Versions Compared


The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.
  • Priority 2 recommendations contain at least one Severe vulnerability and no Critical vulnerabilities.
  • There are four status values:
    • Open - required upgrade identified
    • In Progress - project working on the upgrade
    • Complete - package has been upgraded to the recommended version
    • Waiver - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete, change the status in the table to Complete.

If a waiver is granted, change the status to Waiver.

When the status of every direct dependency replacement is Complete or Waiver, the Jira ticket should be closed.

NOTE: This page is a copy of the /wiki/spaces/SV/pages/16093480 report created by SECCOM (CVE information excluded); any update should be made on the parent page.


dcaegen2-analytics-tca-gen2

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
Open | 2 | undertow-core : 2.2.7.Final | 5 | 2.2.14 / 2.2.14.Final |

dcaegen2-collectors-datafile

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | spring-web : 5.3.6 | 9 / 7 / 4 | 5.3.13 / 5.3.13 or 5.3.14 |
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available

onap-dcaegen2-collectors-restconf

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 |
Open | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 |

dcaegen2-collectors-hv-ves

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 |

dcaegen2-collectors-ves

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 |
Open | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final / 4.1.73.Final |
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
 | | org.apache.logging.log4j : log4j-core : 2.16.0 | | 2.17.1 |

dcaegen2-platform-mod-genprocessor

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 |
Open | 2 | undertow-core : 2.2.7.Final / nifi-utils : 1.9.2 | 5 | 2.2.14 | retain current version due to dependency with upstream nifi version on designer module

dcaegen2-platform-mod2-auth

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | spring-web : 5.3.6 | 9 / 4 | 5.3.13 | POC components; not part of ONAP deployment
Open | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | POC components; not part of ONAP deployment
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | POC components; not part of ONAP deployment
Open | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment

dcaegen2-platform-mod2-catalog

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | POC components; not part of ONAP deployment
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | POC components; not part of ONAP deployment
Open | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment
Open | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | POC components; not part of ONAP deployment
Open | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9 / 6 / 6 | 3.0.0 | POC components; not part of ONAP deployment
Open | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 / ??? | POC components; not part of ONAP deployment

dcaegen2-platform-mod-runtimeapi

Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | com.google.code.gson : gson : 2.8.6 | | 7 | 2.8.9 |

dcaegen2-services-kpi-computation-ms

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 |
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 |
Open | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final |
Open | 1 | org.springframework : spring-web : 5.3.7 | 9 / 4 | |
Open | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |

dcaegen2-platform-mod-genprocessor

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
 | | | | 5.3.13 / 5.3.14 |
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 |
Open | 2 | nifi-utils : 1.9.2 | 5 | 1.15.0 |
 | | io.undertow : undertow-core : 2.2.8.Final | 5 | 2.2.14.Final |
 | | org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 |

dcaegen2-services-bbs-event-processor

Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment
Open | 1 | com.google.code.gson : gson : 2.8.6 | | 7 | 2.8.9 |

dcaegen2-services-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 / com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 |

dcaegen2-platform-mod2-catalog

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
 | 2 | | 10 | 2.12.6 |
 | | org.apache.logging.log4j : log4j-core : 2.16.0 | | 2.17.1 |
Open | 1 | com.google.code.gson : gson : 2.8.6 / 2.8.5 | 7 | 2.8.9 |
Open | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 |
Open | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9 / 6 / 6 | 3.0.0 |
 | | xstream : 1.4.16 | 8 | 1.4.18 |
Open | 2 | io.springfox : springfox-swagger2 : 2.9.2 / xercesImpl : 2.12.1 | 5 | 3.0.0 |

dcaegen2-platform-mod-runtimeapi

Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment
 | | | | | ??? | Already on latest; no non-vulnerable version available

dcaegen2-services-pm-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 |
Open | 1 | org.springframework : spring-web : 5.3.7 | 9 / 4 | 5.3.13 |
 | | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
Open | 2 | io.undertow : undertow-core : 2.2.8.Final / 2.2.9.Final | 5 / 4 | 2.2.14.Final / 2.2.16.Final |

dcaegen2-services-prh

Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment

dcaegen2-services-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0M7 | Either 10.1.0-M8 or 9.0.56
Open | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
Open | 1 | xstream : 1.4.16 | 8 | 1.4.18 |
 | | org.springframework : spring-web : 5.3.8 | 9 / 4 | 5.3.13 RELEASE / 5.3.14 |

dcaegen2-services-sdk

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
Open | 2 | xercesImpl : 2.12.1 | 5 | ??? |

dcaegen2-services-pm-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
 | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 |
Open | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
Open | 2 | undertow-core : 2.2.9.Final | 5 / 4 | 2.2.14.Final |
 | | org.springframework : spring-webflux : 5.3.16 | | 5.3.14 |

dcaegen2-services-son-handler

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 |
Open | 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0M7 |
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 |
Open | 1 | org.springframework : spring-web : 5.3.8.RELEASE | 9 / 4 | 5.3.13 RELEASE |

dcaegen2-services-sdk

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 |
 | | ... : 5.3.7.RELEASE | 9 / 4 | 5.3.13 RELEASE / 5.3.14 |
 | | org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 |
Open | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
Open | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | 9.0.50 or 10.1.0-M8

dcaegen2-services-slice-analysis-ms

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
 | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 |
Open | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 / 1.3.0-alpha10 |
Open | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 / 4 | 5.3.13 RELEASE / 5.3.14 |
 | | org.springframework : spring-web / spring-webmvc : 5.3.7.RELEASE | 9 / 4 / 6 | 5.3.13 RELEASE / 5.3.14 |
Open | 1 / 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | 9.0.50 or 10.1.0-M8


dcaegen2-platform-mod2-helmgenerator

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
Open | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 / 4 | 5.3.13 RELEASE |
Open | 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 |
 | | com.fasterxml.jackson.core : jackson-databind : 2.10.3 | 10 | 2.12.6 |
 | | com.squareup.okhttp3 : okhttp : 4.0.1 | 5 | 4.9.3 |
 | | commons-io : commons-io : 2.4 | | 2.11.0 |


dcaegen2-platform-ves-openapi-manager

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
 | | com.fasterxml.jackson.core : jackson-databind : 2.9.4 | 10 | 2.12.6 |