NOTE: This page is copy of /wiki/spaces/SV/pages/16093480 report created by SECCOM (excluded CVE info); any update should be done on parent page.
The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
- OPEN - required upgrade identified
- IN PROGRESS - project working on the upgrade
- COMPLETE - package has been upgraded to the recommended version
- WAIVER - project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete change the status in the table to COMPLETE.
If a waiver is granted, change the status to WAIVER.
When the status of all direct dependency replacements is COMPLETE or WAIVER, the Jira ticket should be closed.
dcaegen2-analytics-tca-gen2
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | |
OPEN | 2 | undertow-core : 2.2.7.Final | 5 5 | 2.2.14 |
dcaegen2-collectors-datafile
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | spring-web : 5.3.6 | 9 7 4 | 5.3.13 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
onap-dcaegen2-collectors-restconf
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
dcaegen2-collectors-hv-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 |
dcaegen2-collectors-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? |
dcaegen2-platform-mod-genprocessor
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 2 | nifi-utils : 1.9.2 | 5 | 1.15.0 |
dcaegen2-platform-mod2-auth
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 |
dcaegen2-platform-mod2-catalog
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | |
OPEN | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9 6 6 | 3.0.0 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 |
dcaegen2-platform-mod-runtimeapi
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
caegen2-services-kpi-computation-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | org.springframework : spring-web : 5.3.7 | 9 4 | 5.3.13 | |
OPEN | 2 | io.undertow : undertow-core : 2.2.8.Final | 5 5 | 2.2.14.Final |
dcaegen2-services-bbs-event-processor
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
dcaegen2-services-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 1 | xstream : 1.4.16 | 8 | 1.4.18 | |
OPEN | 2 | xercesImpl : 2.12.1 | 5 | ??? |
dcaegen2-services-pm-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 2 | undertow-core : 2.2.9.Final | 5 4 4 | 2.2.14.Final |
dcaegen2-services-prh
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0M7 | |
OPEN | 1 | org.springframework : spring-web : 5.3.8.RELEASE | 9 4 | 5.3.13 RELEASE |
dcaegen2-services-sdk
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 |
dcaegen2-services-son-handler
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE | |
OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 |
dcaegen2-services-slice-analysis-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE | |
OPEN | 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 |