Before every release, a vulnerability scan of the third-party packages (3pp) must be done.
Dependency Management
NexusIQ
Committers have access to NexusIQ reports, which give a more straightforward list of vulnerabilities and their severity levels and show whether each affected dependency is direct or transitive. The report is generated by the maven-clm-master Jenkins job (e.g. https://jenkins.onap.org/view/policy/job/policy-api-maven-clm-master/ ). NexusIQ can also be installed as a plugin in IntelliJ: log into the ONAP Nexus IQ server (https://nexus-iq.wl.linuxfoundation.org/ ) and generate a user token. Use that token as the User Authentication in the plugin and test with Connect. If it works, select the correct Application for each repository.
...
After that, when opening pom.xml files, the plugin will highlight any dependency with issues. Not all issues can be fixed, but it gives a good idea of how many dependencies need to be watched.
SonarLint / SonarCloud
Any member of ONAP can install the SonarLint plugin in IntelliJ and connect it to the ONAP SonarCloud.
...
To run it, select each module individually (don't run the analysis over the whole project: it will take too long and will analyse unnecessary files from the target folder) and go to SonarLint → Analyse with SonarLint. Fix anything you deem fixable.
Updating Maven Dependencies
Most of the Policy dependencies are in the parent/integration/pom.xml file. Versions can be changed at the property level (e.g. <version.spring>) or in the dependency's version tag. Other dependencies are declared at project level, so be careful when changing something in the integration pom.xml that conflicts with project-level dependencies. Upgrade both if necessary.
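A quick check for the conflict described above, as an added example that is not part of the Policy project's tooling: it parses a constructed stand-in for the integration pom and a constructed project pom, then reports version properties the project pom redefines with a different value and dependencies pinned to a literal version instead of a property. The property name version.jackson, the artifacts and all version numbers are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed stand-in for parent/integration/pom.xml (not the real file)
INTEGRATION_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <version.spring>6.1.3</version.spring>
    <version.jackson>2.16.1</version.jackson>
  </properties>
</project>"""

# Constructed stand-in for a project-level pom.xml that pins its own versions
PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <version.spring>6.0.9</version.spring>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.15.2</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
      <version>${version.spring}</version>
    </dependency>
  </dependencies>
</project>"""


def version_properties(pom_xml):
    # {property name: value} for <properties> children named version.*
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    tag = lambda el: el.tag.split("}", 1)[-1]
    return {tag(p): p.text.strip() for p in (props if props is not None else [])
            if tag(p).startswith("version.")}


def find_conflicts(integration_xml, project_xml):
    # Returns (properties the project pom overrides with a different value,
    #          dependencies pinned to a literal version instead of a property)
    parent = version_properties(integration_xml)
    child = version_properties(project_xml)
    overridden = {k: (parent[k], v) for k, v in child.items()
                  if k in parent and parent[k] != v}
    literal = []
    for dep in ET.fromstring(project_xml).findall("m:dependencies/m:dependency", NS):
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if ver and not ver.startswith("${"):
            literal.append((dep.findtext("m:artifactId", namespaces=NS), ver))
    return overridden, literal
```

Run find_conflicts over the real integration pom and each project pom before bumping a version; every entry it returns is a place where the two files must be upgraded together.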
...
How to run CSITs using docker compose: https://docsgithub.com/onap.org/projects/onap-policy-parentdocker/en/latest/development/devtools/testingtree/master/csit.html#id2
Rinse and repeat.
Sonar Issues
...