Michael, Stephen, I sent you the information privately, as we should not share vulnerabilities publicly. Please only distribute internally to PTL and/or TSC.
Regards,
Alexis

> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare <abhijitk...@gmail.com> wrote:
>
> Thanks Alexis, Stephen and Michael.
>
> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
> Michael, Stephen,
>
> Thank you for the prompt response. I'll get clarification on the vulnerabilities we have identified and will come back to you on the points you mentioned.
>
> Alexis
>
> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt <sk...@redhat.com> wrote:
> >
> > Hi Alexis,
> >
> > On Thu, 6 Dec 2018 17:57:29 +0100 Michael Vorburger <vorbur...@redhat.com> wrote:
> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
> >>>
> >>> Greetings ODL community, TSC,
> >>>
> >>> Within the ONAP community, we're seeking CII badging. For that, we need to eradicate critical vulnerabilities.
> >>>
> >>> A few ONAP projects depend on OpenDaylight artifacts, such as CCSDK, and we're seeing a fair amount of vulnerabilities coming from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM reports that were found in the ODL Oxygen SR3 distribution, documented here: https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The document is high-level information providing only the groupId of the Maven artifact. I don't have permission to see ODL projects in LF Nexus-IQ (https://nexus-iq.wl.linuxfoundation.org), so I can't link reports directly here.
> >>>
> >>> Point is, we would like to know where ODL stands with regard to CII Badging; is that something you're seeking?
> >
> > Not actively, but we do care about fixing vulnerabilities.
> >
> >>> Regardless, we would like to know if ODL is willing to address critical vulnerabilities impacting ONAP?
> >
> > Yes, we are.
> >
> >> I just had a (quick) look at wiki.onap.org, and was wondering if you guys would be willing to help us help you more, by:
> >>
> >> - clarifying details about the vulnerability, like a link to a CVE
> >
> > +1
> >
> >> - first check out Fluorine or even better already Neon; at least some of the Karaf related ones likely are already solved
> >
> > At least, check Oxygen SR4 when it's available. I'm also not entirely sure how the analysis matches up with Oxygen SR3; for example, the version of Guava in SR3 is 23.6.1, which fixes the known vulnerabilities. CLM also flags a number of false positives, e.g. commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
> >
> >> - clarify where you found the artifact... there are (to me) some surprises in your list; e.g. sendgrid or angular, I wouldn't know where that is used by what project in ODL
> >
> > +1
> >
> >> - dedupe your list - it looks a lot longer than it really is, many dupes ;)
> >
> > I think this is because the artifacts aren't fully described: we need the artifactId as well as the groupId, and ideally the version.
> >
> > Regards,
> >
> > Stephen
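The triage Stephen and Michael describe (dedupe by full Maven coordinates, then check whether the shipped version already carries the fix, and flag artifacts the distribution does not ship at all), as an added Python example; it is not ONAP or ODL tooling, and every row, version and CVE id below is constructed sample data, not taken from the CLM report:

```python
import re

# Constructed scanner rows: (groupId, artifactId, reportedVersion, cveId)
FINDINGS = [
    ("com.google.guava", "guava", "18.0", "CVE-EXAMPLE-1"),
    ("com.google.guava", "guava", "18.0", "CVE-EXAMPLE-1"),  # exact duplicate row
    ("commons-fileupload", "commons-fileupload", "1.3.1", "CVE-EXAMPLE-2"),
    ("org.example", "widget", "2.0", "CVE-EXAMPLE-3"),
    ("com.sendgrid", "sendgrid-java", "4.0", "CVE-EXAMPLE-4"),  # nothing ships it
]
# Constructed view of what the distribution actually ships, by (groupId, artifactId)
SHIPPED = {
    ("com.google.guava", "guava"): "23.6.1",
    ("commons-fileupload", "commons-fileupload"): "1.3.3",
    ("org.example", "widget"): "2.0",
}
# Constructed: first version that carries the fix for each placeholder CVE id
FIXED_IN = {"CVE-EXAMPLE-1": "23.6.1", "CVE-EXAMPLE-2": "1.3.3",
            "CVE-EXAMPLE-3": "2.1", "CVE-EXAMPLE-4": "4.2"}


def parse_version(version):
    """Leading numeric parts of a Maven version: '1.3.3-SNAPSHOT' -> (1, 3, 3).
    Assumption: qualifiers can be ignored, which holds for the sample data."""
    nums = []
    for tok in re.split(r"[.\-]", version):
        if not tok.isdigit():
            break
        nums.append(int(tok))
    return tuple(nums)


def dedupe(findings):
    """One row per full coordinate + CVE; the groupId alone is not a usable key."""
    return sorted(set(findings))


def triage(findings, shipped=SHIPPED, fixed_in=FIXED_IN):
    """Verdict per CVE: false-positive (shipped >= fix), open, or not-shipped."""
    verdicts = {}
    for group, artifact, _reported, cve in dedupe(findings):
        shipped_v, fix_v = shipped.get((group, artifact)), fixed_in.get(cve)
        if shipped_v is None:
            verdicts[cve] = "not-shipped: find out which project pulls it in"
        elif fix_v is not None and parse_version(shipped_v) >= parse_version(fix_v):
            verdicts[cve] = "false-positive: shipped %s >= fixed %s" % (shipped_v, fix_v)
        else:
            verdicts[cve] = "open: shipped %s, fix in %s" % (shipped_v, fix_v)
    return verdicts
```

Running `triage(FINDINGS)` on the sample collapses the five rows to four unique findings and marks the two already-fixed ones as false positives, leaving one open item and one artifact to trace back to whichever project pulls it in.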