Dublin VID Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.



Repository

Group

Impact Analysis

Action

vid

angular

It might be a hard upgrade. VID uses AngularJS, but also has it as an ONAP SDK dependency.



















vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular

Its source is in ONAP Portal SDK 2.4.0






VID-471: Use ONAP Portal SDK >2.5.0, where vulnerabilities addressed (status: Closed)

vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular



vid

angular-sanitize

Its source is in ONAP Portal SDK 2.4.0











vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-sanitize



vid

angular-ui-grid

Its source is in ONAP Portal SDK 2.4.0



vid

angular-ui-grid

Its source is in ONAP Portal SDK 2.4.0



vid

angular-ui-grid



vid

org.owasp.antisamy

Its source is in ONAP Portal SDK 2.4.0



vid

org.owasp.antisamy



vid

org.bouncycastle

Its source is in ONAP Portal SDK 2.4.0



vid

org.bouncycastle



vid

org.webjars

Its source is in ONAP Portal SDK 2.4.0





vid

org.webjars



vid

org.webjars



vid

org.webjars



vid

com.mchange



VID-461: Upgrade c3p0 to 0.9.5.4 or higher (status: Closed)

vid

commons-beanutils

Its source is in ONAP Portal SDK 2.4.0



vid

commons-codec

Its source is in ONAP Portal SDK 2.4.0



vid

commons-fileupload

Its source is in ONAP Portal SDK 2.4.0



vid

dom4j

Its source is in ONAP Portal SDK 2.4.0



vid

org.elasticsearch

Its source is in ONAP Portal SDK 2.4.0



vid

org.elasticsearch



vid

org.owasp.esapi

Its source is in ONAP Portal SDK 2.4.0



vid

org.owasp.esapi



vid

org.hibernate

Its source is in ONAP Portal SDK 2.4.0



vid

com.fasterxml.jackson.core

False positive
VID doesn't use the createBeanDeserializer() function in the BeanDeserializerFactory class.



vid

org.eclipse.jetty

False positive

This only impacts users using Eclipse Jetty on Windows.



vid

org.eclipse.jetty

False positive

VID is using only org.eclipse.jetty.util.security.Password, no http servers.

Anyhow: VID-472: Use jersey.version >=2.28 (status: Closed)

vid

org.webjars

No use of the parseHTML function.
No use of AJAX calls in jQuery (such calls are made only with Angular).








vid

jQuery



vid

jQuery



vid

jquery



vid

jquery



vid

moment

Its source is in ONAP Portal SDK 2.4.0



vid

moment



vid

moment

Its source is in ONAP Portal SDK 2.4.0




vid

moment



vid

org.seleniumhq.selenium

False positive; used only for tests



vid

org.apache.wicket

Its source is in ONAP Portal SDK 2.4.0



vid

org.exist-db.thirdparty.xerces

Its source is in ONAP Portal SDK 2.4.0