Versions Compared

Version Old Version 1 New Version Current
Changes made by

Sanchita Pathak

Rupali Shirode

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Please note: Report is as per London releaseNOTE: This page is copy of /wiki/spaces/SV/pages/16094118 report

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.
  • Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
  • There are four status values:
    • Status
      titleOpen
      - required upgrade identified
    • Status
      colourBlue
      titleIn Progress
       - project working on the upgrade
    • Status
      colourGreen
      titleComplete
      - package has been upgraded to the recommended version
    • Status
      colourYellow
      titleWaiver
      - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status
colourGreen
titleComplete
.

If a waiver is granted, change the status to

Status
colourYellow
titleWaiver
.

When the status of all direct dependency replacements is

Status
colourGreen
titleComplete
or
Status
colourYellow
titleWaiver
, the Jira ticket should be closed.

so-adapters-so-etsi-sol003-adapter

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Project’s assessment

Status
colourGreen
titleComplete

1com.fasterxml.jackson.core : jackson-databind : 2.11.3
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004
SONATYPE-2021-4682
2.14.1

This is indirect dependency coming from the o-parent. 


The version 2.14.2 is updated and available in Master branch   

Status
colourGreen
titleCOMPLETE

1org.yaml : snakeyaml : 1.26
CVE-2022-25857
CVE-2022-38749
CVE-2022-38751
CVE-2022-38752
CVE-2022-41854
CVE-2022-38750
1.33

This needs further analysis and is being checked in detail. We have a resource crunch at the moment.

 
As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So 
we try update it 1.31 version its working so we push the code changes.

 
 The version 1.31 is updated and available in Master branch 

so-libs

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Project’s assessment

Status
colourGreen
titleComplete

1com.fasterxml.jackson.core : jackson-databind : 2.11.1
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004
SONATYPE-2021-4682
2.14.1

This is indirect dependency coming from the o-parent. 

 
The version 2.14.2 is updated and available in Master branch 

so

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Project’s assessment

Status
colourGreen
titleComplete

1com.fasterxml.jackson.core : jackson-databind : 2.11.3

CVE-2020-36518

CVE-2022-42003

CVE-2022-42004

SONATYPE-2021-4682
2.14.1

7

7

7

7


This is indirect dependency coming from the o-parent.


The version 2.14.2 is updated and available in Master branch   

Status
colourGreen
titleComplete

1com.fasterxml.jackson.core : jackson-databind : 2.9.8

CVE-2019-12086

CVE-2020-25649

CVE-2020-36518

CVE-2022-42003

CVE-2022-42004

2.14.1
7

Same as above
7

Status

7

colour

7

Green

7

title

Same as above

Complete

1com.google.protobuf : protobuf-java : 3.10.0

CVE-2022-3171

CVE-2022-3509

CVE-2021-22569
4.0.0-rc-2

7

7

5


This needs further analysis and is being checked in detail. We have a resource crunch at the moment.
 
This dependancy is excluded in SO pom.xml therefor no impact, require no change in SO

Status
colourGreen
titleCOMPLETE

1com.h2database : h2 : 1.4.200

CVE-2021-42392

CVE-2022-23221

SONATYPE-2021-1681

SONATYPE-2022-6243

SONATYPE-2018-0863

0.16.4

9

9

8

8

6

We dont use this code in the production and is only built for testing code.

 
1) As per analysis the recommend version is lowest which is not available in Maven dependency.
2) We update the latest version 2.1.214 and its work i.e. code build successfully. Reference link:  https://mvnrepository.com/artifact/com.h2database/h2

 
The version 2.1.214 is updated and available in Master branch 

Status
titleOPEN

1org.apache.tomcat : tomcat-catalina : 9.0.45

CVE-2022-23181

CVE-2021-30640
9.0.37.1
7

6


This needs further analysis and We are facing resource issue at the moment, request a waiver.

 
We are not able to find this dependency.

Status
colourGreen
titleComplete

1org.json : json : 20140107

SONATYPE-2022-3061

20220924
7


The change would bring in a major testing to be performed across the projects and we have a resource crunch. 


