To reduce the number of ONAP security vulnerabilities, ONAP uses the O-Parent project to provide centralized version management of common third-party Java libraries. This reduces the number of disparate versions of the same third-party package in use across ONAP, and reduces the attack surface correspondingly. A more detailed discussion is on this thread.
How to Use
- Import Dependency Versions
- Remove Specific Library Versions from Project pom
Step 1: Import Dependency Versions
Option 1.A: Inherit from O-Parent
The managed package versions are automatically imported into your project poms if you inherit from the latest version of oparent: O-Parent (oparent). Most ONAP projects should implement this option.
Set the parent POM in your pom.xml as follows. Be sure to use the current version of oparent as declared in the version manifest; see ONAP Version Manifest Maven Plugin.
```xml
<parent>
  <groupId>org.onap.oparent</groupId>
  <artifactId>oparent</artifactId>
  <version>1.2.0</version>
  <relativePath/>
</parent>
```
Option 1.B: Manually Import Dependency Versions
If your project has specific technical reasons that prevent it from inheriting from O-Parent (e.g. CCSDK), you can manually import the dependency versions. To do so:
Add the following dependency to the dependencyManagement section in your pom.xml. Be sure to use the current version of oparent:dependencies as declared in the version manifest; see ONAP Version Manifest Maven Plugin.
```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.onap.oparent</groupId>
      <artifactId>dependencies</artifactId>
      <version>1.2.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```
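An added example, not part of the original page or of ONAP tooling: a Python check that reports which of the two options above a pom.xml uses and lists direct dependencies that still declare their own `<version>`, since in Maven a version declared directly on a dependency takes precedence over the managed one. The sample POM and its `com.example` coordinates are constructed, and the script does not resolve which libraries O-Parent actually manages, so its output is a list of candidates to review.

```python
import xml.etree.ElementTree as ET

GROUP = "org.onap.oparent"  # groupId used in the page's snippets

def _coords(el, *names):
    """Text of the named child elements, '' where a child is absent."""
    return tuple((el.findtext(n) or "").strip() for n in names)

def audit_pom(pom_xml):
    """Return (mode, pinned): how O-Parent versions are imported, and which
    direct dependencies still declare their own <version>."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():            # real POMs are namespaced; drop the prefix
        el.tag = el.tag.split("}", 1)[-1]
    mode = None
    parent = root.find("parent")
    if parent is not None and _coords(parent, "groupId", "artifactId") == (GROUP, "oparent"):
        mode = "inherit"              # Option 1.A
    else:
        for dep in root.findall("dependencyManagement/dependencies/dependency"):
            if _coords(dep, "groupId", "artifactId", "type", "scope") == (GROUP, "dependencies", "pom", "import"):
                mode = "import"       # Option 1.B
    pinned = [c for c in (_coords(d, "groupId", "artifactId", "version")
                          for d in root.findall("dependencies/dependency")) if c[2]]
    return mode, pinned

# Constructed sample: com.example coordinates are placeholders, not ONAP libraries.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.onap.oparent</groupId>
    <artifactId>oparent</artifactId>
    <version>1.2.0</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>pinned-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>managed-lib</artifactId>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    mode, pinned = audit_pom(SAMPLE_POM)
    print("import mode:", mode, "| explicit versions to review:", pinned)
```

Dependencies declared inside `<profiles>` or in child modules are not inspected; run the check per module.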
...