Hi Amy, Pls find my answers inline and let me know if additional details required. Thanks
Regards Kanagaraj M ------------------------------------- Be transparent! Win together !! 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件! This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! From: ZWARICO, AMY [mailto:[email protected]] Sent: Saturday, March 31, 2018 11:34 PM To: Kanagaraj Manickam Cc: [email protected]; onap-tsc Subject: [onap-tsc] Known vulnerability analysis of CLI Hi Kanagaraj, I was reviewing the CLI known vulnerability analysis – thank-you for providing that (https://wiki.onap.org/pages/viewpage.action?pageId=28377287) 1. You stated that the use of the commons-codec library in commons-codec is a False Positive because it is not a direct dependency and is caused via 3rd party library dependency. • How did you test this in CLI? [Kanagaraj M] This library is used by http-client, which is used at the back-end of cli project. As part of the build, this is being iterated when cli-vlidation project validates all Beijing clis. • What package is using commons-codec? [Kanagaraj M] dependency libaray: httpclient 4.3.5 Used by: cli-validation artifact • Is there a version of this package that uses the most recent version of commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was released in 2011. [Kanagaraj M] Yes, but CLI does not directly use this library. 2. The CVE for jline 1.8 indicates that the vulnerability is in hawtjni. • How did you test that hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java is not used in jline? [Kanagaraj M] Jline is 3rd party library used in CLI at the console access level where no programming level access is possible. And For attacker, they need access /tmp for this vulnerability. In ONAP, we provide the console level access over the browser, where there is no possibility for accessing the file system . . Thanks so much, Amy Amy Zwarico, LMTS Chief Security Office / Enterprise Security Support / Cloud Security Services AT&T Services (205) 403-2241 "This e-mail and any files transmitted with it are the property of AT&T, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your electronic device. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."
_______________________________________________ ONAP-TSC mailing list [email protected] https://lists.onap.org/mailman/listinfo/onap-tsc
