This template is used to document the outcome of the impact analysis of the known vulnerabilities reported by Nexus-IQ (the CLM tab in Jenkins). Nexus-IQ identifies known vulnerabilities in the third-party components used by ONAP components.
This table is presented to the TSC at the Code Freeze milestone (M4).
It is recommended to first update to the latest available version of the third-party components. If the latest version still reports vulnerabilities, you must provide an impact analysis as illustrated in the example below.
Where you have nested third-party components (a third-party component embedding another third-party component) and there is no CVE number for the upstream component (the component you are embedding), it is recommended to open a vulnerability issue against that upstream component.
The following table covers two different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The Repository, Group, Artifact, Version and Problem Code values are extracted from the CLM report (see the screenshot below). The third column records the flagged artifact and the Nexus-IQ/Sonatype report identifier; the fourth column records the analysis outcome: either the remediation action or the reasoning for a false-positive classification.
Repository | Group | Vulnerable artifact and vulnerability report | Impact Analysis / Action |
---|---|---|---|
dcaegen2/analytics/tca-gen2 | com.fasterxml.jackson.core | Vulnerable artifact: Vulnerability report: SONATYPE-2017-0312 | False Positive Classification Reasoning (to be confirmed): Jackson is only used for converting POJO to JSON, not the other direction, which is what CVE-2018-7489 reports as vulnerable. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method. |
dcaegen2/analytics/tca-gen2 | org.springframework | spring-aop Vulnerability report: | Update spring-aop to 5.0.8.RELEASE |
dcaegen2/analytics/tca-gen2 | org.springframework.data | spring-data-commons Vulnerability report | Update spring-data-commons to 2.0.8.RELEASE version |
dcaegen2/analytics/tca | com.fasterxml.jackson.core | jackson-databind:jar:2.4.4 Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.1-SNAPSHOT Vulnerability report: | False Positive Classification Reasoning: There is no use of |
dcaegen2/analytics/tca | com.fasterxml.jackson.core | jackson-core:2.4.4 Vulnerable artifacts: <same as jackson-databind 2.4.4 above> Vulnerability report: SONATYPE-2016-0397 SONATYPE-2017-0355 | False Positive Classification Reasoning: There is no use of either |
dcaegen2/collectors/datafile | org.apache.tomcat.embed | tomcat-embed-core Vulnerability report | Update tomcat-embed-core to 8.5.32 version |
dcaegen2/collectors/datafile | org.bouncycastle | bcprov-jdk15on Vulnerability report | Upgrade version. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. |
dcaegen2/collectors/datafile | com.fasterxml.jackson.core | Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-server:jar:1.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 | To be assessed: whether an alternative is available, or whether Jackson is only used for converting POJO to JSON (the reverse direction, JSON to POJO deserialization, is what is flagged under CWE-502), or whether the following applies: if this component is used as part of Spring Security, the application is not vulnerable when running Spring Security 4.2.3.RELEASE or later for 4.x, or Spring Security 5.0.0.M2 or later for 5.x (CVE-2017-4995). |
dcaegen2/collectors/datafile | org.springframework | Vulnerability report: | Update spring-aop to 5.0.8.RELEASE |
dcaegen2/collectors/hv-ves | com.fasterxml.jackson.core | jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT Vulnerability report: | To be assessed: whether an alternative is available, or whether Jackson is only used for converting POJO to JSON (the reverse direction, JSON to POJO deserialization, is what is flagged under CWE-502), or whether the following applies: if this component is used as part of Spring Security, the application is not vulnerable when running Spring Security 4.2.3.RELEASE or later for 4.x, or Spring Security 5.0.0.M2 or later for 5.x (CVE-2017-4995). |
dcaegen2/collectors/ves | org.apache.tomcat.embed | tomcat-embed-core Vulnerability report: | Update tomcat-embed-core to 8.5.32 version |
dcaegen2/collectors/ves | com.fasterxml.jackson.core | jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar:1.3.1-SNAPSHOT Vulnerability report: | False Positive Classification Reasoning: The application is only vulnerable through this component when default typing is enabled and untrusted data is passed in for deserialization, which is not the case here. |
dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3 Vulnerability report: | False Positive Classification Reasoning: According to the vulnerability description, and given that the org.onap.dcaegen2.platform:inventory-api code does not enable global default typing (using the class name as the type id), we believe this report is a false positive. |
dcaegen2/platform/inventory-api | org.eclipse.jetty | jetty-http, 9.4.2.v20170220 Vulnerability report: | Upgrade to latest version - 9.4.12.v20180830 |
dcaegen2/platform/inventory-api | org.eclipse.jetty | jetty-server, 9.4.2.v20170220 Vulnerability report: | Upgrade to latest version - 9.4.12.v20180830 |
dcaegen2/services/mapper | org.codehaus.groovy | groovy-all, 2.4.4 Vulnerability report: | Upgrade to latest version - 2.4.15 |
dcaegen2/services/mapper | org.apache.tomcat.embed | tomcat-embed-core, 8.5.31 Vulnerability report: | Update tomcat-embed-core to 8.5.32 version |
dcaegen2/services/mapper | org.springframework | spring-expression, 5.0.3.RELEASE Vulnerability report: | Update to 5.0.9.RELEASE version |
dcaegen2/services/mapper | com.fasterxml.jackson.core | jackson-databind, 2.9.5 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1 Vulnerability report: SONATYPE-2017-0312 | To be assessed: Jackson can be updated to 2.9.6 (for consistency within the application) so that the Jackson-related vulnerability is addressed as a single item (see the 2.9.6 row below). |
dcaegen2/services/mapper | com.fasterxml.jackson.core | jackson-databind, 2.9.6 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 | False Positive Classification Reasoning (to be confirmed): In mapper, Jackson is only used for converting POJO to JSON, not the other direction, which is the one reported as vulnerable. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method. Thus we believe the report is a false positive. |
dcaegen2/services/mapper | org.springframework.data | spring-data-commons, 2.0.6.RELEASE Vulnerability report: | Update to 2.0.8.RELEASE version |
dcaegen2/services/mapper | xerces | xercesImpl, 2.11.0-atlassian-01 Vulnerability report: | Update to 2.12.0 version |
dcaegen2/services/mapper | org.apache.httpcomponents | httpclient, 4.5.2 Vulnerability report: SONATYPE-2017-0359 Sonatype CWE: 22 The Apache httpcomponents component is vulnerable to Directory Traversal. The | Update to 4.5.3 or later |
dcaegen2/services/mapper | org.springframework | spring-core, 5.0.3.RELEASE Vulnerability report: | Update to 5.0.5.RELEASE or later version |
dcaegen2/services/prh | org.apache.tomcat.embed | tomcat-embed-core, 8.5.28 Vulnerability report: | Update to 8.5.32 version |
dcaegen2/services/prh | org.bouncycastle | bcprov-jdk15on, 1.59 Vulnerable artifacts: Dependency org.bouncycastle:bcprov-jdk15on:jar:1.59 located at Module org.onap.dcaegen2.services.prh:prh-app-server:jar:1.0.0-SNAPSHOT Vulnerability report: | No alternate (unflagged) version available. To be assessed whether this dependency can be removed or the threat is not applicable. |
dcaegen2/services/prh | com.fasterxml.jackson.core | jackson-databind, 2.9.6 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 | To be assessed: whether an alternative is available, or whether Jackson is only used for converting POJO to JSON (the reverse direction, JSON to POJO deserialization, is what is flagged under CWE-502), or whether the following applies: if this component is used as part of Spring Security, the application is not vulnerable when running Spring Security 4.2.3.RELEASE or later for 4.x, or Spring Security 5.0.0.M2 or later for 5.x (CVE-2017-4995). |
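Several rows above rest on the same three claims about jackson-databind: the module only serializes (writeValueAsString, never readValue), default typing is not enabled, or no type is annotated with a class-name type id. The helper below is an added example written for this page, not ONAP/DCAE code; it scans a module's Java sources for exactly those call patterns and returns a verdict with file:line evidence that can be pasted into the Impact Analysis column. The sample sources, regexes and verdict strings are this example's own constructions. It is a heuristic: it does not follow data flow, and it cannot see deserialization performed by framework code (for example Spring's Jackson HTTP message converter binding an @RequestBody), so a module with no readValue call of its own can still deserialize untrusted input and that path must be checked by hand.

```python
"""Triage helper for Jackson deserialization findings (e.g. SONATYPE-2017-0312).

Added example for this page, not ONAP/DCAE code. Scans Java source text for the
usage patterns the impact-analysis reasoning relies on and returns a verdict
plus file:line evidence. Heuristic only: regex matching, no data-flow analysis.
"""
import re
from dataclasses import dataclass, field

# JSON -> object entry points: the direction the deserialization advisories cover.
DESERIALIZE_CALLS = re.compile(
    r"\.(readValue|readValues|readTree|treeToValue|readerFor|readerForUpdating)\s*\(")
# Object -> JSON entry points: the direction the table classifies as not affected.
SERIALIZE_CALLS = re.compile(
    r"\.(writeValueAsString|writeValueAsBytes|writeValue|valueToTree|writerFor)\s*\(")
# Global default typing: the precondition the gadget-chain reports require.
DEFAULT_TYPING = re.compile(
    r"\.(enableDefaultTyping|enableDefaultTypingAsProperty|activateDefaultTyping)\s*\(")
# Per-type polymorphic handling that uses a class name as the type id.
CLASS_TYPE_ID = re.compile(
    r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(?:CLASS|MINIMAL_CLASS)\b")

VERDICT_NO_JACKSON = "no Jackson ObjectMapper usage found"
VERDICT_SERIALIZE_ONLY = "serialization only (writeValue*): false-positive candidate"
VERDICT_DEFAULT_TYPING = "deserializes with default typing enabled: exploitation precondition present"
VERDICT_CLASS_TYPE_ID = "deserializes types with class-name type ids: manual review required"
VERDICT_PLAIN_DESER = "deserializes to concrete types, no polymorphic typing: false-positive candidate"


@dataclass
class Finding:
    verdict: str
    serialize: list = field(default_factory=list)
    deserialize: list = field(default_factory=list)
    default_typing: list = field(default_factory=list)
    class_type_id: list = field(default_factory=list)


def _strip_comments(src: str) -> str:
    # Block comments become the same number of newlines so that the reported
    # line numbers still match the original file; line comments are blanked.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan_module(sources: dict) -> Finding:
    """sources maps a path to the Java source text of one module's files."""
    f = Finding(verdict=VERDICT_NO_JACKSON)
    for path, src in sources.items():
        for lineno, line in enumerate(_strip_comments(src).splitlines(), start=1):
            where = f"{path}:{lineno}"
            if SERIALIZE_CALLS.search(line):
                f.serialize.append(where)
            if DESERIALIZE_CALLS.search(line):
                f.deserialize.append(where)
            if DEFAULT_TYPING.search(line):
                f.default_typing.append(where)
            if CLASS_TYPE_ID.search(line):
                f.class_type_id.append(where)
    # Verdict order mirrors the table's reasoning: no deserialization at all,
    # then the global default-typing precondition, then class-name type ids.
    if not f.deserialize:
        f.verdict = VERDICT_SERIALIZE_ONLY if f.serialize else VERDICT_NO_JACKSON
    elif f.default_typing:
        f.verdict = VERDICT_DEFAULT_TYPING
    elif f.class_type_id:
        f.verdict = VERDICT_CLASS_TYPE_ID
    else:
        f.verdict = VERDICT_PLAIN_DESER
    return f


# Constructed sample sources (hypothetical, not real ONAP code), one per verdict.
SAMPLE_SERIALIZE_ONLY = {"mapper/EventWriter.java": """
    // object -> JSON only; no readValue anywhere in the module
    String body = new ObjectMapper().writeValueAsString(event);
"""}
SAMPLE_CONCRETE_DESER = {"ves/EventReader.java": """
    ObjectMapper mapper = new ObjectMapper();
    /* default typing is never enabled; the target type is concrete */
    Event e = mapper.readValue(body, Event.class);
"""}
SAMPLE_DEFAULT_TYPING = {"demo/UnsafeReader.java": """
    ObjectMapper mapper = new ObjectMapper();
    mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    Object o = mapper.readValue(untrusted, Object.class);
"""}
SAMPLE_CLASS_TYPE_ID = {
    "inventory/Message.java": """
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "@class")
    public abstract class Message {}
""",
    "inventory/MessageReader.java": "Message m = mapper.readValue(in, Message.class);",
}

if __name__ == "__main__":
    for name, module in [("serialize-only", SAMPLE_SERIALIZE_ONLY),
                         ("concrete-deser", SAMPLE_CONCRETE_DESER),
                         ("default-typing", SAMPLE_DEFAULT_TYPING),
                         ("class-type-id", SAMPLE_CLASS_TYPE_ID)]:
        r = scan_module(module)
        print(f"{name}: {r.verdict}")
        for label, hits in [("deserialize", r.deserialize),
                            ("default typing", r.default_typing),
                            ("class type id", r.class_type_id)]:
            if hits:
                print(f"  {label}: {', '.join(hits)}")
```

To use it on a real module, read every file under src/main/java into the dict and record the verdict and evidence in the table. A default-typing hit on a path that handles external input (a VES event body, a file from a remote node) means the finding is confirmed rather than a false positive, and the action is the version update.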