The version 2.14.2 is updated and available in Master branch   

Status
colourGreen
titleComplete

1org.json : json : 20160212
SONATYPE-2022-3061
20220924
7

The change would bring in a major testing to be performed across the projects and we have a resource crunch


The version 2.14.2 is updated and available in Master branch   

Status
titleOpen

1org.springframework : spring-web : 5.2.14.RELEASE

CVE-2016-1000027

CVE-2021-22118

CVE-2021-22096
6.0.2

9

7

4

The change would bring in a major testing to be performed across the projects and we have a resource crunch.

 
Spring Framework 6 requires Java 17 

Status
colourGreen
titleCOMPLETE

1

org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE

CVE-2021-23358

CVE-2021-23358

CVE-2018-14042

CVE-2019-11358

CVE-2019-8331

CVE-2020-11023

CVE-2020-26291

CVE-2021-3647

CVE-2022-1233

SONATYPE-2014-0026

SONATYPE-2020-0187

SONATYPE-2022-2019

CVE-2022-24723

SONATYPE-2016-0129

3.3.9.RELEASE

change is pushed

 
The version 3.3.9.RELEASE

7

7

6

6

6

6

6

6

6

6

6

6

5

5

This needs further analysis and We are facing resource issue at the moment, request a waiver.

is updated and available in Master branch 

Status
titleOPEN

1org.springframework.security : spring-security-web : 5.4.6
CVE-2022-22978
3.0.11-oss
9


This needs further analysis and We are facing resource issue at the moment, request a waiver.
 
1

org.yaml : snakeyaml : 1.26

CVE-2022-25857

CVE-2022-38749

CVE-2022-38751

CVE-2022-38752

CVE-2022-41854

CVE-2022-38750

1.33

7

6

6

6

6

5

) As per our analysis the recommended version 3.0.11-oss  is not related to Spring-Security-Web. It is related to AJSC Archetype Parent which is not used in our SO Project (atleast we did not find it).
2) Therefore we can update the latest version of spring-security-web version 6.1.2 and its work i.e. code build successfully. Reference links https://mvnrepository.com/artifact/com.att.ajsc/ajsc-archetype-parent/3.0.11-oss  
and  https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.1.2

 
The version 6.1.2 is updated and available in Master branch 
 
We have removed  spring-security-web : 6.1.2 version because it required Java-17  

Status
colourGreen
titleCOMPLETE

1org.yaml : snakeyaml : 1.261.33


This needs further analysis and We are facing resource issue at the moment, request a waiver.

 
As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So 
we try update it 1.31 version its working so we push the code changes.

 
The version 1.31 is updated and available in Master branch 
 

Status
colourGreen
titleCOMPLETE

2org.glassfish.jersey.core : jersey-common : 2.22.1
CVE-2021-281685Indirect dependency,Indirect dependency.


 change is pushed

 
The version is updated and available in Master branch 

Status
colourGreen
titleCOMPLETE

2org.glassfish.jersey.core : jersey-common : 2.30.1
CVE-2021-281685


 change is pushed

 
The version is updated and available in Master branch 

Status
titleOpen

2org.springframework : spring-webmvc : 5.2.12.RELEASE
CVE-2021-22060
6.0.2
4This needs further analysis and We are facing resource issue at the moment, request a waiver.

 
Spring Framework 6 requires Java 17 

so-so-admin-cockpit

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Project’s assessment

Status
colourGreen
titleComplete

1com.fasterxml.jackson.core : jackson-databind : 2.11.1
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004
SONATYPE-2021-4682
2.14.1

This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch


The version 2.14.2 is updated and available in Master branch   

so-so-etsi-nfvo

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Project’s assessment

Status
colourGreen
titleComplete
1com.fasterxml.jackson.core : jackson-databind : 2.11.1
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004
SONATYPE-2021-4682
2.14.1

This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch.


The version 2.14.2 is updated and available in Master branch   

Status
colourGreen
titleCOMPLETE

1org.yaml : snakeyaml : 1.26
CVE-2022-25857
CVE-2022-38749
CVE-2022-38751
CVE-2022-38752
CVE-2022-41854
CVE-2022-38750
1.33

This needs further analysis and is being checked in detail. We have a resource crunch at the moment.

 
As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So 
we try update it 1.31 version its working so we push the code changes.

 
The version 1.31 is updated and available in Master branch