Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-08 Thread Stephen Terrill
Hi,

Thanks. This may be a good opportunity to point to this wiki for this process:
https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management

This will be a good opportunity to test it out.

BR,

Steve

From: onap-tsc@lists.onap.org On Behalf Of Kenny Paul
Sent: Friday 7 December 2018 22:15
To: onap-tsc@lists.onap.org; Daniel Farrell
Cc: Abhijit Kumbhare

Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Perfect! Thanks Daniel!

Thanks!
-kenny


From: onap-tsc@lists.onap.org on behalf of Alexis de Talhouet <adetalhoue...@gmail.com>
Reply-To: onap-tsc@lists.onap.org
Date: Friday, December 7, 2018 at 12:58 PM
To: Daniel Farrell <dfarr...@redhat.com>
Cc: Abhijit Kumbhare <abhijitk...@gmail.com>, t...@lists.opendaylight.org, ONAP-TSC@lists.onap.org
Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Awesome. Thank you for the reminder Daniel. I’ll loop in that list.

Regards,
Alexis

On Dec 7, 2018, at 3:56 PM, Daniel Farrell <dfarr...@redhat.com> wrote:

No, this list is exactly meant for this type of secret information. It's the 
group of people the TSC has appointed as trusted to handle security issues. 
They will follow all the normal security embargo best practices.

Thanks,
Daniel
On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Daniel,

Is the content of information provided through that mailing list publicly 
available? If yes, then I can’t provide the information to that list, as we 
don’t want to share publicly the vulnerabilities.

Alexis


On Dec 7, 2018, at 3:50 PM, Daniel Farrell <dfarr...@redhat.com> wrote:

Hey Alexis,

Reminder that we have a security response team that's meant to handle these 
types of things. Stephen is on the security response team, but you might still 
be better off sharing with that group vs Stephen and Michael directly. We asked 
for these details to be sent to that list months ago when ONAP folks first 
mentioned these scanning issues, but last time I talked to Stephen about it 
they still hadn't been sent.

secur...@lists.opendaylight.org

We appreciate ONAP working with us to make sure we're the best upstream we can 
be. Looking forward to benefiting both projects by working together more 
closely.

Daniel

On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Michael, Stephen,

I sent you the information privately, as we should not share vulnerabilities 
publicly.
Please only distribute internally to PTL and/or TSC.

Regards,
Alexis

On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare <abhijitk...@gmail.com> wrote:

Thanks Alexis, Stephen and Michael.
On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Michael, Stephen,

Thank you for the prompt response. I’ll get clarification on the vulnerabilities we 
have identified and will come back to you on the points you mentioned.

Alexis

> On Dec 6, 2018, at 1:06 PM, Stephen Kitt <sk...@redhat.com> wrote:
>
> Hi Alexis,
>
> On Thu, 6 Dec 2018 17:57:29 +0100
> Michael Vorburger <vorbur...@redhat.com> wrote:
>>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>>> <adetalhoue...@gmail.com> wrote:
>>>
>>> Greetings ODL community, TSC,
>>>
>>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> need to eradicate critical vulnerabilities.
>>>
>>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> reports that were found in the ODL Oxygen SR3 distribution,
>>> documented here
>>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> document is high-level information, providing only the groupId of
>>> the maven artifact. I don’t have permission to see ODL projects in
>>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> link the reports directly here.
>>>
>>> Point is, we would like to know where ODL stands with regards to CII
>>> Badging; is that something you’re seeking?
>
> Not actively, but we do care about fixing vulnerabilities.
>
>>> Regardless, we would like to know if ODL is willing to address
>>> critical vulnerabilities impacting ONAP?
>
> Yes, we are.
>
> >> I just had a (quick) look at wiki.onap.org,

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Kenny Paul
Perfect! Thanks Daniel!

Thanks!
-kenny

From: onap-tsc@lists.onap.org on behalf of Alexis de Talhouet
Reply-To: onap-tsc@lists.onap.org
Date: Friday, December 7, 2018 at 12:58 PM
To: Daniel Farrell
Cc: Abhijit Kumbhare, t...@lists.opendaylight.org, ONAP-TSC@lists.onap.org
Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Awesome. Thank you for the reminder Daniel. I’ll loop in that list.

Regards,
Alexis

On Dec 7, 2018, at 3:56 PM, Daniel Farrell wrote:

No, this list is exactly meant for this type of secret information. It's the 
group of people the TSC has appointed as trusted to handle security issues. 
They will follow all the normal security embargo best practices.

Thanks,
Daniel

On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët wrote:

Daniel,

Is the content of information provided through that mailing list publicly 
available? If yes, then I can’t provide the information to that list, as we 
don’t want to share publicly the vulnerabilities.

Alexis

On Dec 7, 2018, at 3:50 PM, Daniel Farrell wrote:

Hey Alexis,

Reminder that we have a security response team that's meant to handle these 
types of things. Stephen is on the security response team, but you might still 
be better off sharing with that group vs Stephen and Michael directly. We asked 
for these details to be sent to that list months ago when ONAP folks first 
mentioned these scanning issues, but last time I talked to Stephen about it 
they still hadn't been sent.

secur...@lists.opendaylight.org

We appreciate ONAP working with us to make sure we're the best upstream we can 
be. Looking forward to benefiting both projects by working together more 
closely.

Daniel

On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët wrote:

Michael, Stephen,

I sent you the information privately, as we should not share vulnerabilities 
publicly.
Please only distribute internally to PTL and/or TSC.

Regards,
Alexis

On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare wrote:

Thanks Alexis, Stephen and Michael.

On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët wrote:

Michael, Stephen,

Thank you for the prompt response. I’ll get clarification on the vulnerabilities we 
have identified and will come back to you on the points you mentioned.

Alexis

> On Dec 6, 2018, at 1:06 PM, Stephen Kitt  wrote:
> 
> Hi Alexis,
> 
> On Thu, 6 Dec 2018 17:57:29 +0100
> Michael Vorburger  wrote:
>>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>>>  wrote:
>>> 
>>> Greetings ODL community, TSC,
>>> 
>>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> need to eradicate critical vulnerabilities.
>>> 
>>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> reports that were found in the ODL Oxygen SR3 distribution,
>>> documented here
>>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> document is high-level information, providing only the groupId of
>>> the maven artifact. I don’t have permission to see ODL projects in
>>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> link the reports directly here.
>>> 
>>> Point is, we would like to know where ODL stands with regards to CII
>>> Badging; is that something you’re seeking?
> 
> Not actively, but we do care about fixing vulnerabilities.
> 
>>> Regardless, we would like to know if ODL is willing to address
>>> critical vulnerabilities impacting ONAP?
> 
> Yes, we are.
> 
>> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> guys would be willing to help us help you more, by:
>> 
>> - clarifying details about the vulnerability, like a link to a CVE
> 
> +1
> 
>> - first check out Fluorine or even better already Neon; at least some
>> of the Karaf related ones likely are already solved
> 
> At least, check Oxygen SR4 when it’s available. I’m also not entirely
> sure how the analysis matches up with Oxygen SR3; for example, the
> version of Guava in SR3 is 23.6.1, which fixes the known
> vulnerabilities. CLM also flags a number of false positives, e.g.
> commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
> 
>> - clarify where you found the artifact... there are (to me) some
>> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> where that is used by what project in ODL
> 
> +1
> 
>> - dedupe your list - it looks a lot longer than it really is, many
>> dupes ;)
> 
> I think this is because the artifacts aren’t fully described: we need
> the artifactId as well as the groupId, and ideally the version.
> 
&

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Daniel Farrell
Great, thanks Alexis.

FYI, there are some details in the relevant docs:

https://www.opendaylight.org/technical-community/security

Thanks,
Daniel

On Fri, Dec 7, 2018 at 9:58 PM Alexis de Talhouët 
wrote:

> Awesome. Thank you for the reminder Daniel. I’ll loop in that list.
>
> Regards,
> Alexis
>
>
> On Dec 7, 2018, at 3:56 PM, Daniel Farrell  wrote:
>
> No, this list is exactly meant for this type of secret information. It's
> the group of people the TSC has appointed as trusted to handle security
> issues. They will follow all the normal security embargo best practices.
>
> Thanks,
> Daniel
>
> On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët 
> wrote:
>
>> Daniel,
>>
>> Is the content of information provided through that mailing list publicly
>> available? If yes, then I can’t provide the information to that list, as we
>> don’t want to share publicly the vulnerabilities.
>>
>> Alexis
>>
>>
>> On Dec 7, 2018, at 3:50 PM, Daniel Farrell  wrote:
>>
>> Hey Alexis,
>>
>> Reminder that we have a security response team that's meant to handle
>> these types of things. Stephen is on the security response team, but you
>> might still be better off sharing with that group vs Stephen and Michael
>> directly. We asked for these details to be sent to that list months ago
>> when ONAP folks first mentioned these scanning issues, but last time I
>> talked to Stephen about it they still hadn't been sent.
>>
>> secur...@lists.opendaylight.org
>>
>> We appreciate ONAP working with us to make sure we're the best upstream
>> we can be. Looking forward to benefiting both projects by working together
>> more closely.
>>
>> Daniel
>>
>> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>
>>> Michael, Stephen,
>>>
>>> I sent you the information privately, as we should not share
>>> vulnerabilities publicly.
>>> Please only distribute internally to PTL and/or TSC.
>>>
>>> Regards,
>>> Alexis
>>>
>>> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare 
>>> wrote:
>>>
>>> Thanks Alexis, Stephen and Michael.
>>>
>>> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>>
 Michael, Stephen,

 Thank you for the prompt response. I’ll get clarification on the
 vulnerabilities we have identified and will come back to you on the points
 you mentioned.

 Alexis

 > On Dec 6, 2018, at 1:06 PM, Stephen Kitt  wrote:
 >
 > Hi Alexis,
 >
 > On Thu, 6 Dec 2018 17:57:29 +0100
 > Michael Vorburger  wrote:
 >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
 >>>  wrote:
 >>>
 >>> Greetings ODL community, TSC,
 >>>
 >>> Within the ONAP community, we’re seeking CII badging. For that, we
 >>> need to eradicate critical vulnerabilities.
 >>>
 >>> A few ONAP projects depend on OpenDaylight artifacts, such as
 >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
 >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
 >>> reports that were found in the ODL Oxygen SR3 distribution,
 >>> documented here
 >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
 >>> document is high-level information, providing only the groupId of
 >>> the maven artifact. I don’t have permission to see ODL projects in
 >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
 >>> link the reports directly here.
 >>>
 >>> Point is, we would like to know where ODL stands with regards to CII
 >>> Badging; is that something you’re seeking?
 >
 > Not actively, but we do care about fixing vulnerabilities.
 >
 >>> Regardless, we would like to know if ODL is willing to address
 >>> critical vulnerabilities impacting ONAP?
 >
 > Yes, we are.
 >
 >> I just had a (quick) look at wiki.onap.org, and was wondering if you
 >> guys would be willing to help us help you more, by:
 >>
 >> - clarifying details about the vulnerability, like a link to a CVE
 >
 > +1
 >
 >> - first check out Fluorine or even better already Neon; at least some
 >> of the Karaf related ones likely are already solved
 >
 > At least, check Oxygen SR4 when it’s available. I’m also not entirely
 > sure how the analysis matches up with Oxygen SR3; for example, the
 > version of Guava in SR3 is 23.6.1, which fixes the known
 > vulnerabilities. CLM also flags a number of false positives, e.g.
 > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
 >
 >> - clarify where you found the artifact... there are (to me) some
 >> surprises in your list; e.g. sendgrid or angular I wouldn't know
 >> where that is used by what project in ODL
 >
 > +1
 >
 >> - dedupe your list - it looks a lot longer than it really is, many
 >> dupes ;)
 >
 > I think this is because the artifacts aren’t fully described: we need
 > the artifactId as 

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Daniel Farrell
No, this list is exactly meant for this type of secret information. It's
the group of people the TSC has appointed as trusted to handle security
issues. They will follow all the normal security embargo best practices.

Thanks,
Daniel

On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët 
wrote:

> Daniel,
>
> Is the content of information provided through that mailing list publicly
> available? If yes, then I can’t provide the information to that list, as we
> don’t want to share publicly the vulnerabilities.
>
> Alexis
>
>
> On Dec 7, 2018, at 3:50 PM, Daniel Farrell  wrote:
>
> Hey Alexis,
>
> Reminder that we have a security response team that's meant to handle
> these types of things. Stephen is on the security response team, but you
> might still be better off sharing with that group vs Stephen and Michael
> directly. We asked for these details to be sent to that list months ago
> when ONAP folks first mentioned these scanning issues, but last time I
> talked to Stephen about it they still hadn't been sent.
>
> secur...@lists.opendaylight.org
>
> We appreciate ONAP working with us to make sure we're the best upstream we
> can be. Looking forward to benefiting both projects by working together
> more closely.
>
> Daniel
>
> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët 
> wrote:
>
>> Michael, Stephen,
>>
>> I sent you the information privately, as we should not share
>> vulnerabilities publicly.
>> Please only distribute internally to PTL and/or TSC.
>>
>> Regards,
>> Alexis
>>
>> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare 
>> wrote:
>>
>> Thanks Alexis, Stephen and Michael.
>>
>> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>
>>> Michael, Stephen,
>>>
>>> Thank you for the prompt response. I’ll get clarification on the
>>> vulnerabilities we have identified and will come back to you on the points
>>> you mentioned.
>>>
>>> Alexis
>>>
>>> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt  wrote:
>>> >
>>> > Hi Alexis,
>>> >
>>> > On Thu, 6 Dec 2018 17:57:29 +0100
>>> > Michael Vorburger  wrote:
>>> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>>> >>>  wrote:
>>> >>>
>>> >>> Greetings ODL community, TSC,
>>> >>>
>>> >>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> >>> need to eradicate critical vulnerabilities.
>>> >>>
>>> >>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> >>> reports that were found in the ODL Oxygen SR3 distribution,
>>> >>> documented here
>>> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> >>> document is high-level information, providing only the groupId of
>>> >>> the maven artifact. I don’t have permission to see ODL projects in
>>> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> >>> link the reports directly here.
>>> >>>
>>> >>> Point is, we would like to know where ODL stands with regards to CII
>>> >>> Badging; is that something you’re seeking?
>>> >
>>> > Not actively, but we do care about fixing vulnerabilities.
>>> >
>>> >>> Regardless, we would like to know if ODL is willing to address
>>> >>> critical vulnerabilities impacting ONAP?
>>> >
>>> > Yes, we are.
>>> >
>>> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
>>> >> guys would be willing to help us help you more, by:
>>> >>
>>> >> - clarifying details about the vulnerability, like a link to a CVE
>>> >
>>> > +1
>>> >
>>> >> - first check out Fluorine or even better already Neon; at least some
>>> >> of the Karaf related ones likely are already solved
>>> >
>>> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
>>> > sure how the analysis matches up with Oxygen SR3; for example, the
>>> > version of Guava in SR3 is 23.6.1, which fixes the known
>>> > vulnerabilities. CLM also flags a number of false positives, e.g.
>>> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>>> >
>>> >> - clarify where you found the artifact... there are (to me) some
>>> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
>>> >> where that is used by what project in ODL
>>> >
>>> > +1
>>> >
>>> >> - dedupe your list - it looks a lot longer than it really is, many
>>> >> dupes ;)
>>> >
>>> > I think this is because the artifacts aren’t fully described: we need
>>> > the artifactId as well as the groupId, and ideally the version.
>>> >
>>> > Regards,
>>> >
>>> > Stephen
>>>
>>> ___
>>> TSC mailing list
>>> t...@lists.opendaylight.org
>>> https://lists.opendaylight.org/mailman/listinfo/tsc
>>>
>>
>> ___
>> TSC mailing list
>> t...@lists.opendaylight.org
>> https://lists.opendaylight.org/mailman/listinfo/tsc
>>
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online 
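Stephen's triage advice in the quoted reply above, that findings need artifactId and version before they can be deduplicated, and that a CLM flag has to be checked against the version the distribution actually ships, as an added Python example that is not from this thread or from either project. The report lines, the fixed-in versions and every BOM entry except the two Oxygen SR3 versions quoted in the thread (Guava 23.6.1, commons-fileupload 1.3.3) are constructed placeholders.

```python
# Triage dependency-scan (CLM) findings against what a distribution really ships.
# Constructed example: REPORT, FIXED_IN and all BOM entries except the two SR3
# versions quoted in the thread are placeholders, not real scan output.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GA = Tuple[str, str]  # (groupId, artifactId)

@dataclass
class Finding:
    key: str                      # "groupId:artifactId", or the bare groupId if unresolved
    status: str                   # incomplete | not_in_distribution | likely_fixed | actionable
    count: int                    # report lines collapsed into this finding
    reported_versions: List[str]  # versions the scanner claimed, if any
    shipped: Optional[str] = None
    fixed_in: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def parse_coordinate(text: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Accept 'groupId', 'groupId:artifactId' or 'groupId:artifactId:version'."""
    parts: List[Optional[str]] = [p.strip() for p in text.strip().split(":")]
    if not parts[0] or len(parts) > 3:
        raise ValueError(f"bad Maven coordinate: {text!r}")
    parts += [None] * (3 - len(parts))
    return parts[0], parts[1] or None, parts[2] or None

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for Maven-style versions: '23.6.1-jre' -> (23, 6, 1); qualifiers ignored."""
    nums = re.findall(r"\d+", version.split("-", 1)[0])
    return tuple(int(n) for n in nums) if nums else (0,)

def resolve_artifact(group_id: str, bom: Dict[GA, str]) -> Optional[str]:
    """A groupId-only entry is usable only if the distribution ships exactly one artifact of that group."""
    candidates = [a for (g, a) in bom if g == group_id]
    return candidates[0] if len(candidates) == 1 else None

def triage(report: List[str], bom: Dict[GA, str], fixed_in: Dict[GA, str]) -> Dict[str, Finding]:
    # Stage 1: collapse duplicate report lines onto (groupId, artifactId). Entries that
    # carry only a groupId are resolved against the BOM where that is unambiguous.
    grouped: Dict[Tuple[str, Optional[str]], List[Optional[str]]] = defaultdict(list)
    for line in report:
        g, a, v = parse_coordinate(line)
        grouped[(g, a if a is not None else resolve_artifact(g, bom))].append(v)

    # Stage 2: classify each deduplicated entry against shipped and fixed-in versions.
    findings: Dict[str, Finding] = {}
    for (g, a), versions in grouped.items():
        reported = sorted({v for v in versions if v})
        key = f"{g}:{a}" if a else g
        f = Finding(key=key, status="", count=len(versions), reported_versions=reported)
        if a is None:
            in_group = sum(1 for (bg, _) in bom if bg == g)
            f.status = "not_in_distribution" if in_group == 0 else "incomplete"
            if in_group:
                f.notes.append(f"{in_group} artifacts in group; artifactId needed")
        elif (g, a) not in bom:
            f.status = "not_in_distribution"
        else:
            f.shipped, f.fixed_in = bom[(g, a)], fixed_in.get((g, a))
            for rv in reported:
                if rv != f.shipped:
                    f.notes.append(f"scanner reported {rv}, distribution ships {f.shipped}")
            # Without a known fixed-in version the finding stays actionable (conservative).
            if f.fixed_in and version_key(f.shipped) >= version_key(f.fixed_in):
                f.status = "likely_fixed"
            else:
                f.status = "actionable"
        findings[key] = f
    return findings

# Constructed sample input (placeholders, not a real CLM export).
REPORT = [
    "com.google.guava",                            # groupId only, listed twice
    "com.google.guava",
    "com.google.guava:guava:23.0",                 # same artifact, version claimed by scanner
    "commons-fileupload:commons-fileupload:1.3.2",
    "org.example:legacy-lib:1.0",
    "org.example",                                 # ambiguous: two artifacts in this group
    "com.sendgrid",                                # not shipped by the distribution at all
]
# Shipped versions; Guava 23.6.1 and commons-fileupload 1.3.3 are the SR3 versions quoted in the thread.
BOM = {
    ("com.google.guava", "guava"): "23.6.1",
    ("commons-fileupload", "commons-fileupload"): "1.3.3",
    ("org.example", "legacy-lib"): "1.0",
    ("org.example", "other-lib"): "2.0",
}
# First fixed versions: the first two as stated in the thread (not verified here), the third a placeholder.
FIXED_IN = {
    ("com.google.guava", "guava"): "23.6.1",
    ("commons-fileupload", "commons-fileupload"): "1.3.3",
    ("org.example", "legacy-lib"): "1.1",
}

if __name__ == "__main__":
    for f in triage(REPORT, BOM, FIXED_IN).values():
        print(f"{f.status:20} {f.key} x{f.count}  {'; '.join(f.notes)}")
```

The three groupId-only and full Guava lines collapse into one finding, and the entries the distribution ships at or above the fixed-in version are bucketed as likely false positives rather than dropped, so the reasoning stays visible in the notes.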

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Daniel Farrell
Hey Alexis,

Reminder that we have a security response team that's meant to handle these
types of things. Stephen is on the security response team, but you might
still be better off sharing with that group vs Stephen and Michael
directly. We asked for these details to be sent to that list months ago
when ONAP folks first mentioned these scanning issues, but last time I
talked to Stephen about it they still hadn't been sent.

secur...@lists.opendaylight.org

We appreciate ONAP working with us to make sure we're the best upstream we
can be. Looking forward to benefiting both projects by working together
more closely.

Daniel

On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët 
wrote:

> Michael, Stephen,
>
> I sent you the information privately, as we should not share
> vulnerabilities publicly.
> Please only distribute internally to PTL and/or TSC.
>
> Regards,
> Alexis
>
> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare 
> wrote:
>
> Thanks Alexis, Stephen and Michael.
>
> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>
>> Michael, Stephen,
>>
>> Thank you for the prompt response. I’ll get clarification on the
>> vulnerabilities we have identified and will come back to you on the points
>> you mentioned.
>>
>> Alexis
>>
>> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt  wrote:
>> >
>> > Hi Alexis,
>> >
>> > On Thu, 6 Dec 2018 17:57:29 +0100
>> > Michael Vorburger  wrote:
>> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>> >>>  wrote:
>> >>>
>> >>> Greetings ODL community, TSC,
>> >>>
>> >>> Within the ONAP community, we’re seeking CII badging. For that, we
>> >>> need to eradicate critical vulnerabilities.
>> >>>
>> >>> A few ONAP projects depend on OpenDaylight artifacts, such as
>> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>> >>> reports that were found in the ODL Oxygen SR3 distribution,
>> >>> documented here
>> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>> >>> document is high-level information, providing only the groupId of
>> >>> the maven artifact. I don’t have permission to see ODL projects in
>> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>> >>> link the reports directly here.
>> >>>
>> >>> Point is, we would like to know where ODL stands with regards to CII
>> >>> Badging; is that something you’re seeking?
>> >
>> > Not actively, but we do care about fixing vulnerabilities.
>> >
>> >>> Regardless, we would like to know if ODL is willing to address
>> >>> critical vulnerabilities impacting ONAP?
>> >
>> > Yes, we are.
>> >
>> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> >> guys would be willing to help us help you more, by:
>> >>
>> >> - clarifying details about the vulnerability, like a link to a CVE
>> >
>> > +1
>> >
>> >> - first check out Fluorine or even better already Neon; at least some
>> >> of the Karaf related ones likely are already solved
>> >
>> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
>> > sure how the analysis matches up with Oxygen SR3; for example, the
>> > version of Guava in SR3 is 23.6.1, which fixes the known
>> > vulnerabilities. CLM also flags a number of false positives, e.g.
>> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>> >
>> >> - clarify where you found the artifact... there are (to me) some
>> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> >> where that is used by what project in ODL
>> >
>> > +1
>> >
>> >> - dedupe your list - it looks a lot longer than it really is, many
>> >> dupes ;)
>> >
>> > I think this is because the artifacts aren’t fully described: we need
>> > the artifactId as well as the groupId, and ideally the version.
>> >
>> > Regards,
>> >
>> > Stephen
>>
>> ___
>> TSC mailing list
>> t...@lists.opendaylight.org
>> https://lists.opendaylight.org/mailman/listinfo/tsc
>>
>
> ___
> TSC mailing list
> t...@lists.opendaylight.org
> https://lists.opendaylight.org/mailman/listinfo/tsc
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4282): https://lists.onap.org/g/onap-tsc/message/4282
-=-=-=-=-=-=-=-=-=-=-=-



Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Alexis de Talhouet
Awesome. Thank you for the reminder Daniel. I’ll loop in that list.

Regards,
Alexis

> On Dec 7, 2018, at 3:56 PM, Daniel Farrell  wrote:
> 
> No, this list is exactly meant for this type of secret information. It's the 
> group of people the TSC has appointed as trusted to handle security issues. 
> They will follow all the normal security embargo best practices.
> 
> Thanks,
> Daniel
> 
> On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët wrote:
> Daniel,
> 
> Is the content of information provided through that mailing list publicly 
> available? If yes, then I can’t provide the information to that list, as we 
> don’t want to share publicly the vulnerabilities.
> 
> Alexis
> 
> 
>> On Dec 7, 2018, at 3:50 PM, Daniel Farrell wrote:
>> 
>> Hey Alexis,
>> 
>> Reminder that we have a security response team that's meant to handle these 
>> types of things. Stephen is on the security response team, but you might 
>> still be better off sharing with that group vs Stephen and Michael directly. 
>> We asked for these details to be sent to that list months ago when ONAP 
>> folks first mentioned these scanning issues, but last time I talked to 
>> Stephen about it they still hadn't been sent.
>> 
>> secur...@lists.opendaylight.org 
>> 
>> We appreciate ONAP working with us to make sure we're the best upstream we 
>> can be. Looking forward to benefiting both projects by working together more 
>> closely.
>> 
>> Daniel
>> 
>> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët wrote:
>> Michael, Stephen, 
>> 
>> I sent you the information privately, as we should not share vulnerabilities 
>> publicly.
>> Please only distribute internally to PTL and/or TSC.
>> 
>> Regards,
>> Alexis
>> 
>>> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare wrote:
>>> 
>>> Thanks Alexis, Stephen and Michael.
>>> 
>>> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët wrote:
>>> Michael, Stephen,
>>> 
>>> Thank you for the prompt response. I’ll get clarification on the 
>>> vulnerabilities we have identified and will come back to you on the points 
>>> you mentioned.
>>> 
>>> Alexis
>>> 
>>> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt wrote:
>>> > 
>>> > Hi Alexis,
>>> > 
>>> > On Thu, 6 Dec 2018 17:57:29 +0100
>>> > Michael Vorburger <vorbur...@redhat.com>
>>> > wrote:
>>> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>>> >>> <adetalhoue...@gmail.com> wrote:
>>> >>> 
>>> >>> Greetings ODL community, TSC,
>>> >>> 
>>> >>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> >>> need to eradicate critical vulnerabilities.
>>> >>> 
>>> >>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> >>> reports that were found in the ODL Oxygen SR3 distribution,
>>> >>> documented here
>>> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> >>> document is high-level information, providing only the groupId of
>>> >>> the maven artifact. I don’t have permission to see ODL projects in
>>> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> >>> link the reports directly here.
>>> >>> 
>>> >>> Point is, we would like to know where ODL stands with regards to CII
>>> >>> Badging; is that something you’re seeking?
>>> > 
>>> > Not actively, but we do care about fixing vulnerabilities.
>>> > 
>>> >>> Regardless, we would like to know if ODL is willing to address
>>> >>> critical vulnerabilities impacting ONAP?
>>> > 
>>> > Yes, we are.
>>> > 
>>> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
>>> >> guys would be willing to help us help you more, by:
>>> >> 
>>> >> - clarifying details about the vulnerability, like a link to a CVE
>>> > 
>>> > +1
>>> > 
>>> >> - first check out Fluorine or even better already Neon; at least some
>>> >> of the Karaf related ones likely are already solved
>>> > 
>>> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
>>> > sure how the analysis matches up with Oxygen SR3; for example, the
>>> > version of Guava in SR3 is 23.6.1, which fixes the known
>>> > vulnerabilities. CLM also flags a number of false positives, e.g.
>>> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>>> > 
>>> >> - clarify where you found the artifact... there are (to me) some
>>> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
>>> >> where that is used by what project in ODL
>>> > 
>>> > +1
>>> > 
>>> >> - dedupe your list - it looks a lot longer than it 

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Alexis de Talhouet
Daniel,

Is the content of information provided through that mailing list publicly 
available? If yes, then I can’t provide the information to that list, as we 
don’t want to share publicly the vulnerabilities.

Alexis

> On Dec 7, 2018, at 3:50 PM, Daniel Farrell  wrote:
> 
> Hey Alexis,
> 
> Reminder that we have a security response team that's meant to handle these 
> types of things. Stephen is on the security response team, but you might 
> still be better off sharing with that group vs Stephen and Michael directly. 
> We asked for these details to be sent to that list months ago when ONAP folks 
> first mentioned these scanning issues, but last time I talked to Stephen 
> about it they still hadn't been sent.
> 
> secur...@lists.opendaylight.org 
> 
> We appreciate ONAP working with us to make sure we're the best upstream we 
> can be. Looking forward to benefiting both projects by working together more 
> closely.
> 
> Daniel
> 
> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët wrote:
> Michael, Stephen, 
> 
> I sent you the information privately, as we should not share vulnerabilities 
> publicly.
> Please only distribute internally to PTL and/or TSC.
> 
> Regards,
> Alexis
> 
>> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare wrote:
>> 
>> Thanks Alexis, Stephen and Michael.
>> 
>> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët wrote:
>> Michael, Stephen,
>> 
>> Thank you for the prompt response. I’ll get clarification on the vulnerabilities 
>> we have identified and will come back to you on the points you mentioned.
>> 
>> Alexis
>> 
>> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt wrote:
>> > 
>> > Hi Alexis,
>> > 
>> > On Thu, 6 Dec 2018 17:57:29 +0100
>> > Michael Vorburger <vorbur...@redhat.com>
>> > wrote:
>> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>> >>> <adetalhoue...@gmail.com> wrote:
>> >>> 
>> >>> Greetings ODL community, TSC,
>> >>> 
>> >>> Within the ONAP community, we’re seeking CII badging. For that, we
>> >>> need to eradicate critical vulnerabilities.
>> >>> 
>> >>> A few ONAP projects depend on OpenDaylight artifacts, such as
>> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>> >>> reports that were found in the ODL Oxygen SR3 distribution,
>> >>> documented here
>> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>> >>> document is high-level information, providing only the groupId of
>> >>> the maven artifact. I don’t have permission to see ODL projects in
>> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>> >>> link the reports directly here.
>> >>> 
>> >>> Point is, we would like to know where ODL stands with regards to CII
>> >>> Badging; is that something you’re seeking?
>> > 
>> > Not actively, but we do care about fixing vulnerabilities.
>> > 
>> >>> Regardless, we would like to know if ODL is willing to address
>> >>> critical vulnerabilities impacting ONAP?
>> > 
>> > Yes, we are.
>> > 
>> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> >> guys would be willing to help us help you more, by:
>> >> 
>> >> - clarifying details about the vulnerability, like a link to a CVE
>> > 
>> > +1
>> > 
>> >> - first check out Fluorine or even better already Neon; at least some
>> >> of the Karaf related ones likely are already solved
>> > 
>> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
>> > sure how the analysis matches up with Oxygen SR3; for example, the
>> > version of Guava in SR3 is 23.6.1, which fixes the known
>> > vulnerabilities. CLM also flags a number of false positives, e.g.
>> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>> > 
>> >> - clarify where you found the artifact... there are (to me) some
>> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> >> where that is used by what project in ODL
>> > 
>> > +1
>> > 
>> >> - dedupe your list - it looks a lot longer than it really is, many
>> >> dupes ;)
>> > 
>> > I think this is because the artifacts aren’t fully described: we need
>> > the artifactId as well as the groupId, and ideally the version.
>> > 
>> > Regards,
>> > 
>> > Stephen
>> 
>> ___
>> TSC mailing list
>> t...@lists.opendaylight.org 
>> https://lists.opendaylight.org/mailman/listinfo/tsc 
>> 
> 

Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-07 Thread Alexis de Talhouet
Michael, Stephen, 

I sent you the information privately, as we should not share vulnerabilities 
publicly.
Please only distribute internally to PTL and/or TSC.

Regards,
Alexis

> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare wrote:
> 
> Thanks Alexis, Stephen and Michael.
> 
> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët wrote:
> Michael, Stephen,
> 
> Thank you for the prompt response. I’ll get clarification on the vulnerabilities 
> we have identified and will come back to you on the points you mentioned.
> 
> Alexis
> 
> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt wrote:
> > 
> > Hi Alexis,
> > 
> > On Thu, 6 Dec 2018 17:57:29 +0100
> > Michael Vorburger <vorbur...@redhat.com> wrote:
> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
> >>> <adetalhoue...@gmail.com> wrote:
> >>> 
> >>> Greeting ODL community, TSC,
> >>> 
> >>> Within the ONAP community, we’re seeking CII badging. For that, we
> >>> need to eradicate critical vulnerabilities.
> >>> 
> >>> Few ONAP projects are depending on OpenDaylight artifacts, such as
> >>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
> >>> reports that were found in the ODL Oxygen SR3 distribution,
> >>> documented here
> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
> >>> document is high level information providing only the groupId of
> >>> the maven artifact. I don’t have permission to see ODL projects in
> >>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
> >>> link directly reports here.
> >>> 
> >>> Point is, we would like to know where ODL stands with regards to CII
> >>> Badging; is that something you’re seeking?
> > 
> > Not actively, but we do care about fixing vulnerabilities.
> > 
> >>> Regardless, we would like to know if ODL is willing to address
> >>> critical vulnerabilities impacting ONAP?
> > 
> > Yes, we are.
> > 
> >> I just had a (quick) look at wiki.onap.org, and was wondering if you
> >> guys would be willing to help us help you more, by:
> >> 
> >> - clarifying details about the vulnerability, like a link to a CVE
> > 
> > +1
> > 
> >> - first check out Fluorine or even better already Neon; at least some
> >> of the Karaf related ones likely are already solved
> > 
> > At least, check Oxygen SR4 when it’s available. I’m also not entirely
> > sure how the analysis matches up with Oxygen SR3; for example, the
> > version of Guava in SR3 is 23.6.1, which fixes the known
> > vulnerabilities. CLM also flags a number of false positives, e.g.
> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
> > 
> >> - clarify where you found the artifact... there are (to me) some
> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
> >> where that is used by what project in ODL
> > 
> > +1
> > 
> >> - dedupe your list - it looks a lot longer than it really is, many
> >> dupes ;)
> > 
> > I think this is because the artifacts aren’t fully described: we need
> > the artifactId as well as the groupId, and ideally the version.
> > 
> > Regards,
> > 
> > Stephen
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4277): https://lists.onap.org/g/onap-tsc/message/4277
Mute This Topic: https://lists.onap.org/mt/28628360/21656
Group Owner: onap-tsc+ow...@lists.onap.org
Unsubscribe: https://lists.onap.org/g/onap-tsc/leave/2743226/1412191262/xyzzy  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

2018-12-06 Thread Alexis de Talhouet
Michael, Stephen,

Thank you for the prompt response. I’ll get clarification on the vulnerabilities we 
have identified and will come back to you on the points you mentioned.

Alexis

> On Dec 6, 2018, at 1:06 PM, Stephen Kitt wrote:
> 
> Hi Alexis,
> 
> On Thu, 6 Dec 2018 17:57:29 +0100
> Michael Vorburger wrote:
>>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët wrote:
>>> 
>>> Greeting ODL community, TSC,
>>> 
>>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> need to eradicate critical vulnerabilities.
>>> 
>>> Few ONAP projects are depending on OpenDaylight artifacts, such as
>>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> reports that were found in the ODL Oxygen SR3 distribution,
>>> documented here
>>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> document is high level information providing only the groupId of
>>> the maven artifact. I don’t have permission to see ODL projects in
>>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> link directly reports here.
>>> 
>>> Point is, we would like to know where ODL stands with regards to CII
>>> Badging; is that something you’re seeking?
> 
> Not actively, but we do care about fixing vulnerabilities.
> 
>>> Regardless, we would like to know if ODL is willing to address
>>> critical vulnerabilities impacting ONAP?
> 
> Yes, we are.
> 
>> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> guys would be willing to help us help you more, by:
>> 
>> - clarifying details about the vulnerability, like a link to a CVE
> 
> +1
> 
>> - first check out Fluorine or even better already Neon; at least some
>> of the Karaf related ones likely are already solved
> 
> At least, check Oxygen SR4 when it’s available. I’m also not entirely
> sure how the analysis matches up with Oxygen SR3; for example, the
> version of Guava in SR3 is 23.6.1, which fixes the known
> vulnerabilities. CLM also flags a number of false positives, e.g.
> commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
> 
>> - clarify where you found the artifact... there are (to me) some
>> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> where that is used by what project in ODL
> 
> +1
> 
>> - dedupe your list - it looks a lot longer than it really is, many
>> dupes ;)
> 
> I think this is because the artifacts aren’t fully described: we need
> the artifactId as well as the groupId, and ideally the version.
> 
> Regards,
> 
> Stephen


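The triage Michael and Stephen ask for above (full Maven coordinates instead of a bare groupId, deduplication, and a check of the flagged version against what the distribution actually ships, which is how the Guava and commons-fileupload false positives are caught) can be scripted. The block below is an added example written for this archive; it is not ONAP, OpenDaylight, CCSDK or Nexus IQ code. The findings list, the bill of materials and the "fixed in" versions are constructed sample data, and the advisory identifiers (ADV-1 and so on) and the org.example/com.example artifacts are placeholders, not real advisories or real ODL dependencies.

```python
"""Triage a CLM-style dependency vulnerability report against a distribution BOM.

Added example, not project code. All findings, BOM versions and fix
versions below are constructed sample data with placeholder identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    group_id: str
    artifact_id: Optional[str]   # None when the report only gives the groupId
    version: Optional[str]       # None when the report omits the version
    advisory: str                # advisory identifier as given in the report


def parse_version(v: str) -> Tuple[int, ...]:
    """'23.6.1' -> (23, 6, 1). A qualifier such as '-jre' is ignored;
    non-numeric segments compare as 0 so the function never raises."""
    core = v.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def dedupe(findings: List[Finding]) -> Dict[tuple, List[str]]:
    """Collapse the report onto full coordinates (groupId, artifactId, version).

    Identical rows collapse to one; one coordinate flagged by several
    advisories stays a single row carrying all of them.
    """
    by_coord = defaultdict(set)
    for f in findings:
        by_coord[(f.group_id, f.artifact_id, f.version)].add(f.advisory)
    return {coord: sorted(advs) for coord, advs in by_coord.items()}


def classify(findings: List[Finding],
             bom: Dict[Tuple[str, str], str],
             fixed_in: Dict[str, str]) -> Dict[tuple, str]:
    """Label each deduplicated coordinate for follow-up.

    bom:      {(groupId, artifactId): version shipped in the distribution}
    fixed_in: {advisory: first version carrying the fix}
    Labels:   'incomplete'            - no artifactId/version, cannot be checked
              'not-in-distribution'   - artifact is not shipped at all
              'fixed-in-distribution' - shipped version already carries every fix
              'open'                  - at least one advisory still applies
    An advisory with no known fix version is treated as open, never silently dropped.
    """
    labels = {}
    for (g, a, v), advisories in dedupe(findings).items():
        if a is None or v is None:
            labels[(g, a, v)] = "incomplete"
            continue
        shipped = bom.get((g, a))
        if shipped is None:
            labels[(g, a, v)] = "not-in-distribution"
            continue
        still_open = [adv for adv in advisories
                      if adv not in fixed_in
                      or parse_version(shipped) < parse_version(fixed_in[adv])]
        labels[(g, a, v)] = "open" if still_open else "fixed-in-distribution"
    return labels


# Constructed sample report: mirrors the shapes discussed in the thread
# (groupId-only rows, verbatim duplicates, artifacts the distribution does
# not ship). Versions and advisory ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("com.google.guava", None, None, "ADV-1"),                   # groupId only
    Finding("com.google.guava", "guava", "20.0", "ADV-1"),
    Finding("com.google.guava", "guava", "20.0", "ADV-1"),               # verbatim duplicate
    Finding("commons-fileupload", "commons-fileupload", "1.3.3", "ADV-2"),
    Finding("com.example.mail", "mail-client", "4.0.0", "ADV-3"),        # not in the BOM
    Finding("org.example.demo", "demo-lib", "1.0.0", "ADV-4"),
    Finding("org.example.demo", "demo-lib", "1.0.0", "ADV-5"),           # same GAV, second advisory
]

# Constructed BOM of what the distribution ships.
SAMPLE_BOM = {
    ("com.google.guava", "guava"): "23.6.1",
    ("commons-fileupload", "commons-fileupload"): "1.3.3",
    ("org.example.demo", "demo-lib"): "1.0.0",
}

# Constructed fix versions; ADV-5 deliberately has none.
SAMPLE_FIXED_IN = {"ADV-1": "22.0", "ADV-2": "1.3.3", "ADV-3": "4.1.0", "ADV-4": "1.1.0"}


if __name__ == "__main__":
    for coord, label in classify(SAMPLE_FINDINGS, SAMPLE_BOM, SAMPLE_FIXED_IN).items():
        print(f"{label:22s} {coord}")
```

Running the sample yields five rows instead of seven: the groupId-only Guava row is marked incomplete (exactly the gap Stephen points out), the Guava 20.0 and commons-fileupload rows come out as fixed in the distribution, the mail client is not in the distribution, and only the placeholder demo-lib stays open. In a real run the BOM would come from the distribution's dependency tree (for example `mvn dependency:list` on the distribution POM) and the fix versions from the advisories the report links to, which is why the thread asks for a CVE link per finding.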