Hi Dan,

Thank you for the clarification. When going over the status of my review with the security sub-committee I received a question that I realized I couldn’t quite answer, so I have a follow-up question.

The sdnc-oam is in gerrit so it is downloadable, however from the description below it is not included in SDNC when it is instantiated with OOM – is that correct? Could any of the vulnerabilities allow malicious code to be created as an output of the dgbuilder and find their way into SDNC as part of a DG? The vulnerabilities that subject dgbuilder to DDoS wouldn’t but potential malicious code insertion could ….

BR,
Steve

From: TIMONEY, DAN [mailto:dt5...@att.com]
Sent: Monday, April 02, 2018 7:13 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <firstname.lastname@example.org>
Subject: Re: Review of SDC known vulnerability Analysis

Steve,

The dgbuilder is a design time tool. We use it to create and update the directed graphs, which then get stored in Gerrit and managed from there as source code.

Eventually we’d like to support using the dgbuilder as an editor integrated with SDC at run time to update and deploy new versions of directed graphs – especially to allow rapid deployment of patches. However, in its current form, dgbuilder is really only appropriate as a design time tool.

Dan

--
Dan Timoney
SDN-CP / OpenECOMP SDN-C SSO

From: Stephen Terrill <stephen.terr...@ericsson.com>
Date: Monday, April 2, 2018 at 3:45 AM
To: "TIMONEY, DAN" <dt5...@att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc <email@example.com>
Subject: Review of SDC known vulnerability Analysis

Hi Dan,

Thank you for the report on the SDC known vulnerabilities - https://wiki.onap.org/pages/viewpage.action?pageId=28379582 .

For most of the impacts it states that low risk – only occurs in design tool (dgbuilder). How is this tool used by SDNC? Is it used in the runtime environment, or can it be called in the run-time environment?

Best Regards,
Steve

_______________________________________________
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc