Stephen,

Per your presentation today at the TSC, for Policy we have removed the last 2 
security issues from the codebase.

The code is delivered and I verified that nexus-iq has removed the 
identification of the vulnerability. We are going to do a round of testing 
today to verify functionality is still remaining and then close the JIRAs. I 
will update the wiki when finished.

Thanks,

Pam

From: Stephen Terrill <stephen.terr...@ericsson.com>
Date: Monday, April 2, 2018 at 3:22 PM
To: "DRAGOSH, PAMELA L (PAM)" <pdrag...@research.att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc 
<onap-tsc@lists.onap.org>
Subject: RE: Review of Policy known vulnerability Analysis

Hi Pam,

Thanks for the reply. For the vulnerabilities that remain due to e.g. 
backwards compatibility, can we be clear about the exposure of the risk to ONAP 
in the impact analysis?

BR,

Steve

From: DRAGOSH, PAMELA L (PAM) [mailto:pdrag...@research.att.com]
Sent: Monday, April 02, 2018 1:31 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>
Subject: Re: Review of Policy known vulnerability Analysis

Stephen,

We are introducing a change in functionality that bypasses this code in 
Beijing, but it is a late addition. We will need to support the use of this 
code for backwards compatibility until we can fully vet the new functionality 
works and we can switch to it completely to deprecate the other code. We hope 
that we can test and fix the new functionality over the next few weeks.

Pam


From: Stephen Terrill <stephen.terr...@ericsson.com>
Date: Friday, March 30, 2018 at 3:39 PM
To: "DRAGOSH, PAMELA L (PAM)" <pdrag...@research.att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc 
<onap-tsc@lists.onap.org>
Subject: Review of Policy known vulnerability Analysis

Hi Pam,

I am reviewing the known vulnerability analysis for Policy 
(https://wiki.onap.org/pages/viewpage.action?pageId=25437092), thank you for 
the analysis.


I had a question on “commons-client”, where the text indicates “We are building 
functionality that by-passes the code that uses this dependency into a new 
beijing template for control loops. We are targeting deprecation of the BRMS 
Gateway code in policy/engine over the next release or two”.  Is this something 
that is to be fixed in Beijing?

For Jacksonbind, please look at the example from MSB to assist you in your 
analysis.

BR,

Steve.



STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com<mailto:stephen.terr...@ericsson.com>
www.ericsson.com



_______________________________________________
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc
