NOTE: This page is copy of /wiki/spaces/SV/pages/16093480 report created by SECCOM (excluded CVE info); any update should be done on parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- Status
  title Open
  - required upgrade identified
- Status
  colour Blue
  title In Progress
  - project working on the upgrade
- Status
  colour Green
  title Complete
  - package has been upgraded to the recommended version
- Status
  colour Yellow
  title Waiver
  - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status

colour	Green
title	Complete

.

If a waiver is granted, change the status to

Status

colour	Yellow
title	Waiver

.

When the status of all direct dependency replacements is

Status

colour	Green
title	Complete

or NOTE: This page is copy of /wiki/spaces/SV/pages/16094094 report created by SECCOM under DCAEGEN2-3318 (excluded CVE info); any update should be done on parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- Status
  title Open
  - required upgrade identified
- Status
  colour Blue
  title In Progress
  - project working on the upgrade
- Status
  colour Green
  title Complete
  - package has been upgraded to the recommended version
- Status
  colour Yellow
  title Waiver

...

dcaegen2-analytics-tca-gen2

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

2

...

io.springfox : springfox-swagger2 : 3.0.0

...

???

...

Status

title	OPEN

...

2

...

undertow-core : 2.2.7.Final

...

5

...

2.2.14

...

- - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status

colour	Green
title	Complete

.

If a waiver is granted, change the status to

Status

colour	Yellow
title	Waiver

.

When the status of all direct dependency replacements is

Status

colour	Green
title	Complete

or

Status

colour	Yellow
title	Waiver

, the Jira ticket should be closed.

dcaegen2-analytics-tca-gen2

Recommended versionOPEN assessment (Target for J)-swagger2 0

Status

Priority

Component name and version

Recommended version

Threat level

Status

title

Project’s

Status

title	OPEN

1

spring-web : 5.3.6

9

7

4

5.3.13

5.3.13 or 5.3.14

assessment

COMPLETE

1

com.fasterxml.jackson.core : jackson-databind : 2.13.3

2.14.1

COMPLETE

1

io.undertow : undertow-core : 2.2.17.Final

2.3.0.Final

COMPLETE

2

io.springfox : springfox-swagger-ui : 2.10.5

3.0.0

COMPLETE

2

io.springfox : springfox

-swagger2 : 3.0.0

3.0.0

SECCOM: 3.0.

5

???

Already on latest; no non-vulnerable version available

...

is the latest version

dcaegen2-collectors-

...

datafile

Recommended version assessment (Target for J)

Status

Priority

Component name and version

Recommended version

Threat level

Project’s

Status

title	OPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

8

1.2.10

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.5

7

2.8.9

Status

title	OPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5

???

Already on latest; no non-vulnerable version available

1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

10

2.12.6

dcaegen2-collectors-hv-ves

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

com.google.code.gson : gson : 2.8.6

...

assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2	This is transient dependency from spring-boot; upgraded to tomcat 9.0.65 which is default in the spring-boot 2.7.2. Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.springframework : spring-web : 5.3.22	6.0.2	Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0	SECCOM: 3.0. is the latest version

dcaegen2-collectors-hv-ves

...

Status

title	OPEN

...

nifi-utils : 1.9.2

...

dcaegen2-platform-mod2-auth

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

Status

title	OPEN

...

com.google.code.gson : gson : 2.8.6

...

Status

title	OPEN

...

dcaegen2-platform-mod2-catalog

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.6

72.8.9POC components; not part of ONAP deployment

Status

title	OPEN

1com.squareup.okhttp3 : okhttp : 4.0.174.9.3

POC components; not part of ONAP deployment

Status

title	OPEN

1

io.springfox : springfox-swagger-ui : 2.9.2

9

6

3.0.0POC components; not part of ONAP deployment

Status

title	OPEN

2io.springfox : springfox-swagger2 : 2.9.253.0.0POC components; not part of ONAP deployment version

Status

Priority

Component name and

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.6

7

2.8.9

Status

title	OPEN

2

io.netty : netty-codec-http : 4.1.59.Final

5

4.1.70.Final

4.1.73.Final

Status

title	OPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5

???

Already on latest; no non-vulnerable version available

org.apache.logging.log4j: log4j-core:2.16.0

2.17.1

dcaegen2-platform-mod-genprocessor

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

com.fasterxml.jackson.core : jackson-databind : 2.11.0

...

version	CVE	Threat level	Recommended version	Project’s assessment
						No vulnerable components

onap-dcaegen2-collectors-restconf

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.codehaus.jettison : jettison : 1.3.7	1.5.2
COMPLETE	2	io.springfox : springfox-swagger-ui : 2.10.5	3.0.0
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-collectors-ves

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-platform-mod-genprocessor

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Yellow
title	Waiver

1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

2.14.1

The component will be retired in London release, hence no upgrade is needed.

