Application Controller / APPC-1103

Assess APPC - Nexus Build Report


    • Type: Task
    • Priority: Medium
    • Resolution: Done
    • Casablanca Release
    • APPC

      The current Nexus IQ report shows the below, and I am getting help from Pierre. This task should be revisited after the ODL Oxygen upgrade, which is finished by 8/10/2018.

      ===

      Please find below my analysis:


      • Licenses


      • tomcat-embed-core 8.5.31 is CDDL 1.1 or GPL2-with-CPE (classpath exception). Should be OK from a legal perspective, but as usual it is reported as a high risk because it belongs to the family of GPL licenses. APPC will need to have an approval for this component, if not already.


      • Security


      Threat/vulnerabilities wiki page: https://wiki.onap.org/pages/viewpage.action?pageId=25438971


      • appc-cdt:


      Critical

      • jackson-databind 2.9.6: same as already known for other Jackson databind issues (reported in threat wiki page)
      • httpclient 4.5: it has a different version from the one reported in the Beijing Vulnerabilities/Threats wiki page, but I assume the issue is the same. A safe version exists, starting from 4.5.3, so upgrade is recommended.


      Severe

      • guava 18.0: more recent versions exist, and a few of them appear to be safe (23.6.1-jre, 24.1.1-jre and later)


      • appc-deployment:


      Critical

      • jackson-databind 2.9.6: see above
      • commons-beanutils 1.8.3: more recent versions exist, but no safe versions exist. A way to address the vulnerability is proposed in Nexus IQ
      • httpclient 4.5: same as above (recommend upgrade to 4.5.3 or more recent)


      Severe

      • shiro-core 1.3.2: no safe versions exist
      • guava 18.0: same as above (recommend upgrade)


      • appc:


      Critical

      • jackson-mapper-asl 1.9.13, 1.9.2: no safe versions exist; reported as being a false positive as stated in the wiki page
      • jackson-databind 2.8.1, 2.3.2: no safe versions exist; anyway 2.3.2 should be upgraded to a more recent version, as this library version is getting old
      • h2 database 1.4.196: no safe versions exist
      • jackson-core 2.3.2, 2.8.1: threat page reports the issue as false positive. Safe versions exist so upgrade should be evaluated.
      • apache.karaf.jaas.modules 4.0.10: reported in threat wiki page as false positive
      • httpclient 4.5.2: as above, recommend upgrade to 4.5.3 or later
      • grizzly-http 2.3.28: safe versions seem to exist but the licenses for those are reported as GPLv2. Threat wiki page says it’s a false positive.


      Severe

      • guava 18.0, 22.0: as above, some safe versions exist
      • netty-handler 4.1.8.Final: all versions after that one until 5.0.0.Alpha1 are reported as safe, so upgrade is recommended
      • jsch 0.1.51, 0.1.52: version 0.1.54 is reported as secure, so upgrade to that version is recommended
      • apache.karaf.jaas.modules 4.0.10: same as above (reported in threat wiki page)
      • bcprov-jdk15on 1.56: version 1.57 and later are reported as secure


      Best regards,

      Pierre
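The version floors in the analysis above are spread over three modules and easy to lose track of during the ODL Oxygen upgrade, so here is an added check (my own example, not ONAP or APPC code) that compares a build's resolved dependency versions against them. The artifact names, the 4.1.9.Final floor for netty-handler (assumed to be the first release after 4.1.8.Final) and the sample dependency list are my assumptions.

```python
"""Check resolved dependency versions against the Nexus IQ analysis above (added example, not ONAP/APPC code)."""
import re
# artifactId -> (minimum reported-safe version, exclusive upper bound or None).
# netty-handler: the analysis reports versions after 4.1.8.Final and below 5.0.0.Alpha1
# as safe; 4.1.9.Final is assumed to be the next release. Artifact names are assumptions.
SAFE_RANGES = {
    "httpclient": ("4.5.3", None),
    "guava": ("23.6.1-jre", None),
    "netty-handler": ("4.1.9.Final", "5.0.0.Alpha1"),
    "jsch": ("0.1.54", None),
    "bcprov-jdk15on": ("1.57", None),
}
# Components the analysis says have no safe version: flag for mitigation/tracking.
NO_SAFE_VERSION = {"commons-beanutils", "shiro-core", "h2", "jackson-databind"}

def version_key(version):
    """Tokenise '4.1.8.Final': numeric parts compare numerically, qualifiers
    ('Final', 'jre', 'Alpha1') compare as lowercase text after them. Deliberately
    simpler than Maven's ComparableVersion; sufficient for the versions above."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.split(r"[.\-]", version))

def assess(dependencies):
    """Return {'artifact@version': verdict}; artifacts the analysis does not
    mention are skipped."""
    verdicts = {}
    for artifact, version in dependencies:
        name = f"{artifact}@{version}"
        if artifact in NO_SAFE_VERSION:
            verdicts[name] = "no safe version reported; needs mitigation or tracking"
        elif artifact in SAFE_RANGES:
            floor, ceiling = SAFE_RANGES[artifact]
            key = version_key(version)
            in_range = key >= version_key(floor) and (
                ceiling is None or key < version_key(ceiling))
            bound = f">= {floor}" + (f", < {ceiling}" if ceiling else "")
            verdicts[name] = "ok" if in_range else f"outside range reported safe ({bound})"
    return verdicts

# Constructed sample: the appc-deployment findings plus a few extra entries.
SAMPLE_DEPENDENCIES = [
    ("httpclient", "4.5"), ("guava", "18.0"), ("shiro-core", "1.3.2"),
    ("commons-beanutils", "1.8.3"), ("netty-handler", "4.1.8.Final"),
    ("netty-handler", "5.0.0.Alpha1"), ("jsch", "0.1.54"), ("bcprov-jdk15on", "1.57"),
    ("slf4j-api", "1.7.25"),  # not covered by the analysis, so it is skipped
]

if __name__ == "__main__":
    for dep, verdict in assess(SAMPLE_DEPENDENCIES).items():
        print(f"{dep}: {verdict}")
```

Feed it the dependency list from the real build (for example from `mvn dependency:list` output) instead of the constructed sample to verify that the upgrades landed.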

Assignee: takamune_cho
Reporter: takamune_cho