Hi Dan,

Thank you for the clarification.  When going over the status of my review with 
the security sub-committee I received a question that made me realize that I 
couldn’t quite answer, so I have a follow-up question.

The sdnc-oam is in gerrit so it is downloadable, however from the description 
below it is not included in SDNC when it is instantiated with OOM – is that 

Could any of the vulnerabilities allow malicious code to be created as an 
output of the dgbuilder and find their way into SDNC as part of a DG?  The 
vulnerabilities that subject dgbuilder to DDoS wouldn’t but potential malicious 
code insertion could ….



From: TIMONEY, DAN [mailto:dt5...@att.com]
Sent: Monday, April 02, 2018 7:13 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>
Subject: Re: Review of SDC known vulnerability Analysis


The dgbuilder is a design time tool.  We use it to create and update the 
directed graphs, which then get stored in Gerrit and managed from there as 
source code.

Eventually we’d like to support using the dgbuilder as an editor integrated 
with SDC at run time to update and deploy new versions of directed graphs – 
especially to allow rapid deployment of patches.  However, in its current form, 
dgbuilder is really only appropriate as a design time tool.


Dan Timoney


From: Stephen Terrill 
Date: Monday, April 2, 2018 at 3:45 AM
To: "TIMONEY, DAN" <dt5...@att.com>
Cc: onap-sec...@lists.onap.org, onap-tsc
Subject: Review of SDC known vulnerability Analysis

Hi Dan,

Thank you for the report on the SDC known vulnerabilities - 

For most of the impacts it states that low risk – only occurs in design tool 
(dgbuilder).  How is this tool used by SDNC?  Is it used in the runtime 
environment, or can it be called in the run-time environment?

Best Regards,



Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515

