Dublin CLAMP Security/Vulnerability Report

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

	Group	Impact Analysis	Action

	Group	Impact Analysis	Action
clamp	com.fasterxml.jackson.core	the issue has been removed from the CLAMP core code. the remaining usage of "Jackson" is coming from SDC client library so we depend on SDC project to remove the final reference to "Jackson" library.	CLAMP-236: Replace Jackson by another JSON libraryClosed SDC-2216: Security improvementsClosed
clamp	com.fasterxml.jackson.core	same as above.	CLAMP-236: Replace Jackson by another JSON libraryClosed
clamp	com.fasterxml.jackson.core	same as above.	CLAMP-236: Replace Jackson by another JSON libraryClosed
clamp	com.fasterxml.jackson.core	same as above.	CLAMP-236: Replace Jackson by another JSON libraryClosed
clamp	com.fasterxml.jackson.datatype	same as above.	CLAMP-236: Replace Jackson by another JSON libraryClosed
clamp	angular	need to go to higher version of angular which requires a complete re-work of the CLAMP UI.	CLAMP-223: replace "angular.js" and move to "React" for security issuesClosed
clamp	angular	need to go to higher version of angular which requires a complete re-work of the CLAMP UI.	CLAMP-223: replace "angular.js" and move to "React" for security issuesClosed
clamp	org.springframework.security	We need it to support the basic authentication case for CLAMP (to support deployment without AAF integration). Since in normal operation AAF will be used, this will not be an issue in normal use of CLAMP	CLAMP-282: spring-security-web vulnerability issueClosed
clamp	angular	need to go to higher version of angular which requires a complete re-work of the CLAMP UI.	CLAMP-223: replace "angular.js" and move to "React" for security issuesClosed
clamp	lodash	issue solved. "lodash" has been removed from GUI code as it is actually not used.	CLAMP-281: Fix Nexus IQ report for lodash libClosed
clamp	dom4j	used by hibernate inside the springboot framework. Since we are not using xml the impact is limited. but we plan to go to a newer version of springboot(version 2.1.4)to solve the issue	CLAMP-338: dom4j security issueClosed
clamp	commons-codec	under investigation (just appeared on the report the april 13th 2019)	CLAMP-342: commons-codec : commons-codec : 1.11 severe security issueClosed
clamp	org.apache.tomcat.embed	only affect windows based platform. So not applicable in ONAP.	CLAMP-353: critical security vulnerability : org.apache.tomcat.embed : tomcat-embed-core : 9.0.16_tomcat-embed-core-9.0.16.jar Closed
clamp	jquery.min.js	under investigation	CLAMP-397: jquery critical security issue per nexusiqClosed