- Task
- Resolution: Done
- Medium
- Casablanca Release
The current Nexus IQ report shows the below, and I am getting help from Pierre. This task should be revisited after the ODL Oxygen upgrade, which is finished by 8/10/2018.
===
Please find below my analysis:

- Licenses
  - tomcat-embed-core 8.5.31 is CDDL 1.1 or GPL2-with-CPE (classpath exception). Should be OK from a legal perspective, but as usual it is reported as a high risk because it belongs to the family of GPL licenses. APPC will need to have an approval for this component, if not already.
- Security
  - Threat/vulnerabilities wiki page: https://wiki.onap.org/pages/viewpage.action?pageId=25438971
  - appc-cdt:
    - Critical
      - jackson-databind 2.9.6: same as already known for other Jackson databind issues (reported in threat wiki page)
      - httpclient 4.5: it has a different version from the one reported in the Beijing Vulnerabilities/Threats wiki page, but I assume the issue is the same. A safe version exists, starting from 4.5.3, so upgrade is recommended.
    - Severe
      - guava 18.0: more recent versions exist, and a few of them appear to be safe (23.6.1-jre, 24.1.1-jre and later)
  - appc-deployment:
    - Critical
      - jackson-databind 2.9.6: see above
      - commons-beanutils 1.8.3: more recent versions exist, but no safe versions exist. A way to address the vulnerability is proposed in Nexus IQ
      - httpclient 4.5: same as above (recommend upgrade to 4.5.3 or more recent)
    - Severe
      - shiro-core 1.3.2: no safe versions exist
      - guava 18.0: same as above (recommend upgrade)
  - appc:
    - Critical
      - jackson-mapper-asl 1.9.13, 1.9.2: no safe versions exist; reported as a false positive as stated in the wiki page
      - jackson-databind 2.8.1, 2.3.2: no safe versions exist; anyway, 2.3.2 should be upgraded to a more recent version, as this library version is getting old
      - h2 database 1.4.196: no safe versions exist
      - jackson-core 2.3.2, 2.8.1: threat page reports the issue as a false positive. Safe versions exist, so upgrade should be evaluated.
      - apache.karaf.jaas.modules 4.0.10: reported in threat wiki page as a false positive
      - httpclient 4.5.2: as above, recommend upgrade to 4.5.3 or later
      - grizzly-http 2.3.28: safe versions seem to exist, but the licenses for those are reported as GPLv2. Threat wiki page says it's a false positive.
    - Severe
      - guava 18.0, 22.0: as above, some safe versions exist
      - netty-handler 4.1.8.Final: all versions after that one until 5.0.0.Alpha1 are reported as safe, so upgrade is recommended
      - jsch 0.1.51, 0.1.52: version 0.1.54 is reported as secure, so upgrade to that version is recommended
      - apache.karaf.jaas.modules 4.0.10: same as above (reported in threat wiki)
      - bcprov-jdk15on 1.56: version 1.57 and later are reported as secure
Best regards,
Pierre
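The analysis above boils down to a per-artifact rule: the finding is closed once the dependency is at or beyond the first version Nexus IQ reports as safe (or inside a safe range, as for netty-handler), and a finding with "no safe versions exist" cannot be closed by a version bump at all. The script below, added here as an editor's example and not code from Pierre's analysis or from the APPC project, encodes those thresholds from the comment and applies them to a constructed list of findings. It assumes a simplified, Maven-like version ordering (pre-release qualifiers such as Alpha sort below a plain release; `Final`, `jre` and similar release-style suffixes are ignored), and it treats the netty-handler upper bound `5.0.0.Alpha1` as exclusive, which the comment does not state explicitly. The Jackson artifacts are left out of the threshold table because the comment defers them to the threat wiki page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pre-release qualifiers sort below a plain release; "Final", "GA", "jre" and any
# other release-style qualifier count as the release itself (simplified ordering,
# an assumption of this example, not a full Maven implementation).
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4}
RELEASE_RANK = 5


def parse_version(version: str) -> Tuple[Tuple[int, int], ...]:
    """Split a Maven-style version like '4.1.8.Final' into comparable (rank, number) pairs."""
    parts: List[Tuple[int, int]] = []
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit():
            parts.append((RELEASE_RANK, int(token)))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", token)
        if not m:
            raise ValueError(f"unparseable token {token!r} in version {version!r}")
        rank = PRERELEASE_RANK.get(m.group(1).lower(), RELEASE_RANK)
        parts.append((rank, int(m.group(2) or 0)))
    # Trailing ".0" or ".Final" carry no ordering information: 4.1.8.Final == 4.1.8
    while parts and parts[-1] == (RELEASE_RANK, 0):
        parts.pop()
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter versions are padded with release zeros so that
    5.0.0 > 5.0.0.Alpha1 and 4.5 < 4.5.3."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [(RELEASE_RANK, 0)] * (width - len(pa))
    pb += [(RELEASE_RANK, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


_CONSTRAINT = re.compile(r"^(>=|<=|>|<)\s*(.+)$")
_ACCEPTED = {">=": (0, 1), ">": (1,), "<=": (-1, 0), "<": (-1,)}


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets a constraint such as '>=4.5.3' or '<5.0.0.Alpha1'."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"bad constraint {constraint!r}")
    op, bound = m.groups()
    return compare_versions(version, bound) in _ACCEPTED[op]


# Safe-version thresholds as stated in the analysis above. None means the report
# says no safe version exists, so a version bump alone cannot close the finding.
SAFE_CONSTRAINTS: Dict[str, Optional[List[str]]] = {
    "httpclient": [">=4.5.3"],
    "guava": [">=23.6.1-jre"],
    "jsch": [">=0.1.54"],
    "bcprov-jdk15on": [">=1.57"],
    "netty-handler": [">4.1.8.Final", "<5.0.0.Alpha1"],  # upper bound assumed exclusive
    "shiro-core": None,
    "commons-beanutils": None,
    "h2": None,
}


def triage(artifact: str, version: str) -> str:
    """Classify one dependency as 'safe', 'upgrade', 'no-safe-version' or 'untracked'."""
    if artifact not in SAFE_CONSTRAINTS:
        return "untracked"
    constraints = SAFE_CONSTRAINTS[artifact]
    if constraints is None:
        return "no-safe-version"
    return "safe" if all(satisfies(version, c) for c in constraints) else "upgrade"


# Constructed sample findings mirroring the per-module breakdown in the analysis.
SAMPLE_FINDINGS = [
    ("appc-cdt", "httpclient", "4.5"),
    ("appc-cdt", "guava", "18.0"),
    ("appc-deployment", "shiro-core", "1.3.2"),
    ("appc", "httpclient", "4.5.2"),
    ("appc", "netty-handler", "4.1.8.Final"),
    ("appc", "jsch", "0.1.54"),  # already at the recommended version
    ("appc", "bcprov-jdk15on", "1.56"),
    ("appc", "jackson-databind", "2.8.1"),  # deferred to the threat wiki, so untracked here
]


def triage_report(findings) -> List[Tuple[str, str, str, str]]:
    """Attach a triage status to every (module, artifact, version) finding."""
    return [(mod, art, ver, triage(art, ver)) for mod, art, ver in findings]


if __name__ == "__main__":
    for row in triage_report(SAMPLE_FINDINGS):
        print("%-16s %-18s %-12s %s" % row)
```

Running the script prints one status per finding; in practice the findings list would be fed from the Nexus IQ export rather than hard-coded, and the threshold table is the thing worth keeping under review, since a "safe from" version is only as current as the report it came from.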