Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
  • Projects update direct dependencies in their applications to most recent version of packages
    • Projects identify the direct dependencies (packages) in each project component
      • NexusIQ provides a list of all packages used in a component
    • Projects open Jiras to update older package versions in direct dependencies and commit to upgrading by M4
      • NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
      • Include the new version number in the Jira ticket
    • No requirement to upgrade transitive dependent packages
  • SECCOM will  update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
  • All known CVEs for each component will be listed in readthedocs for the release with no analysis.


  • CLAMP team to investigate writing a script to automatically generate of project Jira tickets for all direct dependencies for all project.
    • case 1: direct dependency at latest version
      • PTL indicates this in Jira comment and closes ticket
    • case 2: direct dependency at older version
      • case 1: project indicates in Jira comment that the package will be upgraded
      • case 2: project indicates in Jira comment that package will not be upgraded and provides reason