Dublin VNFSDK Security/Vulnerability Report
- Amy Zwarico
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Impact Analysis | Action |
|---|---|---|---|
vnfsdk/functest | com.fasterxml.jackson.core | False positive. We do not use default typing in vnfsdk/functest. Currently, we are looking for using the Gson to replace the Jackson. | No Action |
vnfsdk/functest | com.github.roskart.dropwizard-jaxws | False positive. The code comes in through a 3rd party dependency, but isn't used in VNFSDK. | No Action |
vnfsdk/functest | com.h2database | False positive. Only used in unit testing. There is no way for this to be used during deployment. | No Action |
vnfsdk/validation | com.fasterxml.jackson.core | False positive. We do not use default typing in vnfsdk/validation | No Action |
vnfsdk/refrepo | com.fasterxml.jackson.core | False positive Jackson: can be an issue if we leave on default typing
| No Action |
vnfsdk/refrepo | bootstrap | 2019/4/17: Bootstarp publish the latest non-vulnerable version 4.3.1 two month ago. we will try to investigate this in El Alto Release. There is no non-vulnerable version of bootstrap package. | Request Exception... |
vnfsdk/functest | postgresql | the related CVE is marked as disputed. it's commonly used and without newer version. we'd like to ask exception for it. | Request Exception... |
vnfsdk/validation | jline | False postive. jline is used during the mvn test phase and is not used while vnfsdk service is running. so it is false positive categoty. | No Action |
vnfsdk/refrepo vnfsdk/functest | jetty-http jetty-server jetty-util | WIP | |
vnfsdk/refrepo | commons-codec | Request Exception This dependency is used by httpclient package: org.apache.httpcomponents. HttpClient is heavily used in opensource and currently we cant find an alternative for this. | Request Exception |
vnfsdk/validation | commons-codec | Request Exception This dependency is used by httpclient package: org.apache.httpcomponents. HttpClient is heavily used in opensource and currently we cant find an alternative for this. | Request Exception |
vnfsdk/refrepo | postgresql | the related CVE is marked as disputed. it's commonly used and without newer version. we'd like to ask exception for it. | Request Exception... |