In order to fulfill REQ-265 (TSC approval at M2; Epic Link: Software Composition Analysis) and to improve the security of the ONAP code base, projects are to focus on upgrading the packages that are direct dependencies instead of analyzing the actual vulnerabilities. This change has been implemented in the Frankfurt release. Previous releases required vulnerability analysis in addition to package upgrades. Beginning with the Frankfurt release, the remediation of known vulnerabilities in third-party packages will be tracked as follows.
- Projects update the direct dependencies in their applications to the most recent version of each package that is available at M2.
  - Projects identify the direct dependencies (packages) in each project component.
    - NexusIQ provides a list of all packages used in a component.
    - Maven creates a dependency tree that identifies direct dependencies as the "left-most packages".
- By M2 SECCOM will update oparent.pom to include the most recent version of included packages that are available at M2.
- By M2 each project must open Jira tickets to update older package versions in direct dependencies and commit to upgrading by M4 or provide
  - There must be a separate Jira ticket for each package to be upgraded.
  - Required information in the Jira ticket:
    - Old and new version numbers
    - Label "ComponentUpgrade"
    - Fix Version set to the release under development
- Exceptions: The project must request a TSC exception for each direct dependency that cannot be upgraded by M4.
  - The Jira ticket for the upgrade must contain:
    - The reason that the package cannot be upgraded
    - The new version number (NexusIQ provides the package history; SECCOM's recommendation is to use the latest GA release of the package available at M2)
    - Fix Version set to the next release to be developed
  - There is no requirement to upgrade transitive dependent packages.
- Tools to help choose the upgrade version:
  - NexusIQ
  - Maven Repository (https://mvnrepository.com)
- At M4 all projects will list all CVEs (CVE number only) associated with third-party packages in their readthedocs documentation, in the Third Party Vulnerabilities section.
  - Vulnerabilities are listed in the NexusIQ reports for each scanned project repository.
  - All known CVEs for each component will be listed in readthedocs for the release, with no analysis.
- Note:
  - There is no requirement to provide effective/ineffective analysis until there are tools to support the analysis.
  - There is no requirement to create vulnerability review tables.
  - There is no requirement to upgrade transitive dependent packages.
The CLAMP team will investigate writing a script to automatically generate project-level Jira tickets for all direct dependencies.
- The generated tickets include the label "ComponentUpgrade".
- Where a package is already at the latest version, the PTL creates a Jira comment stating that the package is at the latest version, including the version number, and closes the ticket.
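As an added example (not ONAP, CLAMP or SECCOM code), the following Python script shows the two mechanical steps the process above relies on: picking the direct dependencies out of `mvn dependency:tree` output, where they are the left-most entries, and drafting one "ComponentUpgrade" Jira record per direct dependency with the required fields (old and new version, label, Fix Version), closing the record with the PTL comment when the package is already at the recommended version. The sample tree output, the latest-version table standing in for the NexusIQ / mvnrepository.com lookup, and the ticket field names are all constructed for this example; the script builds ticket records but does not call the Jira API.

```python
"""Added example: identify Maven direct dependencies and draft one
ComponentUpgrade Jira record per package, following the SECCOM process.
Sample tree output and the "latest version" table are constructed here;
nothing below is ONAP or CLAMP project code."""
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output. Direct dependencies
# are the "left-most" entries (prefix "+- " or "\- " right after "[INFO] ");
# deeper indentation ("|  " or "   ") marks transitive dependencies.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-component ---
[INFO] org.example:example-component:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework:spring-core:jar:5.1.0.RELEASE:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.1.0.RELEASE:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Constructed stand-in for the "latest GA release available at M2" lookup
# that the process expects a project to do in NexusIQ or mvnrepository.com.
LATEST_AT_M2 = {
    "org.springframework:spring-core": "5.2.3.RELEASE",
    "com.fasterxml.jackson.core:jackson-databind": "2.10.2",
    "junit:junit": "4.12",
}


def direct_dependencies(tree_text: str) -> List[Dict[str, str]]:
    """Return the depth-1 (direct) dependencies from dependency:tree output."""
    found = []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        # Only the left-most tree level is a direct dependency; the root
        # artifact line and indented transitive lines are skipped.
        if not (body.startswith("+- ") or body.startswith("\\- ")):
            continue
        coords = body[3:].split(":")
        # groupId:artifactId:type[:classifier]:version:scope -> version is second last
        if len(coords) < 5:
            continue
        found.append({
            "package": f"{coords[0]}:{coords[1]}",
            "version": coords[-2],
            "scope": coords[-1],
        })
    return found


def draft_upgrade_tickets(direct: List[Dict[str, str]],
                          latest: Dict[str, str],
                          fix_version: str) -> List[Dict[str, object]]:
    """One Jira record per direct dependency, carrying the fields the process
    requires: old/new version, label ComponentUpgrade, Fix Version set to the
    release in development. A package already at the recommended version gets
    the closing PTL comment instead of an upgrade action."""
    tickets = []
    for dep in direct:
        package, old = dep["package"], dep["version"]
        new = latest.get(package, old)   # unknown package: treat as current
        ticket = {
            "summary": f"Upgrade {package} from {old} to {new}",
            "labels": ["ComponentUpgrade"],
            "old_version": old,
            "new_version": new,
            "fix_version": fix_version,
            "status": "Open",
            "comment": "",
        }
        if old == new:
            ticket["summary"] = f"{package} already at latest version {old}"
            ticket["status"] = "Closed"
            ticket["comment"] = f"Package is at the latest version ({old}); closing."
        tickets.append(ticket)
    return tickets


if __name__ == "__main__":
    for t in draft_upgrade_tickets(direct_dependencies(SAMPLE_TREE), LATEST_AT_M2, "Frankfurt"):
        print(f"[{t['status']}] {t['summary']}  labels={t['labels']} fixVersion={t['fix_version']}")
```

In a real run the tree text would come from `mvn dependency:tree` on the component's pom, and the version table from the NexusIQ package history; the version check here is a plain string comparison against that table, which is all the process asks for (upgrade to the recommended version, or open an exception).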