Casablanca Maintenance SO Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
so/libs | com.fasterxml.jackson.core | False positive. Jackson: can be an issue if we leave default typing on. | No Action. All of the existing jackson databind versions have vulnerability issues. |
SO | org.eclipse.jetty | Pulled in by Spring Boot 1.5.13-RELEASE. Note: We don't use Jetty, but it is impractical to exclude. | Planning for a Spring Boot upgrade to 2.0 in Dublin. |
SO | com.fasterxml.jackson.core | False positive. Jackson: can be an issue if we leave default typing on. | No Action. All of the existing jackson databind versions have vulnerability issues. |
SO | ch.qos.logback | Pulled in by Spring Boot 1.5.13-RELEASE. | Planning for a Spring Boot upgrade to 2.0 in Dublin. |
SO | org.slf4j | Pulled in by Spring Boot 1.5.13-RELEASE and also specified by SO. | Planning for a Spring Boot upgrade to 2.0 in Dublin. |
SO | org.apache.tomcat.embed | Pulled in by Spring Boot 1.5.13-RELEASE. Note: Tomcat CORS is turned off in our application. Not really an issue since the feature is turned off. | No Action. Planning for a Spring Boot upgrade to 2.0 in Dublin. |
SO | org.apache.commons | Pulled in by Camunda 7.8.0. We aren't using any email features in BPMN. | No Action for Casablanca. File for exception in Casablanca; upgrade Camunda to 1.9.0 in Dublin. |