| Name | Dan Timoney |
| Milestone or Requirements Exception? | Requirement |
Project or Requirement Name and JIRA | | Jira Legacy |
|---|
| server | System Jira |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 4733707d-2057-3a0f-ae5e-4fd8aff50176 |
|---|
| key | REQ-323 |
|---|
|
: Each project will update the vulnerable direct dependencies in their code base |
| Milestones affected | N/A |
| Projects affected | N/A
|
| Background description | Components deployed within OpenDaylight's karaf container must use the version of third party libraries that come preinstalled in order to avoid version conflicts. We have updated all the direct dependencies that we can without creating version conflicts and noted those that cannot be addressed in the appropriate secure wiki page for third party vulnerabilites for CCSDK and SDNC. |
| Schedule impact | N/A
|
| Recovery plan | Many of these vulnerabilities should be resolved in Honolulu, when we upgrade to the next Opendaylight release. Also, we are making changes in CCSDK and SDNC to create new pods that run outside OpenDaylight to eliminate the need to be bound by OpenDaylight versions.
|
| Milestone schedule change | N.A
|
| Risk | As long as we need to support deploying our code within OpenDaylight, we are going to be constrained by its third party versions. Once we get to the point where we no longer run within the ODL karaf container, that risk will no longer exist. |
| Status | |
| Decision | |