Status

colour	Yellow
title	Waiver

1

org.apache.commons : commons-text : 1.7

1.10.0

Status

colour	Yellow
title	Waiver

2

org.apache.nifi : nifi-utils : 1.9.2

1.19.0

dcaegen2-platform-mod-runtimeapi

Status

Priority

Component name and version

CVE

Threat level

Recommended

version

Project’s assessment (Target for J)

caegen2-services-kpi-computation-ms

Status

Priority

Component name and

version

Threat level

Recommended version

Status

title	OPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status

title	OPEN

1org.springframework : spring-web : 5.3.7

9

4

5.3.135.3.14

Project’s

assessment (Target for J)

assessment

Status

colour	Yellow
title	Waiver

1

org.yaml : snakeyaml : 1.26

1.33

The component will be retired in London release, hence no upgrade is needed.

Status

colour	Yellow
title	Waiver

2

io.springfox : springfox-swagger-ui : 3.0.0

3.0.0

dcaegen2-platform-mod2-helm-generator

Status

Priority

Component name and version

Recommended version

Threat level

Project’s assessment

Status

colour	Yellow
title	Waiver

1

com.fasterxml.jackson.core : jackson-databind : 2.

11

10.

0

3

102

2.

12

14.

62.12.6

Status

title	OPEN

2io.undertow : undertow-core : 2.2.8.Final

5

2.2.14.Final2.2.14.Finalorg.springframework : spring-webmvc : 5.3.765.3.14

1

The component will be retired in London release, hence no upgrade is needed.

dcaegen2-platform-ves-openapi-manager

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1

dcaegen2-services-

...

kpi-

...

computation-

...

ms

Status

Priority

Component name and version

CVE

Recommended version

Threat level

Recommended version

Project’s assessment

dcaegen2-services-mapper

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)


COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core

: jackson-databind : 2.11.2102.12.62.12.6org.apache.logging.log4j: log4j-core:2.16.02.17.1

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status

title	OPEN

1xstream : 1.4.16

8

1.4.181.4.18

Status

title	OPEN

2

xercesImpl : 2.12.15???Already on latest; no non-vulnerable version available

dcaegen2-services-pm-mapper

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status

title	OPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status

title	OPEN

2

undertow-core : 2.2.9.Final

5

4

2.2.14.Final

~~2.2.14.Final~~

2.2.16

: jackson-databind : 2.13.3	2.14.1
COMPLETE	1	io.undertow : undertow-core : 2.2.17.Final	2.3.0.Final
COMPLETE	1	org.springframework : spring-web : 5.3.20	6.0.2	Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	org.eclipse.jetty : jetty-server : 9.4.41.v20210516	11.0.12

dcaegen2-services-mapper

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	com.thoughtworks.xstream : xstream : 1.4.19	1.4.19
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	2	io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE	1.1.0
COMPLETE	2	xerces : xercesImpl : 2.12.2	2.12.2

dcaegen2-services-pm-mapper

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	io.undertow : undertow-core : 2.2.17.Final	2.3.0.Final

dcaegen2-services-prh

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version StatustitleOPEN

Project’s

assessment (Target for J)

assessment
COMPLETE	1	org.apache.commons : commons-text : 1.6	1.10.0
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-

websocket

core : 9.0

.48

7

10.1.0M7

Either

.65

10.1.

0-M8 or

2

Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.

56

Statustitle

COMPLETE

OPEN

1	org.springframework : spring-web : 5.3.

8

9

4

22

6.0.2

Recommended version requires Java-17. In London release, version 5.3.

13 RELEASE5.3.14

25 will be upgraded to.

dcaegen2-services-sdk

Status

Priority

Component

name and version

Threat level

Recommended version

Project’s assessment

Status

title	OPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10 StatustitleOPEN

name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.google.

code.gson : gson : 2.8.572.8.92.8.9org.springframework : spring-webflux : 5.3.165.3.14

protobuf : protobuf-java : 3.21.1

4.0.0-rc-2

dcaegen2-services-slice-

...

analysis-

...

ms

Status

Priority

Component name and version

Recommended version

Threat level

Recommended version

Project’s assessment
COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.

11

13.

010

3

2.

