NOTE: This page is copy of /wiki/spaces/SV/pages/16093480 report created by SECCOM (excluded CVE info); any update should be done on parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- Status
  title Open
  - required upgrade identified
- Status
  colour Blue
  title In Progress
  - project working on the upgrade
- Status
  colour Green
  title Complete
  - package has been upgraded to the recommended version
- Status
  colour Yellow
  title Waiver
  - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status

colour	Green
title	Complete

.

If a waiver is granted, change the status to

Status

colour	Yellow
title	Waiver

.

When the status of all direct dependency replacements is

Status

colour	Green
title	Complete

or

Status

colour	Yellow
title	Waiver

, the Jira ticket should be closed.

dcaegen2-analytics-tca-gen2

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

2

...

io.springfox : springfox-swagger2 : 3.0.0

...

???

...

Status

title	OPEN

...

2

...

undertow-core : 2.2.7.Final

...

5

...

2.2.14

...

dcaegen2-collectors-datafile

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

1

...

9

7

4

...

Status

title	OPEN

...

io.springfox : springfox-swagger2 : 3.0.0

...

onap-dcaegen2-collectors-restconf

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

ch.qos.logback : logback-core : 1.3.0-alpha0

...

Status

title	OPEN

...

com.google.code.gson : gson : 2.8.5

...

Status

title	OPEN

...

io.springfox : springfox-swagger2 : 3.0.0

...

NOTE: This page is copy of /wiki/spaces/SV/pages/16094094 report created by SECCOM under DCAEGEN2-3318 (excluded CVE info); any update should be done on parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- Status
  title Open
  - required upgrade identified
- Status
  colour Blue
  title In Progress
  - project working on the upgrade
- Status
  colour Green
  title Complete
  - package has been upgraded to the recommended version
- Status
  colour Yellow
  title Waiver
  - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status

colour	Green
title	Complete

.

If a waiver is granted, change the status to

Status

colour	Yellow
title	Waiver

.

When the status of all direct dependency replacements is

Status

colour	Green
title	Complete

or

Status

colour	Yellow
title	Waiver

, the Jira ticket should be closed.

dcaegen2-analytics-tca-gen2

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
OPEN	1	io.undertow : undertow-core : 2.2

.11

.17.Final

2.3.0

102.12.62.12.6

dcaegen2-collectors-hv-ves

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.6

72.8.92.8.9

.Final
OPEN	2	io.springfox : springfox-swagger-ui : 2.10.5	3.0.0
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version

dcaegen2-collectors-

...

datafile

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s assessment (Target for J)

Statustitle

Project’s assessment
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
OPEN	1

com

org.

google

apache.

code

tomcat.

gson : gson : 2.8.672.8.92.8.9

Status

title	OPEN

2io.netty : netty-codec-http : 4.1.59.Final54.1.70.Final4.1.73.Final

Status

title	OPEN

embed : tomcat-embed-core : 9.0.65

10.1.2

This is transient dependency from spring-boot; upgraded

to tomcat 9.0.65 which is default in the spring-boot 2.7.2

OPEN

1

org.springframework : spring-web : 5.3.22

6.0.2

COMPLETE

2

io.springfox : springfox-

swagger2

swagger-ui : 3.0.0

5???Already on latest; no non-vulnerable version availableorg.apache.logging.log4j: log4j-core:2.16.02.17.1

...

3.0.0		SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-collectors-hv-ves

Status	Priority	Component name and version	CVE	Threat level	Recommended version	Project’s assessment
						No vulnerable components

onap-dcaegen2-collectors-restconf

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s

assessment (Target for J)1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status

title	OPEN

2

nifi-utils : 1.9.2

5retain current version due to dependency with upstream nifi version on designer module

...

assessment
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
OPEN	1	org.codehaus.jettison : jettison : 1.3.7	1.5.2
OPEN	2	io.springfox : springfox-swagger-ui : 2.10.5	3.0.0
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version

dcaegen2-collectors-ves

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.6

72.8.9POC components; not part of ONAP deployment

Status

title	OPEN

1com.squareup.okhttp3 : okhttp : 4.0.174.9.3POC components; not part of ONAP deployment

...

Recommended version	Threat level	Project’s assessment
COMPLETE	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version

dcaegen2-platform-mod-genprocessor

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s assessment

(Target for J)title

Status

OPEN

1

com.

google

fasterxml.

code

jackson.

gson

core :

gson

jackson-databind : 2.

8

11.

67

0

2.

8.9POC components; not part of ONAP deployment

Status

title	OPEN

1com.squareup.okhttp3 : okhttp : 4.0.174.9.3

POC components; not part of ONAP deployment

Status

title	OPEN

1

14.1
OPEN	1	org.apache.commons : commons-text : 1.7	1.10.0
OPEN	2	org.apache.nifi : nifi-utils : 1.9.2	1.19.0

dcaegen2-platform-mod-runtimeapi

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
OPEN	1	org.yaml : snakeyaml : 1.26	1.33
	2	io.springfox : springfox-swagger-ui :

2.9.2

9

6

3.0.0POC components; not part of ONAP deployment

Status

title	OPEN

2io.springfox : springfox-swagger2 : 2.9.253.0.0POC components; not part of ONAP deployment

...

3.0.0

dcaegen2-platform-mod2-helm-generator

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.10.3	2.14.1

dcaegen2-platform-ves-openapi-manager

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Recommended version

Project’s

assessment (Target for J)

...

assessment
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1

dcaegen2-services-kpi-computation-ms

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Statustitle

Project’s

assessment (Target for J)

assessment
OPEN	1	ch.qos.logback : logback-core :

1.3.0-alpha081.2.10

1

.2.10

Status

title	OPEN

1org.springframework : spring-web : 5

.3.

7

9

4

5.3.135.3.14

0-alpha0	1.4.5
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.

11

13.

0

3

10

2.

12.62.12.6

Status

title	OPEN

2

14.1
OPEN	1	io.undertow : undertow-core : 2.2.

8

17.Final

5

2.

2.14.Final2.2.14.Final

3.0.Final
OPEN	1	org.springframework : spring-

webmvc

web : 5.3.

7

20

6

5

.

3

0.

14

dcaegen2-services-bbs-event-processor

Status

Priority

Component name and version

CVE

Threat level

Recommended version

Project’s assessment

2
OPEN	2	org.eclipse.jetty : jetty-server : 9.4.41.v20210516	11.0.12

dcaegen2-services-mapper

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s

assessment (Target for J)

assessment
OPEN	1	com

.fasterxml.jackson.core : jackson-databind : 2.11.2102.12.62.12.6org.apache.logging.log4j: log4j-core:2.16.02.17.1 Statustitle

.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
OPEN	1	com.

google

thoughtworks.

code.gson

xstream :

gson : 2.8.572.8.92.8.9

Status

title	OPEN

1xstream : 1.4.16

8

1.4.181.4.18

Status

title	OPEN

2

xstream : 1.4.19	1.4.19
OPEN	1	org.postgresql : postgresql : 42.3.6	42.5.1
OPEN	2	io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE	1.1.0
OPEN	2	xerces : xercesImpl : 2.12.

15???Already on latest; no non-vulnerable version available

2

2.12.2

dcaegen2-services-pm-mapper

undertow

Status

Priority

Component name

and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status

title	OPEN

2

and version	Recommended version	Threat level	Project’s assessment
OPEN	1	io.undertow : undertow-core : 2.2.

9.Final

5

4

2.2.14

17.Final

2.

2

3.

14

0.Final

2.2.16.Final

dcaegen2-services-prh

Recommended version

Status

Priority

Component name and version

Recommended version

Threat

level

Project’s assessment

(Target for J)title

Status

OPEN

1

org.apache.

tomcat.embed

commons :

tomcat

commons-

embed-websocket

text :

9.0.48

7

10.1.0M7

Either 10.1.0-M8 or 9.0.56 Statustitle

1.6	1.10.0
OPEN	1	org

.springframework : spring-web : 5.3.8

9

4

5.3.13 RELEASE

5.3.14

dcaegen2-services-sdk

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment

...

Status

title	OPEN

...

1

...

ch.qos.logback : logback-core : 1.3.0-alpha0

...

Status

title	OPEN

...

1

...

com.google.code.gson : gson : 2.8.5

...

.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2
OPEN	1	org.springframework : spring-web : 5.3.22	6.0.2

dcaegen2-services-sdk

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
OPEN	1	com.google.protobuf : protobuf-java : 3.21.1	4.0.0-rc-2

dcaegen2-services-slice-analysis-ms

Status

Priority

Component name

and

and version

Recommended version

Threat level

Recommended version

	Project’s assessment
OPEN	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.

11

13.

0

3

10

2.

12.62.12.6 Statustitle

14.1
OPEN	1

ch

org.apache.

qos

tomcat.

logback

embed :

logback

tomcat-embed-core :

1

9.

3

0.

0-alpha081.2.10

65

10.1.2

.10 Statustitle


OPEN	1	org.

springframework

postgresql :

spring-web

postgresql :

5

42.3.

7.RELEASE

9

4

5.3.13 RELEASE

5.3.14

6	42.5.1
OPEN	1	org.springframework : spring-

webmvc

web : 5.3.

7

20

6

5

.

3

0.

14

2

Statustitle


OPEN

1

2

org.

apache

eclipse.

tomcat.embed

jetty :

tomcat

jetty-

embed-core

server : 9.

0.46

6

10.1.0-M7

9.0.50 or 10.1.0-M8

4.41.v20210516

11.0.12

dcaegen2-services-

...

son-

...

handler

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s assessment
OPEN	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
OPEN	1	com.fasterxml.jackson.core : jackson-databind : 2.

11.0102.12.6

13.3

2.

12

14.

6status

1

title


OPEN	1

ch

org.apache.

qos

tomcat.

logback

embed :

logback

tomcat-embed-core :

1

9.

3

0.

0-alpha081.2.10

65

10.1.2

.10status

title


OPEN	1	org.

springframework : spring-web : 5.3.7.RELEASE

9

4

5

postgresql : postgresql : 42.3.

13 RELEASE

6

42.5.

3.14

1
OPEN	1	org.springframework : spring-

webmvc

web : 5.3.

7

20

6

5

.

3.14 Statustitle

0.2
OPEN	2

org

io.

apache

projectreactor.

tomcat.embed

netty :

tomcat

reactor-

embed-core

netty :

9.

0

.46

6

10.1

.

0-M7

9.

0.50 or 10

12.RELEASE

1.1.0

-M8

dcaegen2-platform-mod2-helmgenerator

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

com.fasterxml.jackson.core : jackson-databind : 2.10.3

...

com.squareup.okhttp3 : okhttp : 4.0.1

...

dcaegen2-platform-ves-openapi-manager

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

com.fasterxml.jackson.core : jackson-databind : 2.9.4

102.12.6


OPEN	2	org.eclipse.jetty : jetty-server : 9.4.40.v20210413	11.0.12

The following had no violations (or no direct violations):

dcaegen2-deployments
dcaegen2-platform-adapter-acumos
dcaegen2-platform-mod-designtool
dcaegen2-platform-mod-distributorapi
dcaegen2-platform-mod-onboardingapi
dcaegen2-platform-mod2-catalog-service
dcaegen2-platform-mod2-auth-service
dcaegen2-platform-mod2-ui
dcaegen2-services-heartbeat
dcaegen2-utils
dcaegen2

Versions Compared

Old Version 2

New Version 3

Key

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-datafile

onap-dcaegen2-collectors-restconf

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-hv-ves

dcaegen2-collectors-

datafile

dcaegen2-collectors-hv-ves

onap-dcaegen2-collectors-restconf

dcaegen2-collectors-ves

dcaegen2-platform-mod-genprocessor

dcaegen2-platform-mod-runtimeapi

dcaegen2-platform-mod2-helm-generator

dcaegen2-platform-ves-openapi-manager

dcaegen2-services-kpi-computation-ms

dcaegen2-services-bbs-event-processor

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-prh

dcaegen2-services-sdk

dcaegen2-services-sdk

dcaegen2-services-slice-analysis-ms

dcaegen2-services-

son-

handler

dcaegen2-platform-mod2-helmgenerator

dcaegen2-platform-ves-openapi-manager

The following had no violations (or no direct violations):

Page Comparison

Versions Compared

Old Version 2

New Version 3

Key

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-datafile

onap-dcaegen2-collectors-restconf

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-hv-ves

dcaegen2-collectors-

datafile

dcaegen2-collectors-hv-ves

onap-dcaegen2-collectors-restconf

dcaegen2-collectors-ves

dcaegen2-platform-mod-genprocessor

dcaegen2-platform-mod-runtimeapi

dcaegen2-platform-mod2-helm-generator

dcaegen2-platform-ves-openapi-manager

dcaegen2-services-kpi-computation-ms

dcaegen2-services-bbs-event-processor

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-prh

dcaegen2-services-sdk

dcaegen2-services-sdk

dcaegen2-services-slice-analysis-ms

dcaegen2-services-

son-

handler

dcaegen2-platform-mod2-helmgenerator

dcaegen2-platform-ves-openapi-manager

The following had no violations (or no direct violations):