Thank you for the update. Please update the vulnerability analysis for CLI at 
 with this information.

From: Kanagaraj Manickam []
Sent: Monday, April 02, 2018 2:07 AM
Cc:; onap-tsc <>
Subject: RE: [onap-tsc] Known vulnerability analysis of CLI

Hi Amy,

Pls find my answers inline and let me know if additional details required. 

Kanagaraj M
Be transparent! Win together !!

This e-mail and its attachments contain confidential information from HUAWEI, 
which is intended only for the person  or entity whose address is listed above. 
Any use of the information contained herein in any way (including, but not   
limited to, total or partial disclosure, reproduction, or dissemination) by 
persons other than the intended recipient(s) is  prohibited. If you receive 
this e-mail in error, please notify the sender by phone or email immediately 
and delete it!

Sent: Saturday, March 31, 2018 11:34 PM
To: Kanagaraj Manickam
Cc:<>; onap-tsc
Subject: [onap-tsc] Known vulnerability analysis of CLI

Hi Kanagaraj,
I was reviewing the CLI known vulnerability analysis – thank-you for providing 

1.       You stated that the use of the commons-codec library in commons-codec 
is a False Positive because it is not a direct dependency and is caused via 3rd 
party library dependency.

•         How did you test this in CLI?

[Kanagaraj M]  This library is used by http-client, which is used at the 
back-end of cli project. As part of the build, this is being iterated when 
cli-vlidation project validates all Beijing clis.

•         What package is using commons-codec?

[Kanagaraj M] dependency libaray: httpclient 4.3.5

Used by: cli-validation artifact

•         Is there a version of this package that uses the most recent version 
of commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was 
released in 2011.

[Kanagaraj M] Yes, but CLI does not directly use this library.

2.       The CVE for jline 1.8 indicates that the vulnerability is in hawtjni.

•         How did you test that 
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/  is 
not used in jline?

[Kanagaraj M] Jline is 3rd party library used in CLI at the console access 
level where no programming level access is possible. And For attacker, they 
need access /tmp for this vulnerability. In ONAP, we provide the console level 
access over the browser, where there is no possibility for accessing the file 
system .
Thanks so much,

​​​​​Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241

"This e-mail and any files transmitted with it are the property of AT&T,  and 
are intended solely for the use of the individual or entity to whom this e-mail 
is addressed. If you are not one of the named recipient(s) or otherwise have 
reason to believe that you have received this message in error, please notify 
the sender and delete this message immediately from your electronic device. Any 
other use, retention, dissemination, forwarding, printing, or copying of this 
e-mail is strictly prohibited."

ONAP-TSC mailing list

Reply via email to