...

NOTE: This page is copy of /wiki/spaces/SV/pages/16094118 report

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- Status
  title Open
  - required upgrade identified
- Status
  colour Blue
  title In Progress
  - project working on the upgrade
- Status
  colour Green
  title Complete
  - package has been upgraded to the recommended version
- Status
  colour Yellow
  title Waiver
  - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status

colour	Green
title	Complete

.

If a waiver is granted, change the status to

Status

colour	Yellow
title	Waiver

.

When the status of all direct dependency replacements is

Status

colour	Green
title	Complete

or

Status

colour	Yellow
title	Waiver

, the Jira ticket should be closed.

so-adapters-so-etsi-sol003-adapter

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Green
title	Complete

1

com.fasterxml.jackson.core : jackson-databind : 2.11.3

2.14.1

This is indirect dependency coming from the o-parent.

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

Status

colour	Blue
title	In Progress

1

org.yaml : snakeyaml : 1.26

1.33

This needs further analysis and is being checked in detail. We have a resource crunch at the moment.

...

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Green
title	Complete

1

com.fasterxml.jackson.core : jackson-databind : 2.11.3

2.14.1

This is indirect dependency coming from the o-parent.

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

Status

colour	Green
title	Complete

1

com.fasterxml.jackson.core : jackson-databind : 2.9.8

2.14.1

Same as above

Status

colour	Blue
title	In Progress

1

com.google.protobuf : protobuf-java : 3.10.0

4.0.0-rc-2

This needs further analysis and is being checked in detail. We have a resource crunch at the moment.

Status

colour	Blue
title	In Progress

1

com.h2database : h2 : 1.4.200

0.16.4

We dont use this code in the production and is only built for testing code.

Status

colour	Blue
title	In Progress

1

org.apache.tomcat : tomcat-catalina : 9.0.45

9.0.37.1

This needs further analysis and We are facing resource issue at the moment, request a waiver.

Status

colour	Green
title	Complete

1

org.json : json : 20140107

20220924

The change would bring in a major testing to be performed across the projects and we have a resource crunch.

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

Status

colour	Green
title	Complete

1

org.json : json : 20160212

20220924

The change would bring in a major testing to be performed across the projects and we have a resource crunch.

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

Status

colour	Blue
title	In Progress

1

org.springframework : spring-web : 5.2.14.RELEASE

6.0.2

The change would bring in a major testing to be performed across the projects and we have a resource crunch

Status

colour	Blue
title	In Progress

1

org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE

3.3.9.RELEASE

This needs further analysis and We are facing resource issue at the moment, request a waiver.

Status

colour	Blue
title	In Progress

1

org.springframework.security : spring-security-web : 5.4.6

3.0.11-oss

This needs further analysis and We are facing resource issue at the moment, request a waiver.

Status

colour	Blue
title	In Progress

1

org.yaml : snakeyaml : 1.26

1.33

This needs further analysis and We are facing resource issue at the moment, request a waiver.

Status

colour	Blue
title	In Progress

2

org.glassfish.jersey.core : jersey-common : 2.22.1

Indirect dependency,

Status

colour	Blue
title	In Progress

2

org.glassfish.jersey.core : jersey-common : 2.30.1

Indirect dependency.

Status

colour	Blue
title	In Progress

2

org.springframework : spring-webmvc : 5.2.12.RELEASE

6.0.2

This needs further analysis and We are facing resource issue at the moment, request a waiver.

...

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Green
title	Complete

1

com.fasterxml.jackson.core : jackson-databind : 2.11.1

2.14.1

This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

so-so-etsi-nfvo

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Green
title	Complete

1

com.fasterxml.jackson.core : jackson-databind : 2.11.1

2.14.1

This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch.

25 Jul 2023
The version 2.14.2 is updated and available in Master branch

Status

colour	Blue
title	In Progress

1

org.yaml : snakeyaml : 1.26

1.33

This needs further analysis and is being checked in detail. We have a resource crunch at the moment.

...

Version	Old Version 6	New Version 7
Changes made by	Sanchita Pathak	Sanchita Pathak
Saved on	Jul 26, 2023	Jul 26, 2023

Versions Compared

Key

so-adapters-so-etsi-sol003-adapter

so-so-etsi-nfvo

Content Comparison

Versions Compared

Key

so-adapters-so-etsi-sol003-adapter

so-so-etsi-nfvo