar:20140107 located at Module org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT | LOG-830: Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jarClosed LOG-874: Logging CLM: fix/address/red-flag License org.json:json-20140107.jarClosed |
pomba-sdc-context-builder | net.sf.flexjson | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing Dependency net.sf.flexjson:flexjson:jar:3.3 located at Module org.onap.logging-analytics.pomba:pomba-sdc-context-builder:jar:1.4.0-SNAPSHOT We will defer this like SDC does | |
handelbars | Need to upgrade to or above 4.0.0 LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+Closed For SDNC-CB this is pushed to dublin | LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+Closed | |
stipsan/uikit (swagger) | No versions are good - need a replacement for this swagger component For SDNC-CB this is pushed to dublin | ||
logback-classic | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablancaNote: SDNC-ContextBuilder is not deployed as part of Casablanca - OOM has not branched as of 20181128 - so we can see there is no pod for SDNC-CB - it will appear in the dublin branch via master - therefore the SV reports can be ignored for now as they are in dublin scope (there is an issue where CLM jobs are run against master instead of branches) onap onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2 2/2 Running 0 4h
onap onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh 1/1 Running 0 4h
onap onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x 1/1 Running 0 4h
onap onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m 1/1 Running 0 4h
onap onap-pomba-pomba-kibana-64f8788bbd-9vtr9 1/1 Running 0 4h
onap onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j 2/2 Running 0 4h
onap onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw 2/2 Running 0 4h
onap onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt 1/1 Running 0 4h
onap onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69 2/2 Running 0 4h
onap onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd 2/2 Running 0 4h
onap onap-pomba-pomba-validation-service-54598588fc-wf8lx 1/1 Running 0 4hmove to or above 1.2 - should be at 1.2.2+ LOG-846: Logging/POMBA CLM: fix/address/red-flag logback-classic 1.1.11 - should be 1.2.2Closed | LOG-846: Logging/POMBA CLM: fix/address/red-flag logback-classic 1.1.11 - should be 1.2.2Closed | |
struts-core | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca | ||
struts-taglib | DMaaP usage related Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | ||
org.codehaus.plexus | DMaaP usage related Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | ||
dom4j | DMaaP usage related Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | ||
commons-beanutils | DMaaP usage related Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | ||
org.apache.ant | DMaaP usage related Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | ||
org.jsoup | DMaaP usage related Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT |