In order to fulfill REQ-265 TSC Approval at M2 with Epic Link Software Composition Analysis, projects are to focus on upgrading the packages that are direct dependencies to the latest version at M2.
- Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
- Projects update direct dependencies in their applications to most recent version of packages
- Projects identify the direct dependencies (packages) in each project component
- NexusIQ provides a list of all packages used in a component
- Projects open Jiras to update older package versions in direct dependencies and commit to upgrading by M4
- NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
- Include the new version number in the Jira ticket
- No requirement to upgrade transitive dependent packages
- Projects identify the direct dependencies (packages) in each project component
- SECCOM will update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
- All known CVEs for each component will be listed in readthedocs for the release with no analysis.
- CLAMP team to investigate writing a script to automatically generate of project Jira tickets for all direct dependencies for all project.
- Include label "ComponentUpgrade"
- Each PTL will indicate upgrade plans in M2 as follows.
- case 1: direct dependency at latest version
- PTL creates Jira comment stating that the package is at the latest version with the version number, and closes ticket
- case 2: direct dependency at older version
- case 1: project creates Jira comment stating that the package will be upgraded
- case 2: project creates in Jira comment stating that package will not be upgraded and provides reason
- case 1: direct dependency at latest version