Dublin CLAMP Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.

| Group | Package | Impact Analysis | Action |
|---|---|---|---|
| clamp | com.fasterxml.jackson.core | The issue has been removed from the CLAMP core code. The remaining usage of Jackson comes from the SDC client library, so we depend on the SDC project to remove the final reference to the Jackson library. | CLAMP-236: Replace Jackson by another JSON library (Closed); SDC-2216: Security improvements (Closed) |
| clamp | com.fasterxml.jackson.core | Same as above. | CLAMP-236: Replace Jackson by another JSON library (Closed) |
| clamp | com.fasterxml.jackson.core | Same as above. | CLAMP-236: Replace Jackson by another JSON library (Closed) |
| clamp | com.fasterxml.jackson.core | Same as above. | CLAMP-236: Replace Jackson by another JSON library (Closed) |
| clamp | com.fasterxml.jackson.datatype | Same as above. | CLAMP-236: Replace Jackson by another JSON library (Closed) |
| clamp | angular | Need to move to a higher version of Angular, which requires a complete rework of the CLAMP UI. | CLAMP-223: replace "angular.js" and move to "React" for security issues (Closed) |
| clamp | angular | Need to move to a higher version of Angular, which requires a complete rework of the CLAMP UI. | CLAMP-223: replace "angular.js" and move to "React" for security issues (Closed) |
| clamp | org.springframework.security | We need it to support the basic authentication case for CLAMP (to support deployment without AAF integration). Since in normal operation AAF will be used, this will not be an issue in normal use of CLAMP. | CLAMP-282: spring-security-web vulnerability issue (Closed) |
| clamp | angular | Need to move to a higher version of Angular, which requires a complete rework of the CLAMP UI. | CLAMP-223: replace "angular.js" and move to "React" for security issues (Closed) |
| clamp | lodash | Issue solved. lodash has been removed from the GUI code, as it is actually not used. | https://lf-onap.atlassian.net/browse/CLAMP-281 |
| clamp | dom4j | Used by Hibernate inside the Spring Boot framework. Since we are not using XML, the impact is limited, but we plan to move to a newer version of Spring Boot (version 2.1.4) to solve the issue. | https://lf-onap.atlassian.net/browse/CLAMP-338 |
| clamp | commons-codec | Under investigation (first appeared on the report on April 13th, 2019). | https://lf-onap.atlassian.net/browse/CLAMP-342 |
| clamp | org.apache.tomcat.embed | Only affects Windows-based platforms, so not applicable in ONAP. | https://lf-onap.atlassian.net/browse/CLAMP-353 |
| clamp | jquery.min.js | Under investigation. | https://lf-onap.atlassian.net/browse/CLAMP-397 |