Please note: this report is as per the London release. NOTE: this page is a copy of the /wiki/spaces/SV/pages/16094118 report.
The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
  - Open: required upgrade identified
  - In Progress (blue): project working on the upgrade
  - Complete (green): package has been upgraded to the recommended version
  - Waiver (yellow): project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete, change the status in the table to Complete.
If a waiver is granted, change the status to Waiver.
When the status of all direct dependency replacements is Complete or Waiver
so-adapters-so-etsi-sol003-adapter
| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | | This is an indirect dependency coming from the o-parent. There is no o-parent dependency present in the pom.xml. |
| | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. 25 Jul: the version 1.31 is updated and available in Master branch. |
so-libs
| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. |
so
| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | 7, 7, 7, 7 | This is an indirect dependency coming from the o-parent. |
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.9.8 | 2.14.1 | | Same as above. |
| | 1 | com.google.protobuf : protobuf-java : 3.10.0 | 4.0.0-rc-2 | 7, 7, 5 | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. This dependency is excluded in the SO pom.xml, therefore no impact; it requires no change in SO. |
| | 1 | com.h2database : h2 : 1.4.200 | 0.16.4 | 9, 9, 8, 8, 6 | We don't use this code in production; it is only built for testing code. 1) As per analysis the recommended version is the lowest, and it is not available as a Maven dependency. |
| | 1 | org.apache.tomcat : tomcat-catalina : 9.0.45 | 9.0.37.1 | 7, 6 | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. We are not able to find this dependency. |
| | 1 | org.json : json : 20140107 | 20220924 | | The change would bring in major testing to be performed across the projects and we have a resource crunch. Version 2.14.2 is updated and available in Master branch. |
| | 1 | org.json : json : 20160212 | 20220924 | | The change would bring in major testing to be performed across the projects and we have a resource crunch. Not found. Version 2.14.2 is updated and available in Master branch. |
| | 1 | org.springframework : spring-web : 5.2.14.RELEASE | 6.0.2 | 9, 7, 4 | |
| | 1 | org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE | 3.3.9.RELEASE | 7, 7, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 5, 5 | Not found. Change is pushed. |
| | 1 | org.springframework.security : spring-security-web : 5.4.6 | 3.0.11-oss | 7, 6, 6, 6, 6, 5 | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. 1) As per our analysis the recommended version 3.0.11-oss is not related to Spring-Security-Web. It is related to AJSC Archetype Parent, which is not used in our SO project (at least we did not find it). |
| | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. |
| | 2 | org.glassfish.jersey.core : jersey-common : 2.22.1 | | | Change is pushed. |
| | 2 | org.glassfish.jersey.core : jersey-common : 2.30.1 | | | Change is pushed. |
| | 2 | org.springframework : spring-webmvc : 5.2.12.RELEASE | 6.0.2 | | |
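Several assessments above hinge on where a flagged artifact actually enters the build ("indirect dependency coming from the o-parent", "not able to find this dependency", "only built for testing code"). The script below is an added example, not part of the original report or the SO project: it parses the text that `mvn dependency:tree` prints, classifies each recommended component as direct, transitive (with the chain of parents that pulls it in) or not found, and checks whether the version in the tree is older than the recommended one. The dependency tree is a constructed sample; the module names `so-example` and `so-libs-example` are invented for illustration, while the component coordinates and recommended versions are those listed in the tables.

```python
"""Classify NexusIQ-flagged components as direct/transitive using `mvn dependency:tree` output.

Added example, not code from the original report. The tree below is constructed
to mimic Maven's default text output; module names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `mvn dependency:tree` output (hypothetical SO module).
SAMPLE_TREE = r"""org.onap.so:so-example:jar:1.0.0-SNAPSHOT
+- org.springframework:spring-web:jar:5.2.14.RELEASE:compile
|  \- org.springframework:spring-beans:jar:5.2.14.RELEASE:compile
+- org.onap.so:so-libs-example:jar:1.0.0-SNAPSHOT:compile
|  \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:compile
|     +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
|     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:compile
+- com.h2database:h2:jar:1.4.200:test
\- org.yaml:snakeyaml:jar:1.26:compile
"""

# Recommended versions as listed in the report's tables (groupId:artifactId -> version).
RECOMMENDATIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.14.1",
    "org.yaml:snakeyaml": "1.33",
    "org.springframework:spring-web": "6.0.2",
    "com.h2database:h2": "0.16.4",
    "org.apache.tomcat:tomcat-catalina": "9.0.37.1",
}


@dataclass
class Finding:
    artifact: str                      # groupId:artifactId
    version: Optional[str]             # version present in the tree, None if absent
    recommended: str
    status: str                        # "direct", "transitive" or "not found"
    scope: Optional[str] = None        # Maven scope (compile, test, ...) if known
    path: List[str] = field(default_factory=list)  # ancestors, root first
    upgrade_needed: bool = False       # True when tree version < recommended


def parse_tree(text: str):
    """Yield (depth, groupId:artifactId, version, scope, ancestors) for every node.

    Maven indents each level by three characters built from '|', '+', '\\', '-' and ' '.
    """
    nodes = []
    chain: List[str] = []              # chain[d] = artifact at depth d on the current branch
    for line in text.splitlines():
        if not line.strip():
            continue
        coords = line.lstrip("|+\\- ")
        depth = (len(line) - len(coords)) // 3
        parts = coords.split(":")      # group:artifact:packaging:version[:scope]
        ga, version = f"{parts[0]}:{parts[1]}", parts[3]
        scope = parts[4] if len(parts) > 4 else None
        del chain[depth:]              # drop siblings' subtrees deeper than this node
        chain.append(ga)
        nodes.append((depth, ga, version, scope, list(chain[:-1])))
    return nodes


def version_key(version: str):
    """Numeric prefix of a version for ordering, e.g. '5.2.14.RELEASE' -> (5, 2, 14)."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def assess(tree_text: str, recommendations: Dict[str, str]) -> List[Finding]:
    """Match each recommended component against the parsed tree (first occurrence wins)."""
    seen = {}
    for depth, ga, version, scope, ancestors in parse_tree(tree_text):
        if depth > 0:
            seen.setdefault(ga, (depth, version, scope, ancestors))
    findings = []
    for ga, rec in recommendations.items():
        if ga not in seen:
            findings.append(Finding(ga, None, rec, "not found"))
            continue
        depth, version, scope, ancestors = seen[ga]
        status = "direct" if depth == 1 else "transitive"
        needs = version_key(version) < version_key(rec)
        findings.append(Finding(ga, version, rec, status, scope, ancestors, needs))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, for the tracking table."""
    lines = []
    for f in findings:
        if f.status == "not found":
            lines.append(f"{f.artifact}: not found in tree (recommended {f.recommended})")
            continue
        via = " -> ".join(f.path[1:]) or "direct"
        action = "upgrade" if f.upgrade_needed else "no upgrade (recommended version is not newer)"
        lines.append(f"{f.artifact} {f.version} [{f.scope}] {f.status} via {via}: {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(assess(SAMPLE_TREE, RECOMMENDATIONS))))
```

Run it against real output with `mvn dependency:tree -DoutputFile=tree.txt` and feed that file to `assess`. Transitive hits name the direct dependency to pin in `dependencyManagement`; a "not found" result matches an assessment such as the tomcat-catalina one above, and a recommended version that is not newer than the current one (the h2 row) is reported rather than treated as an upgrade.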
so-so-admin-cockpit
| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in major testing to be performed across the projects and we have a resource crunch. There is no o-parent dependency present in the pom.xml. |
so-so-etsi-nfvo
| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in major testing to be performed across the projects and we have a resource crunch. There is no o-parent dependency present in the pom.xml. |
| | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. 25 Jul: the version 1.31 is updated and available in Master branch. |