NOTE: This page is a copy of the /wiki/spaces/SV/pages/16093480 report created by SECCOM (CVE info excluded); any update should be made on the parent page.
The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
  - Open: required upgrade identified
  - In Progress (blue): project working on the upgrade
  - Complete (green): package has been upgraded to the recommended version
  - Waiver (yellow): project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete, change the status in the table to Complete.
If a waiver is granted, change the status to Waiver.
When the status of all direct dependency replacements is
dcaegen2-analytics-tca-gen2
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available |
| 2 | undertow-core : 2.2.7.Final | 5 5 | 2.2.14 | 2.2.14.Final |
dcaegen2-collectors-datafile
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | spring-web : 5.3.6 | 9 7 4 | 5.3.13 | 5.3.13 or 5.3.14 |
| 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available |
onap-dcaegen2-collectors-restconf
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10 |
| 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | 2.8.9 |
| 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available |
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6 |
dcaegen2-collectors-hv-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | 2.8.9 |
dcaegen2-collectors-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | 2.8.9 |
| 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final | 4.1.73.Final |
| 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
| 2 | undertowAlready on latest; no non-vulnerable version available | ||||||||
org.apache.logging.log4j: log4j-core:2. | 216. | 7.Final5 5 | 0 | 2. | 217. | 141 |
dcaegen2-platform-
...
mod-
...
genprocessor
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment | |||
Status | title | OPEN(Target for J) | ||||||
---|---|---|---|---|---|---|---|---|
1 | spring-web : 5.3.6 | 9 7 4 | 5.3.13com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6 | ||
| 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
...
nifi-utils : 1.9.2 | 5 | 1.15.0 | 1.15.2 |
dcaegen2-platform-mod2-auth
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
| 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10name and version | Threat level | Recommended version | Project’s assessment (Target for J) | ||||
| 1 | com.google.code.gson : gson : 2.8. | 56 | 7 | 2.8.9 | POC components; not part of ONAP deployment | |||||||||||
| 21 | iocom.squareup.springfox okhttp3 : springfox-swagger2 : 3.0.0 | 5 | ??? |
...
okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment |
dcaegen2-platform-mod2-catalog
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) | |||
| 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 |
dcaegen2-collectors-ves
POC components; not part of ONAP deployment | ||||||
| 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment |
| 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9 6 6 | 3.0.0 | POC components; not part of ONAP deployment |
| 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 |
...
POC components; not part of ONAP deployment |
dcaegen2-platform-mod-runtimeapi
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment (Target for J) |
dcaegen2-services-kpi-computation-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10 |
| 2 | nifi-utils : 1.9.2 | 5 | 1.15.0 |
dcaegen2-platform-mod2-auth
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment | |||
Status | title | OPEN1 | org.springframework : spring-web : 5.3.7 | 9 4 | 5.3.13 | 5.3.14 | ||
---|---|---|---|---|---|---|---|---|
1 | com.googlefasterxml.codejackson.gson core : gson : jackson-databind : 2.11.0 | 10 | 2.812.67 | 2.812.96 | ||||
| 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 |
...
2 | io.undertow : undertow-core : 2.2.8.Final | 5 5 | 2.2.14.Final | 2.2.14.Final | |||
org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 |
dcaegen2-services-bbs-event-processor
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
dcaegen2-services-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
| 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.2 | 10 | 2.12.6 | 2.12.6 |
org.apache.logging.log4j: log4j-core:2.16.0 | 2.17.1 | |||||
| 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | 2.8.9 |
| 1 |
io.springfox : springfox-swagger-ui : 2.9.2
9
6
6
xstream : 1.4.16 | 8 | 1.4.18 | 1.4.18 | ||
| 2 | xercesImpl : 2.12.1 | 5 |
??? | Already on latest; no non-vulnerable version available |
dcaegen2-services-pm-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) | |||||||||||||
| 1 | chcom.google.qoscode.logback gson : logback-core gson : 12.38.0-alpha05 8 | 7 | 1.2.10 |
| 1 | org.springframework : spring-web : 5.3.7 | 9 4 | 5.3.138.9 | 2.8.9 | ||||||||
| 2 | io.undertow : undertow-core : 2.2. | 89.Final | 5 | 54 4 | 2.2.14.Final | 2.2.14.Final |
dcaegen2-services-
...
prh
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
dcaegen2-services-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J) |
---|---|---|---|---|---|
| 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0M7 | Either 10.1.0-M8 or 9.0.56 |
| 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
| 1 | xstream : 1.4.16 | 8 | 1.4.18org.springframework : spring-web : 5.3.8 | 9 4 | 5.3.13 RELEASE | 5.3.14 |
dcaegen2-services-sdk
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
---|---|---|---|---|---|
| 2 | xercesImpl : 2.12.1 | 5 | ??? |
dcaegen2-services-pm-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10 | ||||||||
| 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
| 2 | undertow-core : 2.2.9.Final | 5 4 4 | 2.2.14.Final2.8.9 | ||||||||
org.springframework : spring-webflux : 5.3.1 | 6 | 5.3.14 |
dcaegen2-services-son-
...
handler
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment | |||||||||||
1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6 | ||||||||||||
| 1 | orgch. | apache.tomcatqos. | embed logback : | tomcatlogback- | embed-websocket : 9core : 1.3.0 | .48-alpha0 | 78 | 1.2.10 | 1. | 12. | 0M710 | ||||
| 1 | org.springframework : spring-web : 5.3. | 87.RELEASE | 9 4 | 5.3.13 RELEASE |
dcaegen2-services-sdk
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment5.3.14 | |||||||||
org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 | ||||||||||||
| 1ch | org.apache. qostomcat. logbackembed : logbacktomcat-embed-core : 9.0.46 | 6 | 10.1.3.0-alpha0 | 8 | 1.2.10 | ||||||||
Status | title | OPEN.0-M7 | 9.0.50 or 10.1.0-M8 |
---|
dcaegen2-services-slice-analysis-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
1 | com.googlefasterxml.codejackson.gson core : gson : 2.8.5 | 7 | 2.8.9 |
dcaegen2-services-son-handler
jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6 | ||||||
| 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10 | ||||
| 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE | 5.3.14 | ||||
org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 | |||||||
| 12 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | 9.0.50 or 10.1.0-M8 |
dcaegen2-
...
platform-
...
mod2-
...
helmgenerator
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
| 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE |
| 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 |
(Target for J) | |||||
com.fasterxml.jackson.core : jackson-databind : 2.10.3 | 10 | 2.12.6 | |||
com.squareup.okhttp3 : okhttp : 4.0.1 | 5 | 4.9.3 | |||
commons-io : commons-io : 2.4 | 2.11.0 |