12.62.12.6

Status

title	OPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status

title	OPEN

1

org.springframework : spring-web : 5.3.7.RELEASE

9

4

5.3.13 RELEASE

5.3.14

14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2	Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	1	org.springframework : spring-

webmvc

web : 5.3.

7

20

6.0.2

Recommended version requires Java-17. In London release, version 5.3.

14

Status

title	OPEN

1

25 will be upgraded to.
COMPLETE	2	org.

apache

eclipse.

tomcat.embed

jetty :

tomcat

jetty-

embed-core

server : 9.4.41.

0.46

6

10.1.0-M7

9.0.50 or 10.1.0-M8

dcaegen2-services-slice-analysis-ms

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment

1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status

title	OPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status

title	OPEN

1

org.springframework : spring-web : 5.3.7.RELEASE

9

4

5.3.13 RELEASE

5.3.14

v20210516

11.0.12

dcaegen2-services-son-handler

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2		Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	1	org.springframework : spring-

webmvc

web : 5.3.

7

20

6

5

.

3.14

Status

title	OPEN

2

org.apache.tomcat.embed : tomcat-embed-core : 9.0.46

6

10.1.0-M7

9.0.50 or 10.1.0-M8

dcaegen2-platform-mod2-helmgenerator

...

Status

...

Priority

...

Component name and version

...

Threat level

...

Recommended version

...

Project’s assessment (Target for J)

...

com.fasterxml.jackson.core : jackson-databind : 2.10.3

...

com.squareup.okhttp3 : okhttp : 4.0.1

...

dcaegen2-platform-ves-openapi-manager

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

com.fasterxml.jackson.core : jackson-databind : 2.9.4

102.12.6

0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE	1.1.0
COMPLETE	2	org.eclipse.jetty : jetty-server : 9.4.40.v20210413	11.0.12

The following had no violations (or no direct violations):

dcaegen2-deployments
dcaegen2-platform-adapter-acumos
dcaegen2-platform-mod-designtool
dcaegen2-platform-mod-distributorapi
dcaegen2-platform-mod-onboardingapi
dcaegen2-platform-mod2-catalog-service
dcaegen2-platform-mod2-auth-service
dcaegen2-platform-mod2-ui
dcaegen2-services-heartbeat
dcaegen2-utils
dcaegen2

Versions Compared

Old Version 2

New Version Current

Key

dcaegen2-analytics-tca-gen2

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-

datafile

dcaegen2-collectors-hv-ves

dcaegen2-collectors-hv-ves

dcaegen2-platform-mod2-auth

dcaegen2-platform-mod2-catalog

dcaegen2-platform-mod-genprocessor

onap-dcaegen2-collectors-restconf

dcaegen2-collectors-ves

dcaegen2-platform-mod-genprocessor

dcaegen2-platform-mod-runtimeapi

caegen2-services-kpi-computation-ms

dcaegen2-platform-mod2-helm-generator

dcaegen2-platform-ves-openapi-manager

dcaegen2-services-

kpi-

computation-

ms

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-prh

dcaegen2-services-sdk

dcaegen2-services-slice-

analysis-

ms

dcaegen2-services-slice-analysis-ms

dcaegen2-services-son-handler

dcaegen2-platform-mod2-helmgenerator

dcaegen2-platform-ves-openapi-manager

The following had no violations (or no direct violations):

Page Comparison

Versions Compared

Old Version 2

New Version Current

Key

dcaegen2-analytics-tca-gen2

dcaegen2-analytics-tca-gen2

dcaegen2-collectors-

datafile

dcaegen2-collectors-hv-ves

dcaegen2-collectors-hv-ves

dcaegen2-platform-mod2-auth

dcaegen2-platform-mod2-catalog

dcaegen2-platform-mod-genprocessor

onap-dcaegen2-collectors-restconf

dcaegen2-collectors-ves

dcaegen2-platform-mod-genprocessor

dcaegen2-platform-mod-runtimeapi

caegen2-services-kpi-computation-ms

dcaegen2-platform-mod2-helm-generator

dcaegen2-platform-ves-openapi-manager

dcaegen2-services-

kpi-

computation-

ms

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-mapper

dcaegen2-services-pm-mapper

dcaegen2-services-prh

dcaegen2-services-sdk

dcaegen2-services-slice-

analysis-

ms

dcaegen2-services-slice-analysis-ms

dcaegen2-services-son-handler

dcaegen2-platform-mod2-helmgenerator

dcaegen2-platform-ves-openapi-manager

The following had no violations (or no direct violations):