
NOTE: This page is a copy of the /wiki/spaces/SV/pages/16093480 report created by SECCOM (CVE info excluded); any update should be made on the parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.
  • Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
  • There are four status values:
    • Open - required upgrade identified
    • In Progress - project working on the upgrade
    • Complete - package has been upgraded to the recommended version
    • Waiver - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete, change the status in the table to Complete.

If a waiver is granted, change the status to Waiver.

When the status of all direct dependency replacements is Complete or Waiver, the Jira ticket should be closed.


dcaegen2-analytics-tca-gen2

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
OPEN | 2 | undertow-core : 2.2.7.Final | 5, 5 | 2.2.14 | 2.2.14.Final

dcaegen2-collectors-datafile

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | spring-web : 5.3.6 | 9, 7, 4 | 5.3.13 | 5.3.13 or 5.3.14
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available

onap-dcaegen2-collectors-restconf

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | 2.8.9
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6

dcaegen2-collectors-hv-ves

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | 2.8.9

dcaegen2-collectors-ves

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | 2.8.9
OPEN | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final | 4.1.73.Final
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest; no non-vulnerable version available
- | - | org.apache.logging.log4j : log4j-core : 2.16.0 | - | 2.17.1 | -

dcaegen2-platform-mod-genprocessor

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6
OPEN | 2 | nifi-utils : 1.9.2 | 5 | - | retain current version due to dependency with upstream nifi version on designer module

dcaegen2-platform-mod2-auth

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | -
- | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | POC components; not part of ONAP deployment
OPEN | 2 | undertow-core : 2.2.7.Final | 5, 5 | 2.2.14 | -
- | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment

dcaegen2-platform-mod2-catalog

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | spring-web : 5.3.6 | 9, 7, 4 | 5.3.13 | -
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | -
- | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | POC components; not part of ONAP deployment
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | POC components; not part of ONAP deployment
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | POC components; not part of ONAP deployment
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | POC components; not part of ONAP deployment
OPEN | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9, 6, 6 | 3.0.0 | POC components; not part of ONAP deployment
OPEN | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 | POC components; not part of ONAP deployment

dcaegen2-platform-mod-runtimeapi

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | -

dcaegen2-services-kpi-computation-ms

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10
OPEN | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final | -
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | -

dcaegen2-platform-mod-genprocessor

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
- | - | spring-web : 5.3.7 | 9, 4 | 5.3.13 | 5.3.14
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6
OPEN | 2 | nifi-utils : 1.9.2 | 5 | 1.15.0 | -
- | - | io.undertow : undertow-core : 2.2.8.Final | 5, 5 | 2.2.14.Final | 2.2.14.Final
- | - | org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 | -

dcaegen2-services-bbs-event-processor

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | -
dcaegen2-services-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6
- | - | org.apache.logging.log4j : log4j-core : 2.16.0 | - | 2.17.1 | -
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | -
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | -
OPEN | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9, 6, 6 | 3.0.0 | -
- | - | xstream : 1.4.16 | 8 | 1.4.18 | 1.4.18
OPEN | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 | -
- | - | xercesImpl : 2.12.1 | 5 | - | -


dcaegen2-services-pm-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | -
OPEN | 1 | org.springframework : spring-web : 5.3.7 | 9, 4 | 5.3.13 | -
- | - | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | 2.8.9
OPEN | 2 | undertow-core : 2.2.9.Final | 5, 4, 4 | 2.2.14.Final | 2.2.16.Final

dcaegen2-services-prh

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0-M7 | Either 10.1.0-M8 or 9.0.56
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | -
OPEN | 1 | xstream : 1.4.16 | 8 | 1.4.18 | -
- | - | org.springframework : spring-web : 5.3.8 | 9, 4 | 5.3.13 RELEASE | 5.3.14

dcaegen2-services-sdk

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
OPEN | 2 | xercesImpl : 2.12.1 | 5 | ??? | -

dcaegen2-services-pm-mapper

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
- | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | -
- | 2 | undertow-core : 2.2.9.Final | 5, 4, 4 | 2.2.14.Final | -
- | - | org.springframework : spring-webflux : 5.3.1 | 6 | 5.3.14 | -

dcaegen2-services-son-handler

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9, 4 | 5.3.13 RELEASE | -

dcaegen2-services-sdk

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | -
- | - | org.springframework : spring-web : 5.3.7.RELEASE | 9, 4 | 5.3.13 RELEASE | 5.3.14
- | - | org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 | -
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | -
- | - | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | 9.0.50 or 10.1.0-M8

dcaegen2-services-slice-analysis-ms

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment
- | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 10 | 2.12.6 | 2.12.6
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.2.10 | 1.2.10
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9, 4 | 5.3.13 RELEASE | 5.3.14
- | - | org.springframework : spring-webmvc : 5.3.7 | 6 | 5.3.14 | -
OPEN | 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | 9.0.50 or 10.1.0-M8

dcaegen2-platform-mod2-helmgenerator

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9, 4 | 5.3.13 RELEASE | -
OPEN | 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | -
- | - | com.fasterxml.jackson.core : jackson-databind : 2.10.3 | 10 | 2.12.6 | -
- | - | com.squareup.okhttp3 : okhttp : 4.0.1 | 5 | 4.9.3 | -
- | - | commons-io : commons-io : 2.4 | - | 2.11.0 | -


dcaegen2-platform-ves-openapi-manager

Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment (Target for J)
- | - | com.fasterxml.jackson.core : jackson-databind : 2.9.4 | 10 | 2.12.6 | -