To reduce the number of ONAP security vulnerabilities, ONAP uses the O-Parent project to provide centralized version management of common 3rd party Java libraries. This reduces the number of disparate versions of the same 3rd party package in use across ONAP, and reduces the attack surface correspondingly.

Managed 3rd Party Libraries

The current list of standard 3rd party library package versions can be seen here:

https://git.onap.org/oparent/tree/dependencies/pom.xml

...

How to Use

  1. Import Dependency Versions
  2. Remove Specific Library Versions from Project pom

Step 1: Import Dependency Versions

Option 1: Inherit from O-Parent

...

Code Block
<parent>
    <groupId>org.onap.oparent</groupId>
    <artifactId>oparent</artifactId>
    <version>1.2.0</version>
    <relativePath/>
</parent>


Option 2: Manually Import Dependency Versions

If your project has specific technical reasons that prevent it from inheriting from O-Parent (e.g. CCSDK), you can manually import the dependency versions. To do so:

...

Code Block
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.onap.oparent</groupId>
        <artifactId>dependencies</artifactId>
        <version>1.2.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>


Step 2: Remove Specific Library Versions from Project pom

Once the dependency library versions have been imported using Step 1 above, you should remove the specific library versions of the managed libraries from your own project pom files. This ensures that you always use the centrally managed and vetted dependency library versions.
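One way to check Step 2, as an added example that is not part of the O-Parent project: the script below lists direct dependencies in a project pom that still carry their own `<version>` even though the imported dependencies pom manages them. The function names and the `com.example` coordinates are constructed for illustration, and `${property}` versions are compared as literal text rather than resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a dependencies pom (not the real O-Parent list).
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId>
      <version>2.0.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-b</artifactId>
      <version>5.1.0</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed project pom: lib-a still pins a version, lib-b does not,
# lib-c pins a version but is not centrally managed.
SAMPLE_PROJECT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId>
      <version>1.0.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-b</artifactId></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-c</artifactId>
      <version>3.1</version></dependency>
  </dependencies>
</project>"""

def _parse(xml_text):
    # Real poms declare the Maven POM namespace; drop it so lookups are uniform.
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _coords(dep):
    return (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())

def managed_versions(bom_xml):
    """Map (groupId, artifactId) -> version from the pom's dependencyManagement."""
    deps = _parse(bom_xml).findall("dependencyManagement/dependencies/dependency")
    return {_coords(d): d.findtext("version", "").strip() for d in deps}

def local_overrides(project_xml, managed):
    """Direct dependencies that pin a <version> although it is centrally managed."""
    found = []
    for dep in _parse(project_xml).findall("dependencies/dependency"):
        pinned, key = dep.findtext("version"), _coords(dep)
        if pinned is not None and key in managed:
            found.append((*key, pinned.strip(), managed[key]))
    return found

if __name__ == "__main__":
    for g, a, pinned, central in local_overrides(SAMPLE_PROJECT, managed_versions(SAMPLE_BOM)):
        print(f"{g}:{a} pins {pinned}, centrally managed version is {central}")
```

Each reported entry is a `<version>` element to delete from the project pom so that the centrally managed version applies.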

