Dublin VF-C Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
vfc/nfvo/driver/vnfm/gvnfm | org.springframework | False positive. The code doesn't use the getValueInternal() method in the OperatorMatches class. | Plan to update to a non-vulnerable version in the E release. |
vfc/nfvo/driver/vnfm/gvnfm | org.springframework | Plan to update to a non-vulnerable version in the E release. | |
vfc/nfvo/resmanagement, vfc-nfvo-multivimproxy, vfc/nfvo/driver/vnfm/gvnfm/juju | commons-beanutils | False positive. net.sf.json-lib:json-lib:2.4 depends on this package. This vulnerability is an indirect dependency introduced by vfc/nfvo/resmanagement. | False positive. No action. All existing commons-beanutils versions have vulnerability issues. |
vfc/nfvo/driver/vnfm/svnfm/huawei, vfc/nfvo/driver/vnfm/gvnfm | commons-beanutils | False positive. net.sf.json-lib:json-lib:2.4 depends on this package. This vulnerability is an indirect dependency introduced by vfc/nfvo/resmanagement. | False positive. No action. All existing commons-beanutils versions have vulnerability issues. |
vfc/nfvo/resmanagement, vfc/nfvo/driver/vnfm/svnfm/huawei, vfc-nfvo-multivimproxy, vfc/nfvo/driver/vnfm/gvnfm/juju, vfc/nfvo/driver/vnfm/gvnfm | org.codehaus.jackson | False positive. Version 1.9.13 is already the newest; there is no non-vulnerable version of this component. The code doesn't use Jackson directly and doesn't use the createBeanDeserializer() function, which has the vulnerability. We were unable to find any reference to this vulnerability. | False positive. All existing Jackson jackson-mapper-asl versions have vulnerability issues. |
vfc/nfvo/driver/vnfm/svnfm/huawei | apache-httpclient | False positive. Version 3.1 is already the newest; there is no non-vulnerable version of this component. VF-C code doesn't use the readRawLine() method in commons-httpclient directly. We plan to replace this jar with Apache HttpComponents, but need some time to update the code and test. The code doesn't use it to verify the SSL certificate. | False positive. We are trying to replace this jar with other jars. |
vfc/nfvo/driver/vnfm/gvnfm | commons-collections | False positive. The code doesn't use InvokerTransformer. | False positive. Doesn't use the security class. No action. |
vfc/nfvo/driver/vnfm/svnfm/huawei, vfc/nfvo/driver/vnfm/gvnfm, vfc-nfvo-multivimproxy, vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | False positive. Code doesn't use | No action. VFC-1302: Fix the org.eclipse.jetty.aggregate:jetty-all:8.1.16.v20140903 security issue (Closed) |
vfc/nfvo/driver/vnfm/gvnfm | org.springframework | False positive. The code doesn't use ResourceHttpRequestHandler to check for directory traversal. | Plan to update to a non-vulnerable version in the D release. |
vfc/nfvo/driver/vnfm/gvnfm | org.apache.commons | No vulnerability analysis. | Plan to update to a non-vulnerable version in the E release. |
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | False positive. Explanation: this vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before the mapper is used for deserialization. The EMS driver doesn't invoke this method. | False positive. No action. All existing jackson-databind versions have vulnerability issues. |
vfc-nfvo-driver-ems | org.exist-db.thirdparty.xerces | False positive. The EMS driver doesn't use the setupCurrentEntity() method in the XMLEntityManager class, and EMS doesn't run on the following Java versions: Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144. It uses OpenJDK version '1.8.0_191'. | False positive |
vfc-nfvo-driver-ems | javax.mail | The EMS driver doesn't invoke the getUniqueMessageIDValue() method. | False positive |
vfc-nfvo-driver-svnfm-nokiav2 | org.springframework.security | False positive. The code doesn't use the doFilter() method in the SwitchUserFilter class, and the Switch User Processing Filter isn't configured in the code. | False positive. No action. No version with a fix is currently available. |
vfc-gvnfm-vnflcm, vfc-gvnfm-vnfmgr, vfc-gvnfm-vnfres, vfc-nfvo-catalog, vfc-nfvo-driver-vnfm-gvnfm, vfc-nfvo-driver-vnfm-svnfm-zte, vfc-nfvo-lcm | | False positive. We don't use | Request Exception |
vfc-gvnfm-vnflcm, vfc-gvnfm-vnfmgr, vfc-gvnfm-vnfres, vfc-nfvo-catalog, vfc-nfvo-driver-vnfm-gvnfm, vfc-nfvo-driver-vnfm-svnfm-zte, vfc-nfvo-lcm | | Currently we can't find an alternative for this. We will try to investigate this in the El Alto Release. | No Action |
vfc-gvnfm-vnflcm, vfc-gvnfm-vnfmgr, vfc-gvnfm-vnfres, vfc-nfvo-catalog, vfc-nfvo-driver-vnfm-gvnfm, vfc-nfvo-driver-vnfm-svnfm-zte, vfc-nfvo-lcm | | False positive. We don't use | No Action |
vfc-nfvo-driver-ems | org.eclipse.jetty | False positive. The code doesn't use the sendDirectory() function in the ResourceService.class and DefaultServlet.class files, or the doDirectory() function in the ResourceHandler.class file. | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. |
vfc-nfvo-driver-ems | org.eclipse.jetty | False positive. The code doesn't use the sendDirectory() function in the ResourceService.class and DefaultServlet.class files, or the doDirectory() function in the ResourceHandler.class file. | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. |
vfc-nfvo-driver-ems, vfc-nfvo-driver-svnfm-huawei | commons-codec | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |
vfc-nfvo-driver-svnfm-huawei, vfc-nfvo-driver-vnfm-gvnfm, vfc-nfvo-multivimproxy, vfc-nfvo-resmanagement | org.apache.commons | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |
vfc-nfvo-driver-svnfm-nokiav2 | org.springframework.security | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | False positive. The code doesn't use the sendDirectory() function in the ResourceService.class and DefaultServlet.class files, or the doDirectory() function in the ResourceHandler.class file. | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | False positive. The code doesn't use the sendDirectory() function in the ResourceService.class and DefaultServlet.class files, or the doDirectory() function in the ResourceHandler.class file. | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. |
vfc-nfvo-driver-svnfm-nokiav2 | commons-codec | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |
vfc-nfvo-driver-vnfm-gvnfm | | | |
vfc-nfvo-driver-svnfm-nokiav2 | com.squareup.okhttp3 | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |
vfc-nfvo-driver-svnfm-nokiav2 | org.json | This was scanned by the NEXUS IQ server recently; plan to update to a non-vulnerable version in the E release. | |