Hey Brian,

Robert replied. If you didn't see it, it's likely it bounced because he's
not subscribed to ONAP's TSC list.

Copied below:

----------------

Hello Alexis,

I have finally found the report and it contains quite a few issues, so it's
hard to break them down.

First of all, I don't believe the list of issues flagged as coming from
OpenDaylight is accurate, as I compared the artifacts we shipped in
karaf-0.8.3.

We also did not ship netty-4.0.30, we shipped 4.1.22.

We did not ship the following artifacts at all:
commons-fileupload
artemis-commons
faces-impl
sendgrid-java
netty-4.0.30 -- we shipped 4.1.22.Final

I could not find a public repository for the SONATYPE advisories -- does
anyone have a pointer? Without that I cannot evaluate them...

We have upgraded org.bouncycastle in Oxygen SR4, so at least those two
CVEs have been fixed.

Finally, it seems that quite a few issues are affecting
ccsdk/distribution, which are coming from ODL projects like TSDR, SXP
and similar. I am not sure whether ONAP really uses them, so it may be
worthwhile to take a look at how the distribution is assembled.

Regards,
Robert

----------------

Thanks,
Daniel
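Robert's check above (comparing the flagged artifacts against what karaf-0.8.3 actually ships) and Stephen Kitt's request further down the thread (full groupId:artifactId:version per finding, deduplicated) are the kind of reconciliation a short script can do before anyone spends time on a report. The following is an added example, not code from this thread or from ONAP/OpenDaylight. It assumes the Karaf distribution keeps its bundles under system/ in Maven repository layout; the jar paths, finding rows and "finding-N" identifiers are constructed for illustration, and the version numbers in them are not claims about any real scan.

```python
"""Reconcile a dependency-scan finding list against what a Karaf distribution
actually ships.

Added example, not code from this thread or from ONAP/OpenDaylight. It assumes
the Karaf distribution keeps its bundles under system/ in Maven repository
layout:
    system/<groupId with '/' for '.'>/<artifactId>/<version>/<artifactId>-<version>.jar
The sample jar paths and findings below are constructed for illustration.
"""
import re
import zipfile
from collections import defaultdict

# A bundle jar inside the distribution, in Maven repository layout.
_JAR_RE = re.compile(
    r"(?:^|/)system/(?P<group>.+?)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P=artifact)-(?P=version)\.jar$"
)


def gav_from_path(path):
    """Return (groupId, artifactId, version) for a system/ jar path, else None."""
    m = _JAR_RE.search(path)
    if not m:
        return None
    return m.group("group").replace("/", "."), m.group("artifact"), m.group("version")


def inventory(paths):
    """Map (groupId, artifactId) -> set of versions found among the paths."""
    shipped = defaultdict(set)
    for path in paths:
        gav = gav_from_path(path)
        if gav:
            shipped[(gav[0], gav[1])].add(gav[2])
    return dict(shipped)


def inventory_from_zip(zip_path):
    """Build the inventory straight from a distribution archive."""
    with zipfile.ZipFile(zip_path) as zf:
        return inventory(zf.namelist())


def reconcile(findings, shipped):
    """Classify scanner findings against the shipped inventory.

    Each finding is a dict with groupId, artifactId, version and issue keys
    (missing values may be None). Duplicate rows are collapsed. Returns a
    dict of category -> list of (groupId, artifactId, version, issue):
      incomplete        no artifactId, so the finding cannot be evaluated
      not_shipped       no jar with that groupId:artifactId in the distribution
      version_mismatch  shipped, but at a different version than flagged
      confirmed         shipped at the flagged version (or no version given)
    """
    result = {"incomplete": [], "not_shipped": [],
              "version_mismatch": [], "confirmed": []}
    seen = set()
    for f in findings:
        key = (f.get("groupId"), f.get("artifactId"), f.get("version"), f.get("issue"))
        if key in seen:          # dedupe identical rows
            continue
        seen.add(key)
        group, artifact, version, _issue = key
        if not artifact:
            result["incomplete"].append(key)
            continue
        versions = shipped.get((group, artifact))
        if not versions:
            result["not_shipped"].append(key)
        elif version is not None and version not in versions:
            result["version_mismatch"].append(key)
        else:
            result["confirmed"].append(key)
    return result


# Constructed sample data (not a real distribution listing or scan report).
SAMPLE_JARS = [
    "karaf-0.8.3/bin/karaf",
    "karaf-0.8.3/system/io/netty/netty-handler/4.1.22.Final/netty-handler-4.1.22.Final.jar",
    "karaf-0.8.3/system/org/example/example-lib/1.0.0/example-lib-1.0.0.jar",
]
SAMPLE_FINDINGS = [
    {"groupId": "io.netty", "artifactId": "netty-handler", "version": "4.0.30.Final", "issue": "finding-1"},
    {"groupId": "io.netty", "artifactId": "netty-handler", "version": "4.0.30.Final", "issue": "finding-1"},
    {"groupId": "commons-fileupload", "artifactId": "commons-fileupload", "version": "1.3.2", "issue": "finding-2"},
    {"groupId": "com.sendgrid", "artifactId": None, "version": None, "issue": "finding-3"},
    {"groupId": "org.example", "artifactId": "example-lib", "version": "1.0.0", "issue": "finding-4"},
]

if __name__ == "__main__":
    res = reconcile(SAMPLE_FINDINGS, inventory(SAMPLE_JARS))
    for category, rows in res.items():
        for group, artifact, version, issue in rows:
            print(f"{category:16} {issue}: {group}:{artifact}:{version}")
```

For a real distribution, call inventory_from_zip() on the downloaded archive instead of the constructed SAMPLE_JARS. Findings that land in "incomplete" are exactly the ones a scanner export with only the groupId produces, which is why the request for artifactId and version matters; "confirmed" entries are the only ones worth opening an upstream issue for, and "not_shipped" entries should be traced back to whichever part of the downstream distribution actually pulls them in.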

On Tue, Jan 22, 2019 at 3:30 PM Brian <bf1...@att.com> wrote:

> Alexis,
>
> Did you get a reply?
>
> Brian
>
> *From:* onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> *On Behalf Of 
> *Alexis
> de Talhouet
> *Sent:* Thursday, January 10, 2019 1:34 PM
> *To:* Luke Hinds <lhi...@redhat.com>
> *Cc:* Michael Vorburger <vorbur...@redhat.com>; Stephen Kitt <
> sk...@redhat.com>; <t...@lists.opendaylight.org> <
> t...@lists.opendaylight.org>; Stephen Terrill <stephen.terr...@ericsson.com>;
> onap-tsc@lists.onap.org
>
> *Subject:* Re: [OpenDaylight TSC] [onap-tsc] CII Badging - Vulnerabilities
>
> Luke, all
>
> Following up on this. What is the current status?
>
> Regards,
>
> Alexis
>
> On Dec 10, 2018, at 8:13 AM, Luke Hinds <lhi...@redhat.com> wrote:
>
> Hi Alexis,
>
> We can see your email and you will see replies as your email will be in
> the reply-all list. A reply is still pending, but it's on our desk so to
> speak.
>
> I discussed this with Stephen this morning and a reply will follow.
> Initial analysis shows that a good number of false positives are reported.
>
> Regards,
>
> Luke
>
> On Mon, Dec 10, 2018 at 1:10 PM Alexis de Talhouët <
> adetalhoue...@gmail.com> wrote:
>
>
> Everyone, Daniel,
>
> So I did send the mail to the ODL security list, but the message is getting
> held waiting for “moderator approval”:
>
> Your mail to 'security' with the subject
>
>    CII Badging - Vulnerabilities
>
> Is being held until the list moderator can review it for approval.
>
> The reason it is being held:
>
>    Post by non-member to a members-only list
>
> I don’t know if this is intended or not, but as there is no way to
> register to such a list I’m wondering if I missed something...
>
> *Stephen T*, in this case, I’m following ODL process as I’m reporting
> vulnerabilities to their project; vulnerabilities we have identified within
> ONAP as part of the CII Badging requirement.
>
> Regards,
>
> Alexis
>
>
> On Dec 10, 2018, at 6:44 AM, Michael Vorburger <vorbur...@redhat.com>
> wrote:
>
> Hello everyone,
>
> It's great to see that we do have a working formal security vulnerability
> disclosure process in place in ODL.
>
> I'll therefore let the members of that structure deal with this. If I can
> be of any help for anything specific, please reach out to me.
>
> Tx,
>
> M.
>
> --
>
> Michael Vorburger, Red Hat
> vorbur...@redhat.com | IRC: vorburger @freenode | ~ = http://vorburger.ch
>
> On Sun, Dec 9, 2018 at 2:52 AM Stephen Terrill <
> stephen.terr...@ericsson.com> wrote:
>
> Hi,
>
> Thanks. This may be a good opportunity to point to this wiki for this
> process: https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management
>
> This will be a good opportunity to test it out.
>
> BR,
>
> Steve
>
> *From:* onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> *On Behalf Of *Kenny
> Paul
> *Sent:* Friday 7 December 2018 22:15
> *To:* onap-tsc@lists.onap.org; Daniel Farrell <dfarr...@redhat.com>
> *Cc:* Abhijit Kumbhare <abhijitk...@gmail.com>; <
> t...@lists.opendaylight.org> <t...@lists.opendaylight.org>
> *Subject:* Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities
>
> Perfect! Thanks Daniel!
>
> Thanks!
>
> -kenny
>
> *From: *<onap-tsc@lists.onap.org> on behalf of Alexis de Talhouet <
> adetalhoue...@gmail.com>
> *Reply-To: *<onap-tsc@lists.onap.org>
> *Date: *Friday, December 7, 2018 at 12:58 PM
> *To: *Daniel Farrell <dfarr...@redhat.com>
> *Cc: *Abhijit Kumbhare <abhijitk...@gmail.com>, "<
> t...@lists.opendaylight.org>" <t...@lists.opendaylight.org>, <
> ONAP-TSC@lists.onap.org>
> *Subject: *Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities
>
> Awesome. Thank you for the reminder Daniel. I’ll loop in that list.
>
> Regards,
>
> Alexis
>
> On Dec 7, 2018, at 3:56 PM, Daniel Farrell <dfarr...@redhat.com> wrote:
>
> No, this list is exactly meant for this type of secret information. It's
> the group of people the TSC has appointed as trusted to handle security
> issues. They will follow all the normal security embargo best practices.
>
> Thanks,
>
> Daniel
>
> On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët <adetalhoue...@gmail.com>
> wrote:
>
> Daniel,
>
> Is the content of information provided through that mailing list publicly
> available? If yes, then I can’t provide the information to that list, as we
> don’t want to share publicly the vulnerabilities.
>
> Alexis
>
> On Dec 7, 2018, at 3:50 PM, Daniel Farrell <dfarr...@redhat.com> wrote:
>
> Hey Alexis,
>
> Reminder that we have a security response team that's meant to handle
> these types of things. Stephen is on the security response team, but you
> might still be better off sharing with that group vs Stephen and Michael
> directly. We asked for these details to be sent to that list months ago
> when ONAP folks first mentioned these scanning issues, but last time I
> talked to Stephen about it they still hadn't been sent.
>
> secur...@lists.opendaylight.org
>
> We appreciate ONAP working with us to make sure we're the best upstream we
> can be. Looking forward to benefiting both projects by working together
> more closely.
>
> Daniel
>
> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët <adetalhoue...@gmail.com>
> wrote:
>
> Michael, Stephen,
>
> I sent you the information privately, as we should not share
> vulnerabilities publicly.
>
> Please only distribute internally to PTL and/or TSC.
>
> Regards,
>
> Alexis
>
> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare <abhijitk...@gmail.com>
> wrote:
>
> Thanks Alexis, Stephen and Michael.
>
> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <
> adetalhoue...@gmail.com> wrote:
>
> Michael, Stephen,
>
> Thank you for prompt response. I’ll get clarification on the
> vulnerabilities we have identified and will come back to you on the points
> you mentioned.
>
> Alexis
>
> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt <sk...@redhat.com> wrote:
> >
> > Hi Alexis,
> >
> > On Thu, 6 Dec 2018 17:57:29 +0100
> > Michael Vorburger <vorbur...@redhat.com> wrote:
> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
> >>> <adetalhoue...@gmail.com> wrote:
> >>>
> >>> Greeting ODL community, TSC,
> >>>
> >>> Within the ONAP community, we’re seeking CII badging. For that, we
> >>> need to eradicate critical vulnerabilities.
> >>>
> >>> Few ONAP projects are depending on OpenDaylight artifacts, such as
> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
> >>> reports that were found in the ODL Oxygen SR3 distribution,
> >>> documented here
> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
> >>> document is high level information providing only the groupId of
> >>> the maven artifact. I don’t have permission to see ODL projects in
> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
> >>> link directly reports here.
> >>>
> >>> Point is, we would like to know where ODL stands with regards to CII
> >>> Badging; is that something you’re seeking?
> >
> > Not actively, but we do care about fixing vulnerabilities.
> >
> >>> Regardless, we would like to know if ODL is willing to address
> >>> critical vulnerabilities impacting ONAP?
> >
> > Yes, we are.
> >
> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
> >> guys would be willing to help us help you more, by:
> >>
> >> - clarifying details about the vulnerability, like a link to a CVE
> >
> > +1
> >
> >> - first check out Fluorine or even better already Neon; at least some
> >> of the Karaf related ones likely are already solved
> >
> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
> > sure how the analysis matches up with Oxygen SR3; for example, the
> > version of Guava in SR3 is 23.6.1, which fixes the known
> > vulnerabilities. CLM also flags a number of false positives, e.g.
> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
> >
> >> - clarify where you found the artifact... there are (to me) some
> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
> >> where that is used by what project in ODL
> >
> > +1
> >
> >> - dedupe your list - it looks a lot longer than it really is, many
> >> dupes ;)
> >
> > I think this is because the artifacts aren’t fully described: we need
> > the artifactId as well as the groupId, and ideally the version.
> >
> > Regards,
> >
> > Stephen
>
> _______________________________________________
> TSC mailing list
> t...@lists.opendaylight.org
> https://lists.opendaylight.org/mailman/listinfo/tsc
>
> --
>
> Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483

View/Reply Online (#4506): https://lists.onap.org/g/onap-tsc/message/4506