In order to fulfill REQ-265 TSC Approval at M2 with Epic Link Software Composition Analysis, projects are to focus on upgrading the packages that are direct dependencies to the latest version at M2.
- Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
- Projects update direct dependencies in their applications to most recent version of packages
- Projects identify the direct dependencies (packages) in each project component
- NexusIQ provides a list of all packages used in a component
- Maven creates dependency tree that identifies direct dependencies as the "left-most packages"
- By M2 Projects open Jiras to update older package versions in direct dependencies and commit commits to upgrading by M4 or provides reason that the package cannot be upgraded
- NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
- Include the new version number in the Jira ticket
- No requirement to upgrade transitive dependent packages
- Projects identify the direct dependencies (packages) in each project component
- SECCOM will update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
- All known CVEs for each component will be listed in readthedocs for the release with no analysis.
...