Help with AAI-1970 #vulnerability #aai


Keong Lim
 

Based on the security scan of ESR, the JIRA case https://jira.onap.org/browse/AAI-1970 was raised to resolve it by removing zipkin-example.

We have attempted to find the zipkin-example jar file somewhere within ESR, but have failed to identify it.
It is not a JAR file directly mentioned by ESR.
It is not a JAR file within another JAR file mentioned by ESR.
It is not referenced by a pom or a pom within a JAR.
It is not in the m2repository after rebuilding ESR.

Does the security scan report pinpoint the actual file?
Is it possible that the "zipkin-example" has been misidentified due to some similarity with another JAR?
Is it really a jackson-databind problem?


Thanks,
Keong
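One way to check the cases listed in the post above, as an added example that is not part of the original message or ESR's code: a recursive search through nested archives for the artifact name, both in archive file names and in embedded Maven metadata (`pom.properties` / `pom.xml`). It assumes the scanner may have matched on metadata kept inside a repackaged JAR; the sample archive, its file names and the `com.example` groupId are constructed for illustration.

```python
import io
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAVEN_META = ("pom.properties", "pom.xml")

def find_artifact(data, needle, chain=()):
    """Recursively search archive bytes; return (chain, entry, evidence) hits."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip rather than abort the scan
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(ARCHIVE_EXTS):
                if needle in lower.rsplit("/", 1)[-1]:
                    hits.append((chain, name, "archive file name"))
                hits += find_artifact(zf.read(name), needle, chain + (name,))
            elif lower.endswith(MAVEN_META):
                # Repackaged jars can carry the original artifact's metadata
                text = zf.read(name).decode("utf-8", "replace").lower()
                if needle in lower or needle in text:
                    hits.append((chain, name, "embedded Maven metadata"))
    return hits

def make_zip(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample: artifact metadata hidden inside an unrelated jar."""
    inner = make_zip({
        "META-INF/maven/com.example/zipkin-example/pom.properties":
            b"groupId=com.example\nartifactId=zipkin-example\nversion=0.0.0\n",
        "com/example/Placeholder.class": b"\xca\xfe\xba\xbe",
    })
    return make_zip({"lib/unrelated-lib-1.0.jar": inner,
                     "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})

if __name__ == "__main__":
    for chain, entry, evidence in find_artifact(build_sample(), "zipkin-example"):
        print(" -> ".join(chain) or "(top level)", "|", entry, "|", evidence)
```

To run it against a real build output, pass the bytes of the top-level archive (for example `open(path, "rb").read()`) to `find_artifact`; the returned chain shows which enclosing archives lead to the match.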