This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder | com.fasterxml.jackson.core | will fix in dublin - as no version of jackson is safe LOG-826 - Getting issue details... STATUS | |
| logging-analytics | com.fasterxml.jackson.core | false positive - we don't use this part of the library LOG-833 - Getting issue details... STATUS | will fix in dublin - as no version of jackson is safe Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now LOG-833 - Getting issue details... STATUS |
| pomba-audit-common | com.fasterxml.jackson.core | false positive - we don't use this part of the library will fix in dublin - as no version of jackson is safe | |
| logging-analytics | org.glassfish.hk2.external | false positive - we don't use this part of the library will fix in dublin Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now | |
| logging-analytics | com.fasterxml.jackson.module | will move to 2.8.7 by upgrading to spring-boot 2.1 - likely before Dublin - but a lot of testing is required Also implementing library is a non-deployed demo library - with no use in any deployed docker image right now | |
logging-analytics pomba-aai-context-builder pomba-context-aggregator pomba-network-discovery-context-builder pomba-sdc-context-builder | org.springframework.boot : | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing LOG-829 - Getting issue details... STATUS | |
pomba-sdc-context-builder logging-analytics | org.json | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing Dependency org.json:json:jar:20140107 located at Module org.onap.logging-analytics:logging-slf4j-demo:war:1.4.0-SNAPSHOT | |
| pomba-sdc-context-builder | net.sf.flexjson | Like all the other onap projects - we need to move to spring-boot 2.1 - likely before Dublin - but a lot of testing Dependency net.sf.flexjson:flexjson:jar:3.3 located at Module org.onap.logging-analytics.pomba:pomba-sdc-context-builder:jar:1.4.0-SNAPSHOT We will defer this like SDC does | |
| handelbars | Need to upgrade to or above 4.0.0 LOG-827 - Getting issue details... STATUS For SDNC-CB this is pushed to dublin | LOG-827 - Getting issue details... STATUS | |
| stipsan/uikit (swagger) | No versions are good - need a replacement for this swagger component LOG-828 - Getting issue details... STATUS For SDNC-CB this is pushed to dublin | LOG-828 - Getting issue details... STATUS | |
| pomba-sdnc-context-builder | logback-classic | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Note: SDNC-ContextBuilder is not deployed as part of Casablanca - OOM has not branched as of 20181128 - so we can see there is no pod for SDNC-CB - it will appear in the dublin branch via master - therefore the SV reports can be ignored for now as they are in dublin scope (there is an issue where CLM jobs are run against master instead of branches) onap onap-pomba-pomba-aaictxbuilder-67ccd944f-zc2k2 2/2 Running 0 4h onap onap-pomba-pomba-contextaggregator-678d4587cd-gwkgh 1/1 Running 0 4h onap onap-pomba-pomba-data-router-6c8cf96c8d-hfq4x 1/1 Running 0 4h onap onap-pomba-pomba-elasticsearch-7b8bc5f864-z682m 1/1 Running 0 4h onap onap-pomba-pomba-kibana-64f8788bbd-9vtr9 1/1 Running 0 4h onap onap-pomba-pomba-networkdiscovery-5bd8f8b96d-wqk8j 2/2 Running 0 4h onap onap-pomba-pomba-networkdiscoveryctxbuilder-5bf84c9f6d-dpzsw 2/2 Running 0 4h onap onap-pomba-pomba-sdcctxbuilder-5b688d6fd5-f4gbt 1/1 Running 0 4h onap onap-pomba-pomba-search-data-5b4d8f7dc6-f9v69 2/2 Running 0 4h onap onap-pomba-pomba-servicedecomposition-9885f8f88-ps8kd 2/2 Running 0 4h onap onap-pomba-pomba-validation-service-54598588fc-wf8lx 1/1 Running 0 4h move to or above 1.2 - should be at 1.2.2+ LOG-846 - Getting issue details... STATUS | LOG-846 - Getting issue details... STATUS |
| pomba-sdnc-context-builder | struts-core | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca | |
| pomba-sdnc-context-builder | struts-taglib | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency org.apache.struts:struts-taglib:jar:1.3.8 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| pomba-sdnc-context-builder | org.codehaus.plexus | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency org.codehaus.plexus:plexus-utils:jar:3.0.22 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| pomba-sdnc-context-builder | dom4j | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency dom4j:dom4j:jar:1.6.1 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| pomba-sdnc-context-builder | commons-beanutils | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency commons-beanutils:commons-beanutils:jar:1.9.3 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| pomba-sdnc-context-builder | org.apache.ant | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency org.apache.ant:ant:jar:1.8.4 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT | |
| pomba-sdnc-context-builder | org.jsoup | DMaaP usage related Fixing in Dublin - the sdnc-cb repo/service was not part of casablanca Dependency org.jsoup:jsoup:jar:1.7.2 located at Module org.onap.logging-analytics.pomba:pomba-sdnc-context-builder:jar:1.4.0-SNAPSHOT |