Casablanca UUI Security/Vulnerability Report

This table lists the vulnerabilities reported by Nexus-IQ in third-party packages used by the project (usecase-ui), with an impact analysis stating whether each one is exploitable in ONAP and the action taken.



Columns: Repository, Group, Impact Analysis, Action

Repository: usecase-ui

Group: com.fasterxml.jackson.core

Impact Analysis: False positive.

Analysis: the vulnerability is not exposed through the portal's code, because

  1. The portal does not pass untrusted data to the deserializer; XSS/XSRF validation is enabled in the portal's backend code. (On its own, XSS/XSRF validation is not a control against deserialization attacks; the deciding factors are points 2 and 3.)

  2. Default typing (ObjectMapper.setDefaultTyping()) is never enabled; the portal deserializes into concrete Java types only, so the JSON input cannot choose which class gets instantiated.

  3. The portal uses Spring Security 4.2.3, as recommended in the Nexus-IQ report.

Spring Security 4.2.3.RELEASE carries the fix for this finding (CVE-2017-4995): its Jackson module no longer enables unrestricted default typing and instead restricts type ids to an allowlist of Spring Security's own classes.

Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
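To make the default-typing point concrete, here is an added example (not code from usecase-ui or ONAP) that contrasts the unsafe Jackson configuration the Nexus-IQ finding is about with the concrete-type binding the portal relies on. It assumes only jackson-databind (com.fasterxml.jackson.core) on the classpath; the Probe and DateRange classes and the two payload strings are constructed for the demo and are not the project's.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

// Hypothetical stand-in for a class an attacker would like the deserializer to
// instantiate. It only counts its own constructions; in a real gadget chain the
// constructor or a setter would do the damage.
class Probe {
    static int constructed = 0;
    public String note;
    public Probe() { constructed++; }
}

// Hypothetical concrete type the portal's own code binds request JSON to.
class DateRange {
    public String from;
    public String to;
}

class DefaultTypingDemo {

    // Constructed attacker input in Jackson's "wrapper array" shape [typeId, value],
    // which is what default typing consumes with its default inclusion
    // (JsonTypeInfo.As.WRAPPER_ARRAY). The type id is whatever the JSON says.
    static final String WRAPPER_ARRAY_PAYLOAD =
            "[\"" + Probe.class.getName() + "\", {\"note\": \"x\"}]";

    // Constructed attacker input using a type-id property, the shape used by
    // @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS).
    static final String PROPERTY_PAYLOAD =
            "{\"@class\": \"" + Probe.class.getName() + "\", \"note\": \"x\"}";

    /** Unsafe configuration: the JSON input picks the class that is instantiated. */
    static Object deserializeWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Jackson 2.9-era API (assumed for this demo); deprecated in 2.10 in favour of
        // activateDefaultTyping(PolymorphicTypeValidator, ...).
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    /** Safe configuration: no default typing, binding to one concrete type only. */
    static DateRange deserializeToConcreteType(String json) throws Exception {
        // FAIL_ON_UNKNOWN_PROPERTIES is on by default, so a stray "@class"
        // property is an error rather than something the mapper acts on.
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, DateRange.class);
    }

    public static void main(String[] args) throws Exception {
        // Unsafe: Jackson resolves the type id from the JSON and constructs it.
        Object o = deserializeWithDefaultTyping(WRAPPER_ARRAY_PAYLOAD);
        System.out.println("default typing: instantiated " + o.getClass().getName()
                + "; Probe constructed " + Probe.constructed + " time(s)");

        // Safe: the "@class" property is unknown to DateRange and is rejected.
        try {
            deserializeToConcreteType(PROPERTY_PAYLOAD);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("concrete type: rejected type-id property: "
                    + e.getOriginalMessage());
        }

        // Safe: a wrapper array is not a DateRange object and is rejected
        // (MismatchedInputException in 2.9+, a JsonMappingException in older 2.x).
        try {
            deserializeToConcreteType(WRAPPER_ARRAY_PAYLOAD);
        } catch (JsonMappingException e) {
            System.out.println("concrete type: rejected wrapper array: "
                    + e.getOriginalMessage());
        }

        // Probe was constructed only on the unsafe path.
        System.out.println("Probe constructed in total: " + Probe.constructed);
    }
}
```

With default typing on, the type id inside the JSON decides which class Jackson instantiates, which is the root of the Jackson deserialization findings; with a concrete target type and no default typing, the same payloads fail before any constructor runs. The Spring Security 4.2.3 fix for CVE-2017-4995 takes the analogous route on its side by restricting the type ids its Jackson module accepts to an allowlist of its own classes.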

Action: Not vulnerable in ONAP

Repository: usecase-ui

Group: commons-httpclient

Impact Analysis: The recommendation is to migrate to org.apache.httpcomponents (HttpClient 4.x). usecase-ui does not use commons-httpclient directly; it is pulled in only as a transitive dependency of another library. (A transitive dependency is still loaded on the classpath, so this assessment holds as long as no reachable code path in the application or its direct dependencies invokes the flagged commons-httpclient code.)

False positive.

Action: No Action.

Repository: usecase-ui

Group: angular

Impact Analysis:

moment.js: all available versions of moment.js are flagged as vulnerable, so an upgrade is not an option. Analysis: not vulnerable, because all date fields are reformatted and validated before they are submitted.

AngularJS (SONATYPE-2016-0064): from our analysis the vulnerability cannot be exploited, because the usecase-ui application follows the design recommendations given in the Nexus-IQ report.

Recommendation by Nexus-IQ for this vulnerability (SONATYPE-2016-0064):

It's best to design your application in such a way that users cannot change client-side templates.

  • Do not mix client and server templates

  • Do not use user input to generate templates dynamically

  • Do not run user input through $scope.$eval (or any of the other expression parsing functions listed above)

  • Consider using ngCsp (CSP), but don't rely only on CSP

Action: Not vulnerable in ONAP