NOTE: This page is copy of /wiki/spaces/SV/pages/16094118 report
The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
- OPEN - required upgrade identified
- IN PROGRESS - project working on the upgrade
- COMPLETE - package has been upgraded to the recommended version
- WAIVER - project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete change the status in the table to COMPLETE.
If a waiver is granted, change the status to WAIVER.
When the status of all direct dependency replacements is COMPLETE or WAIVER , the Jira ticket should be closed.
so-adapters-so-etsi-sol003-adapter
| Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | This is indirect dependency coming from the o-parent. | |
IN PROGRESS | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. |
so-libs
| Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | This is indirect dependency coming from the o-parent. |
so
| Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | This is indirect dependency coming from the o-parent. | |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.9.8 | 2.14.1 | Same as above | |
IN PROGRESS | 1 | com.google.protobuf : protobuf-java : 3.10.0 | 4.0.0-rc-2 | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. | |
IN PROGRESS | 1 | com.h2database : h2 : 1.4.200 | 0.16.4 | We dont use this code in the production and is only built for testing code. | |
IN PROGRESS | 1 | org.apache.tomcat : tomcat-catalina : 9.0.45 | 9.0.37.1 | This needs further analysis and We are facing resource issue at the moment, request a waiver. | |
COMPLETE | 1 | org.json : json : 20140107 | 20220924 | The change would bring in a major testing to be performed across the projects and we have a resource crunch. | |
COMPLETE | 1 | org.json : json : 20160212 | 20220924 | The change would bring in a major testing to be performed across the projects and we have a resource crunch. | |
IN PROGRESS | 1 | org.springframework : spring-web : 5.2.14.RELEASE | 6.0.2 | The change would bring in a major testing to be performed across the projects and we have a resource crunch | |
IN PROGRESS | 1 | org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE | 3.3.9.RELEASE | This needs further analysis and We are facing resource issue at the moment, request a waiver. | |
IN PROGRESS | 1 | org.springframework.security : spring-security-web : 5.4.6 | 3.0.11-oss | This needs further analysis and We are facing resource issue at the moment, request a waiver. | |
IN PROGRESS | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | This needs further analysis and We are facing resource issue at the moment, request a waiver. | |
IN PROGRESS | 2 | org.glassfish.jersey.core : jersey-common : 2.22.1 | Indirect dependency, | ||
IN PROGRESS | 2 | org.glassfish.jersey.core : jersey-common : 2.30.1 | Indirect dependency. | ||
IN PROGRESS | 2 | org.springframework : spring-webmvc : 5.2.12.RELEASE | 6.0.2 | This needs further analysis and We are facing resource issue at the moment, request a waiver. |
so-so-admin-cockpit
| Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch |
so-so-etsi-nfvo
| Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
| COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch. | |
IN PROGRESS | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. |