Hi Kanagaraj,
I was reviewing the CLI known vulnerability analysis – thank you for providing
that (https://wiki.onap.org/pages/viewpage.action?pageId=28377287)

1. You stated that the use of the commons-codec library in commons-codec is a
False Positive because it is not a direct dependency and is caused via 3rd party
library dependency.

   · How did you test this in CLI?

   · What package is using commons-codec?

   · Is there a version of this package that uses the most recent version of
     commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was
     released in 2011.

2. The CVE for jline 1.8 indicates that the vulnerability is in hawtjni.

   · How did you test that
     hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
     is not used in jline?
Thanks so much,
Amy

Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241
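As an added example (not code from this mail or from the ONAP CLI project), the questions under point 1 can be answered mechanically from `mvn dependency:tree` output: which direct dependency pulls in commons-codec, whether it is a direct or a transitive dependency, and whether the resolved version is older than 1.11. The tree below is constructed and its artifact names and versions are illustrative, not the real CLI build.

```python
import re
from typing import Dict, List, Tuple

# Constructed `mvn dependency:tree` output (not the real ONAP CLI build); group,
# artifact and version values are illustrative only.
SAMPLE_TREE = """\
org.example:cli:jar:1.0.0
+- org.example:http-helper:jar:2.3.0:compile
|  +- commons-codec:commons-codec:jar:1.6:compile
|  \\- org.apache.httpcomponents:httpcore:jar:4.4.1:compile
+- org.example:shell-support:jar:0.9.0:compile
|  \\- org.example:shell-util:jar:0.9.0:compile
|     \\- commons-codec:commons-codec:jar:1.6:compile
\\- junit:junit:jar:4.12:test
"""

def version_of(coord: str) -> str:
    """group:artifact:type[:classifier]:version[:scope]; the root line has no scope."""
    parts = coord.split(":")
    return parts[-2] if len(parts) >= 5 else parts[-1]

def find_paths(tree: str, group_id: str, artifact_id: str) -> List[List[str]]:
    """All dependency paths (project itself excluded) that end at group:artifact."""
    stack: List[str] = []
    paths: List[List[str]] = []
    for raw in tree.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw  # real mvn log prefix
        coord = line.lstrip("+-\\| ")           # tree drawing chars precede the coordinate
        depth = (len(line) - len(coord)) // 3   # each tree level is three columns wide
        del stack[depth:]                        # leave the previous branch
        stack.append(coord)
        parts = coord.split(":")
        if parts[0] == group_id and parts[1] == artifact_id:
            paths.append(stack[1:])              # stack[0] is the project itself
    return paths

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple so 1.6 sorts before 1.11 (string comparison gets that wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def report(tree: str, group_id: str, artifact_id: str, minimum: str) -> Dict[str, object]:
    """Direct or transitive, which direct deps pull it in, and is it older than minimum."""
    paths = find_paths(tree, group_id, artifact_id)
    versions = {version_of(p[-1]) for p in paths}
    return {
        "direct": any(len(p) == 1 for p in paths),
        "pulled_in_by": sorted({p[0].split(":")[1] for p in paths}),
        "versions": sorted(versions, key=version_key),
        "outdated": any(version_key(v) < version_key(minimum) for v in versions),
    }
```

Running `report(SAMPLE_TREE, "commons-codec", "commons-codec", "1.11")` on a real build's tree shows whether the library is transitive, which direct dependencies would need upgrading, and whether the resolved version is behind the release named in the mail.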



_______________________________________________
ONAP-TSC mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-tsc