Task
Resolution: Done
High
Policy Beijing 2 - 01-24, Policy Beijing 3 - 2-13, Policy Beijing 4 - 3-14
The following security issues have been identified by Nexus IQ Server (tool used by LF) on 2017-12-23. See the attached report - RED Security issues.
- swagger-ui - not used anywhere. Not sure how it is detecting this.
- collections - pulled in from several other dependencies
- springcore - will upgrade to 2.3.3-RELEASE
- io.springfox - will upgrade to 2.8.0
- xstream - will upgrade to 1.4.10
- jackson-databind - will upgrade to 2.9.3
- commons-fileupload - will upgrade to 1.3.3
- maven-model - will upgrade to 3.3.9
- maven-invoker - will upgrade to 3.0.0
Lucene-query-parser is pulled in from the Elasticsearch dependency - I think this is disabled
License issues with: org.owasp.esapi:esapi:jar:2.1.0.1 --> this pulls in xalan, beanutils, xerces
EELF will have to fix qos logback
Portal SDK will have to upgrade:
- bouncy castle
- is blocked by
  - POLICY-620 Downgrading the ONAP-SDK Spring version - Closed
- relates to
  - PORTAL-214 Fix the license issue detected in portal - esapi (org.owasp.esapi) - Closed
1. Upgrade to xacml 1.0.1 | Closed | pdragosh
2. Upgrade dmaap - when their security issues are fixed | Closed | pdragosh
3. Downgrading the ONAP-SDK Spring version | Closed | rb7147