Re: [onap-tsc] Casablanca Release Timeline draft proposal for review

2018-04-02 Thread Gildas Lanilis
Hi Vladimir,

Since I wrote this email, a few changes have come into play (cf. attached email). 
There is the introduction of an end-user advisory committee, which helps to define 
priorities and will feed into the use case committee.
The "E2E Release Use Case Approval" milestone helps to streamline the work 
before we do project planning.

More to come on this during TSC meeting this Thursday.
In case you have not seen this, Casablanca goals are being defined here 
https://wiki.onap.org/display/DW/Casablanca+goals

Thanks,
Gildas
ONAP Release Manager
1 415 238 6287

From: Vladimir Yanover (vyanover) [mailto:vyano...@cisco.com]
Sent: Tuesday, March 27, 2018 1:25 AM
To: Gildas Lanilis; onap-tsc@lists.onap.org; onap-release
Subject: RE: Casablanca Release Timeline draft proposal for review

Gildas,
Can you please clarify what is "E2E Release Use Case approved"?
Thanks
Vladimir

From: onap-tsc-boun...@lists.onap.org On Behalf Of Gildas Lanilis
Sent: Tuesday, March 27, 2018 2:33 AM
To: onap-tsc@lists.onap.org; onap-release
Subject: [onap-tsc] Casablanca Release Timeline draft proposal for review

Hi All,

During the ONAP breakout session at ONS Los Angeles on March 26, 2018, a draft 
proposal for the Casablanca Release Timeline was presented.
Find here the link to the materials for your review and comments.
Please post your reviews and comments directly at the bottom of the wiki; that 
will help everyone with transparency, avoid duplicates and make our inboxes 
lighter :).
Thanks for your honest feedback.

Thanks,
Gildas

Gildas Lanilis
ONAP Release Manager
Santa Clara CA, USA
gildas.lani...@huawei.com
Mobile: 1 415 238 6287

--- Begin Message ---
Chris

As Phil mentioned, this is a subcommittee of the LFN end-user advisory 
committee and does not need the approval, scope or charter
of our TSC. Phil can share status and plan.

Nevertheless, I agree that it is important for our TSC to review but we will 
not slow down the process.
thanks
Mazin


   On Mar 30, 2018, at 10:45 PM, Christopher Donley (Chris) wrote:

   Mazin,

   As we discussed, please make sure that we follow the charter in proposing 
the end-user advisory committee (i.e., formal documentation of the purpose, 
scope, membership, etc.) so that the TSC can review and vote on it. I think it's 
a good idea, but I want to see the details and make sure we follow our 
documented procedure.

   Thanks,
   Chris



   From: GILBERT, MAZIN E (MAZIN E)
   To: Alla Goldner;
   Cc: onap-disc...@lists.onap.org; onap-usecase...@lists.onap.org; 
onap-tsc@lists.onap.org;
   Subject: Re: [onap-tsc] [onap-discuss] Action Plan towards Casablanca
   Time: 2018-03-30 17:57:00


   Thanks Alla for the summary.

   Here is what we agreed to at the TSC meeting.
   There are three work plans for Casablanca. The theme is increase 
deployability of ONAP.

   1. Functional requirements and use cases. We agreed to establish an end-user 
advisory committee that will be driven by the equivalent of product managers 
across operators who will help to set priorities that can accelerate 
deployability of ONAP. The work of your committee on use cases and 5G 
solutioning will help to provide options for the end-user advisory committee.

   2. Platform Evolution. This includes some of your list items:
   a. S3P new target (including code coverage)
   b. Backward compatibility
   c. Improve modularity and simplicity of using ONAP.

   3. Broader learning and education of ONAP.
   The Education committee will develop a proposal for weekly Webinars.

   I am working to assemble 1. My hope is to have 3-4 operators signed up next 
week so they can meet with your team and get the work started.
   Phil will make that committee official as a subgroup under LFN end-user 
advisory committee. Until then, let’s not slow down.

   We also discussed what we want to accomplish prior to the Beijing meeting in 
June. We will discuss that further at the TSC meeting this week,
   and also vote on the release planning for Casablanca.

   Great progress by the team on Beijing. Most projects hit M4 already. 
Momentum is amazing.

   Mazin


  On Mar 30, 2018, at 5:03 AM, Alla Goldner wrote:

  Hi all,

  I re-attach the picture which describes high level priorities as 
discussed during the meeting called by me on Wednesday evening. I understand 
this was 

Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-02 Thread KOYA, RAMPRASAD
Sai, Jonathan - Any thoughts on this?

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 2:59 AM
To: KOYA, RAMPRASAD 
Cc: onap-sec...@lists.onap.org; onap-tsc 
Subject: Known vulnerability analysis of AAF

Hi Ram,

Thanks for the review of the known vulnerabilities for AAF: 
https://wiki.onap.org/pages/viewpage.action?pageId=28380057

I note that the actions are still work in progress - do you have an estimated 
time for the analysis?  In the analysis, it would be great if you consider 
the way that AAF uses the imported artefacts, to be clear on whether AAF 
is exposed to the vulnerability.

Best Regards,

Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com



Legal entity: Ericsson España S.A, company registration number ESA288568603. 
This Communication is Confidential. We only send and receive email on the basis 
of the terms set out at 
www.ericsson.com/email_disclaimer

___
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc


[onap-tsc] ONAP-University : ONAP Webinars for experience/knowledge sharing.

2018-04-02 Thread Dhananjay Pavgi
Dear All,

As discussed in the TSC meeting last week at ONS, the ONAP-University sub-committee 
will lead the effort to share ONAP experience/learnings. I will be in transit 
this Thursday and hence will have a delegate attend the TSC. However, I would like 
to start the process of arriving at a calendar/schedule.

The ONAP University subcommittee weekly call is scheduled for Monday. I will 
announce the revised timing through the wiki page of ONAP University.

All those interested are requested to join this call on Monday, 9th April 2018, 
so that we can publish the calendar/schedule in the TSC meeting scheduled for 
Thursday, 12th April 2018.

I look forward to working with you all.

thanks & regards,
Dhananjay Pavgi
+91 98220 22264



Disclaimer:  This message and the information contained herein is proprietary 
and confidential and subject to the Tech Mahindra policy statement, you may 
review the policy at http://www.techmahindra.com/Disclaimer.html externally 
and at http://tim.techmahindra.com/tim/disclaimer.html internally within 
TechMahindra.




Re: [onap-tsc] Casablanca release goals Venn diagram

2018-04-02 Thread Gildas Lanilis
Thanks Ranny for creating the Gliffy diagram.
You deciphered all my handwriting properly :)

Thanks,
Gildas
ONAP Release Manager
1 415 238 6287

From: Haiby, Ranny (Nokia - US/San Jose) [mailto:ranny.ha...@nokia.com]
Sent: Friday, March 30, 2018 11:20 AM
To: onap-tsc
Cc: Perala, Timo (Nokia - FI/Espoo); Gildas Lanilis
Subject: Casablanca release goals Venn diagram

I had a hard time reading the handwritten diagram, so I created a Gliffy 
version on the wiki:
https://wiki.onap.org/display/DW/Casablanca+goals

I would appreciate it if the participants of the meeting where the diagram was 
created would add some details to the "Legend" section of the wiki page.

Regards,

Ranny.





Sent from Nokia8



Re: [onap-tsc] Review of Policy known vulnerability Analysis

2018-04-02 Thread Stephen Terrill
Hi Pam,

Thanks for the reply.  For the vulnerabilities that remain due to e.g. 
backwards compatibility, can we be clear about the exposure of the risk to ONAP 
in the impact analysis?

BR,

Steve

From: DRAGOSH, PAMELA L (PAM) [mailto:pdrag...@research.att.com]
Sent: Monday, April 02, 2018 1:31 PM
To: Stephen Terrill 
Cc: onap-sec...@lists.onap.org; onap-tsc 
Subject: Re: Review of Policy known vulnerability Analysis

Stephen,

We are introducing a change in functionality that bypasses this code in 
Beijing, but it is a late addition. We will need to support the use of this 
code for backwards compatibility until we can fully vet the new functionality 
works and we can switch to it completely to deprecate the other code. We hope 
that we can test and fix the new functionality over the next few weeks.

Pam


From: Stephen Terrill
Date: Friday, March 30, 2018 at 3:39 PM
To: "DRAGOSH, PAMELA L (PAM)"
Cc: "onap-sec...@lists.onap.org", onap-tsc
Subject: Review of Policy known vulnerability Analysis

Hi Pam,

I am reviewing the known vulnerability analysis for Policy 
(https://wiki.onap.org/pages/viewpage.action?pageId=25437092), thank you for 
the analysis.


I had a question on “commons-client”, where the text indicates “We are building 
functionality that by-passes the code that uses this dependency into a new 
beijing template for control loops. We are targeting deprecation of the BRMS 
Gateway code in policy/engine over the next release or two”.  Is this something 
that is to be fixed in Beijing?

For Jacksonbind, please look at the example from MSB to assist you in your 
analysis.

BR,

Steve.




Re: [onap-tsc] Review of SDC known vulnerability Analysis

2018-04-02 Thread TIMONEY, DAN
Steve,

The dgbuilder is a design time tool.  We use it to create and update the 
directed graphs, which then get stored in Gerrit and managed from there as 
source code.

Eventually we’d like to support using the dgbuilder as an editor integrated 
with SDC at run time to update and deploy new versions of directed graphs – 
especially to allow rapid deployment of patches.  However, in its current form, 
dgbuilder is really only appropriate as a design time tool.

Dan

--
Dan Timoney
SDN-CP / OpenECOMP SDN-C SSO

Please go to D2 ECOMP Release Planning Wiki for D2 ECOMP Project In-take, 
2016 Release Planning, Change Management, and find key Release Planning 
Contact Information.

From: Stephen Terrill
Date: Monday, April 2, 2018 at 3:45 AM
To: "TIMONEY, DAN"
Cc: "onap-sec...@lists.onap.org", onap-tsc
Subject: Review of SDC known vulnerability Analysis

Hi Dan,

Thank you for the report on the SDC known vulnerabilities - 
https://wiki.onap.org/pages/viewpage.action?pageId=28379582 .

For most of the impacts it states that low risk – only occurs in design tool 
(dgbuilder).  How is this tool used by SDNC?  Is it used in the runtime 
environment, or can it be called in the run-time environment?

Best Regards,

Steve




Re: [onap-tsc] f2f meeting in June

2018-04-02 Thread Kenny Paul
Hi Alla,
It will be the week of June 19th in Beijing. The site should be finalized this 
week.


Best Regards, 
-kenny

Kenny Paul, Technical Program Manager, The Linux Foundation
kp...@linuxfoundation.org, 510.766.5945
San Francisco Bay Area, Pacific Time Zone

> On Mar 31, 2018, at 11:18 PM, Alla Goldner  wrote:
> 
> Hi Kenny,
>  
> Is there information about f2f meeting in June available on wiki?
> If not, could you, please, share it?
>  
> Best regards,
>  
> Alla Goldner
>  
> Open Network Division
> Amdocs Technology
>  
>  
> 
>  
> This message and the information contained herein is proprietary and 
> confidential and subject to the Amdocs policy statement,
> you may review at https://www.amdocs.com/about/email-disclaimer 
> 


Re: [onap-tsc] Review of VID known vulnerability analysis

2018-04-02 Thread Sonsino, Ofir
Hi Steve,

Thanks for your comment.
I've updated the wiki page 
(https://wiki.onap.org/pages/viewpage.action?pageId=28378623) with the relevant 
impact on most of the issues.
A few issues are still under investigation (marked TBD), as we are still trying 
to upgrade as many dependencies as possible to a non-vulnerable version. I'll 
update again in the next couple of days.

Thanks,
Ofir

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 10:48 AM
To: Hemli, Amichai ; Sonsino, Ofir 
Cc: onap-sec...@lists.onap.org; onap-tsc 
Subject: Review of VID known vulnerability analysis

Hi Amichai and Ofir,

Thank you for your known vulnerability analysis of VID 
(https://wiki.onap.org/pages/viewpage.action?pageId=28378623).

For the vulnerabilities for where there is no fix, do you have an analysis of 
how VID uses the imported code so that the implications of the risk can be 
evaluated?  For example for the Jackson mapper, see: 
https://wiki.onap.org/pages/viewpage.action?pageId=25439016

Best Regards,

Steve



[onap-tsc] Known vulnerability analysis for AAI

2018-04-02 Thread Stephen Terrill
Hi Jimmy,

Thank you for the impressive known vulnerability analysis of AAI.  You have 
informed me that a lot of the vulnerabilities are associated with components 
that you are upgrading/replacing.  Can you please inform me when that is done?

I note that aai/gizmo (org.apache.httpcomponents) (row 38) is still under 
investigation; it would be good to know when that is complete.  The same for 
rows 48 and 212.

The ones that you have marked as false positive seem OK to me.

Best Regards,

Steve





[onap-tsc] Review of SDC known vulnerability analysis

2018-04-02 Thread Stephen Terrill
Hi Michael,

Thanks for the known vulnerability analysis 
(https://wiki.onap.org/pages/viewpage.action?pageId=28377537).  I had a few 
questions:

For aaf-authz-docker (com.thoughtworks.xstream), I couldn't quite understand 
the analysis and your understanding of the exposure that SDC has to the 
vulnerability.  Are the JIRA numbers SDC-805 & SDC-807?

For sdc-sdc-tosca (com.fasterxml.jackson.core), are you using jackson-databind 
in such a way that the vulnerability is exposed?  See the MSB analysis for 
reference: https://wiki.onap.org/pages/viewpage.action?pageId=25439016

BR,

Steve



Re: [onap-tsc] Known vulnerability analysis of CLI

2018-04-02 Thread Kanagaraj Manickam
Hi Amy,

Please find my answers inline and let me know if additional details are 
required. Thanks


Regards
Kanagaraj M
-
Be transparent! Win together !!

This e-mail and its attachments contain confidential information from HUAWEI, 
which is intended only for the person or entity whose address is listed above. 
Any use of the information contained herein in any way (including, but not 
limited to, total or partial disclosure, reproduction, or dissemination) by 
persons other than the intended recipient(s) is prohibited. If you receive 
this e-mail in error, please notify the sender by phone or email immediately 
and delete it!


From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: Saturday, March 31, 2018 11:34 PM
To: Kanagaraj Manickam
Cc: onap-sec...@lists.onap.org; onap-tsc
Subject: [onap-tsc] Known vulnerability analysis of CLI

Hi Kanagaraj,
I was reviewing the CLI known vulnerability analysis – thank-you for providing 
that (https://wiki.onap.org/pages/viewpage.action?pageId=28377287)

1.   You stated that the use of the commons-codec library in commons-codec 
is a False Positive because it is not a direct dependency and is caused via a 
3rd-party library dependency.

• How did you test this in CLI?

[Kanagaraj M]  This library is used by http-client, which is used at the 
back end of the CLI project. As part of the build, this is iterated when the 
cli-validation project validates all Beijing CLIs.

• What package is using commons-codec?

[Kanagaraj M] dependency library: httpclient 4.3.5

Used by: cli-validation artifact



• Is there a version of this package that uses the most recent version 
of commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was 
released in 2011.

[Kanagaraj M] Yes, but CLI does not directly use this library.



2.   The CVE for jline 1.8 indicates that the vulnerability is in hawtjni.

• How did you test that 
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java  is 
not used in jline?

[Kanagaraj M] JLine is a 3rd-party library used in CLI at the console access 
level, where no programming-level access is possible. For an attacker, they 
need access to /tmp for this vulnerability. In ONAP, we provide the console-level 
access over the browser, where there is no possibility of accessing the file 
system.
Thanks so much,
Amy

​Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241

"This e-mail and any files transmitted with it are the property of AT&T, and 
are intended solely for the use of the individual or entity to whom this e-mail 
is addressed. If you are not one of the named recipient(s) or otherwise have 
reason to believe that you have received this message in error, please notify 
the sender and delete this message immediately from your electronic device. Any 
other use, retention, dissemination, forwarding, printing, or copying of this 
e-mail is strictly prohibited."


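The questions in this thread ("How did you test this?", "What package is using commons-codec?", "Is it direct or via a 3rd-party library?") are the same three checks for every row of a known-vulnerability table, and they can be answered mechanically from the build rather than from memory. The script below is an added example for this thread; it is not ONAP or CLI project code. It parses `mvn dependency:tree` output, reports whether the flagged artifact is declared directly or pulled in transitively (and by what, in which Maven scope), and greps the project's own sources for imports of the flagged package. The tree text and the two Java snippets are constructed for the example: the cli-validation, httpclient 4.3.5 and commons-codec 1.6 coordinates follow what the thread states, while the plugin banner line, the other versions and the hypothetical OnapHttpClient.java are assumptions.

```python
"""Classify a flagged Maven artifact from `mvn dependency:tree` output:
direct or transitive, pulled in by what, in which scope, and whether the
project's own sources import it.

Added example for this thread; it is not ONAP or CLI project code.  The
tree and the Java snippets are constructed: the cli-validation /
httpclient 4.3.5 / commons-codec 1.6 coordinates follow the thread, every
other line and version is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPES = {"compile", "runtime", "test", "provided", "system"}

# Constructed: shaped like `mvn dependency:tree` output (assumed versions)
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ cli-validation ---
[INFO] org.onap.cli:cli-validation:jar:1.1.0-SNAPSHOT
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.5:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.3.2:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \\- commons-codec:commons-codec:jar:1.6:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Constructed project sources (hypothetical file names): only the
# intermediate library, httpclient, is imported by the project's own code
SAMPLE_SOURCES: Dict[str, str] = {
    "OnapHttpClient.java": "import org.apache.http.client.HttpClient;\n"
                           "import org.apache.http.impl.client.HttpClients;\n",
    "Validator.java": "import java.util.List;\n",
}


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    parent: Optional["Node"]

    @property
    def coord(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_tree(text: str) -> List[Node]:
    """Turn the indented tree into Node objects.  Each nesting level is three
    characters ('+- ', '\\- ', '|  ' or '   '), so depth = len(prefix) // 3."""
    nodes: List[Node] = []
    stack: List[Node] = []  # stack[d] = most recent node seen at depth d
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = re.match(r"^(?P<prefix>(?:[|+\\ ]..)*)(?P<coord>\S+)$", line)
        if not m:
            continue  # plugin banner, separators, blank lines
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # not a groupId:artifactId:type:version[:scope] coordinate
        depth = len(m.group("prefix")) // 3
        scope = parts[-1] if parts[-1] in SCOPES else None
        version = parts[-2] if scope else parts[-1]
        node = Node(parts[0], parts[1], version, scope, stack[depth - 1] if depth else None)
        del stack[depth:]
        stack.append(node)
        nodes.append(node)
    return nodes


def find_occurrences(nodes: List[Node], group: str, artifact: str) -> List[dict]:
    """Every copy of group:artifact in the tree with the chain of dependencies
    (nearest first) that pulls it in.  An empty chain means a direct dependency."""
    hits = []
    for n in nodes:
        if n.group != group or n.artifact != artifact:
            continue
        chain, p = [], n.parent
        while p is not None and p.parent is not None:  # stop below the project root
            chain.append(p.coord)
            p = p.parent
        hits.append({"version": n.version, "scope": n.scope, "via": chain})
    return hits


def version_key(v: str):
    """Numeric components only, so '1.6' < '1.11' and '1.1.0-SNAPSHOT' parses."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def direct_imports(sources: Dict[str, str], package_prefix: str) -> List[str]:
    """Project files whose import statements reference the flagged package."""
    pat = re.compile(r"^\s*import\s+(?:static\s+)?" + re.escape(package_prefix) + r"[.;]", re.M)
    return sorted(name for name, body in sources.items() if pat.search(body))


def assess(tree_text: str, sources: Dict[str, str], group: str, artifact: str,
           package_prefix: str, target_version: str) -> dict:
    """One row of a known-vulnerability analysis.  A non-test copy older than
    the target version is a necessary condition for exposure, not proof that
    the vulnerable code path is reached; that part still needs a code review."""
    hits = find_occurrences(parse_tree(tree_text), group, artifact)
    runtime = [h for h in hits if h["scope"] != "test"]
    return {
        "found": bool(hits),
        "direct": any(not h["via"] for h in hits),
        "via": sorted({h["via"][0] for h in hits if h["via"]}),
        "versions": sorted({h["version"] for h in hits}),
        "runtime_copy_below_target": any(
            version_key(h["version"]) < version_key(target_version) for h in runtime),
        "imported_by": direct_imports(sources, package_prefix),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TREE, SAMPLE_SOURCES, "commons-codec", "commons-codec",
                 "org.apache.commons.codec", "1.11"))
```

On the constructed tree, commons-codec comes back as transitive via httpclient 4.3.5 with no direct import in the project's sources, which is the shape of the answer Kanagaraj gives above; hamcrest-core comes back as test-scoped only, so an old copy there never reaches the runtime classpath. The script cannot tell whether httpclient ever calls into the vulnerable commons-codec code on CLI's behalf, which is the part of the exposure question the reviewers keep asking for and which still requires reading the intermediate library's usage.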