Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.


RepositoryGroupImpact AnalysisAction

vfc/nfvo/driver/vnfm/gvnfm


org.springframework

False positive

Code doesn't use the getValueInternal() method in the OperatorMatches class

Plan to update the no vulnerability version in E version

VFC-1284 - Getting issue details... STATUS


vfc/nfvo/driver/vnfm/gvnfmorg.springframework
Plan to update the no vulnerability version in E version

vfc/nfvo/resmanagement

vfc-nfvo-multivimproxy

vfc/nfvo/driver/vnfm/gvnfm/juju

commons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

False positive. No Action.

All of the existing commons-beanutils have vulnerabilities issues.



vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

commons-beanutils

False positive

net.sf.json-lib:json-lib:2.4 depend on this

This vulnerability issue is an indirect dependency introduced by vfc/nfvo/resmanagement

False positive. No Action.

All of the existing commons-beanutils have vulnerabilities issues.

vfc/nfvo/resmanagement

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc-nfvo-multivimproxy

vfc/nfvo/driver/vnfm/gvnfm/juju

vfc/nfvo/driver/vnfm/gvnfm


org.codehaus.jackson

False positive

Version 1.9.13 is already newest.

There is no non vulnerable version of this component. 

Code doesn’t use Jackson directly and don’t use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability 

False positive.

All of the existing jackson jackson-mapper-asl have vulnerabilities issues.

VFC-1272 - Getting issue details... STATUS

vfc/nfvo/driver/vnfm/svnfm/huaweiapache-httpclient

False positive

Version 3.1 is already newest.

There is no non vulnerable version of this component. 

VF-C code doesn’t use the readRawLine() method in commons-httpclient directly. We plan to replace this jar with Apache HttpComponents, but need some time to update the code and test.

Code doesn't use it for the verification of the SSL certificate

False positive

We are trying to replace this jar with other jars

VFC-1274 - Getting issue details... STATUS

VFC-1285 - Getting issue details... STATUS

VFC-1286 - Getting issue details... STATUS

vfc/nfvo/driver/vnfm/gvnfm

commons-collections

False positive

Code doesn't use InvokerTransformer

False positive. Not use the security class. No Action

VFC-1275 - Getting issue details... STATUS

vfc/nfvo/driver/vnfm/svnfm/huawei

vfc/nfvo/driver/vnfm/gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement 

org.eclipse.jetty.aggregate

False positive

Code doesn't use boolean check(Object credentials) function in the Password.java 

No Action

VFC-1302 - Getting issue details... STATUS

vfc/nfvo/driver/vnfm/gvnfm 

org.springframework

False positive

Code doesn't use ResourceHttpRequestHandler to  check for directory traversal

Plan to update the no vulnerability version in D version

VFC-1288 - Getting issue details... STATUS

vfc/nfvo/driver/vnfm/gvnfmorg.apache.commonsno vulnerability analysis

Plan to update the no vulnerability version in E version

VFC-1289 - Getting issue details... STATUS

vfc-nfvo-driver-emscom.fasterxml.jackson.core

False positive

Explaination: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

ems driver doesn't invoke this method

False positive.No Action.

All of the existing jackson databind have vulnerabilities issues.


vfc-nfvo-driver-emsorg.exist-db.thirdparty.xerces

False positive

ems driver haven't used  the setupCurrentEntity()method in

XMLEntityManager class and ems doesn't run on the following java version: Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144, it used openjdk version '1.8.0_191'

False positive

VFC-1294 - Getting issue details... STATUS

vfc-nfvo-driver-emsjavax.mailEms driver doesn't invoke getUniqueMessageIDValue() method

False positive

VFC-1295 - Getting issue details... STATUS Done

vfc-nfvo-driver-svnfm-nokiav2 org.springframework.security

False positive

Code didn't use the doFilter() method in the SwitchUserFilter Class and the Switch User Processing Filter doesn't configured in the code.

False positive.No Action. 

No version with a fix is currently available.

VFC-1300 - Getting issue details... STATUS

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


False postive.

We don't use jquery and bootstrap package.

Request Exception

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


Currently we can't find an alternative for this. We will try to investigate this in El Alto Release.

No Action

vfc-gvnfm-vnflcm

vfc-gvnfm-vnfmgr

vfc-gvnfm-vnfres

vfc-nfvo-catalog

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-driver-vnfm-svnfm-zte

vfc-nfvo-lcm


False postive.

We don't use jquery and qunit package.

No Action
vfc-nfvo-driver-emsorg.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-emsorg.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version

vfc-nfvo-driver-ems

vfc-nfvo-driver-svnfm-huawei

commons-codec
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version

vfc-nfvo-driver-svnfm-huawei

vfc-nfvo-driver-vnfm-gvnfm

vfc-nfvo-multivimproxy

vfc-nfvo-resmanagement

org.apache.commons
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.springframework.security
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.eclipse.jetty

False positive

Code doesn't use the sendDirectory() function in ResourceService.class and DefaultServlet.class files and files and the doDirectory() function in the ResourceHandler.class file .

This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2commons-codec
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-vnfm-gvnfm
vfc-nfvo-driver-svnfm-nokiav2com.squareup.okhttp3
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
vfc-nfvo-driver-svnfm-nokiav2org.json
This is scanned by NEXUS IQ server recently, plan to update the no vulnerability version in E version
  • No labels