Casablanca Maintenance Logging Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities reported in third-party packages used in the project, with the impact analysis and the action taken for each.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
logging-analytics, pomba-aai-context-builder, pomba-context-aggregator, pomba-network-discovery-context-builder, pomba-sdc-context-builder | com.fasterxml.jackson.core | False positive - we don't use this part of the library. | Will fix in Dublin - as no version of jackson is safe. LOG-826: Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SEC (Closed) |
logging-analytics | com.fasterxml.jackson.core | False positive - we don't use this part of the library. | Will fix in Dublin - as no version of jackson is safe. Also, the implementing library is a non-deployed demo library with no use in any deployed docker image right now. LOG-833: Logging/POMBA CLM: fix/address/red LA jackson-databind 2.5.1 SEC (Closed) |
pomba-audit-common | com.fasterxml.jackson.core | False positive - we don't use this part of the library. | Will fix in Dublin - as no version of jackson is safe. |
logging-analytics | org.glassfish.hk2.external | False positive - we don't use this part of the library. Also, the implementing library is a non-deployed demo library with no use in any deployed docker image right now. | Will fix in Dublin. |
| | handlebars | Need to upgrade to or above 4.0.0. For SDNC-CB this is pushed to Dublin. | LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (Closed) |
| | stipsan/uikit (swagger) | No versions are good - need a replacement for this swagger component. For SDNC-CB this is pushed to Dublin. | |
| | logback-classic | DMaaP usage related. Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca. Note: SDNC-ContextBuilder is not deployed as part of Casablanca - OOM has not branched as of 20181128 - so there is no pod for SDNC-CB (see the pod listing below); it will appear in the Dublin branch via master, therefore the SV reports can be ignored for now as they are in Dublin scope (there is an issue where CLM jobs are run against master instead of branches). Move to or above 1.2 - should be at 1.2.2+. | LOG-846: Logging/POMBA CLM: fix/address/red-flag logback-classic 1.1.11 - should be 1.2.2 (Closed) |
| | struts-core | DMaaP usage related. Fixing in Dublin - the sdnc-cb repo/service was not part of Casablanca. | |
| | struts-taglib | DMaaP usage related. Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| | org.codehaus.plexus | DMaaP usage related. Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| | dom4j | DMaaP usage related. Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| | commons-beanutils | DMaaP usage related. Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| | org.apache.ant | DMaaP usage related. Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| | org.jsoup | DMaaP usage related. Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |

Pod listing referenced in the logback-classic row (onap namespace, Casablanca deployment; no SDNC-CB pod is present):

```
onap onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2 2/2 Running 0 4h
onap onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh 1/1 Running 0 4h
onap onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x 1/1 Running 0 4h
onap onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m 1/1 Running 0 4h
onap onap-pomba-pomba-kibana-64f8788bbd-9vtr9 1/1 Running 0 4h
onap onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j 2/2 Running 0 4h
onap onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw 2/2 Running 0 4h
onap onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt 1/1 Running 0 4h
onap onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69 2/2 Running 0 4h
onap onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd 2/2 Running 0 4h
onap onap-pomba-pomba-validation-service-54598588fc-wf8lx 1/1 Running 0 4h
```