Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »


Projects are to focus on upgrading the packages that are direct dependencies to the latest version at M2.

  • Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
  • Projects update direct dependencies in their applications to most recent version of packages
    • Projects identify the direct dependencies (packages) in each project component
      • NexusIQ provides a list of all packages used in a component
    • Projects open Jiras to update older package versions in direct dependencies and commit to upgrading by M4
      • NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
      • Include the new version number in the Jira ticket
    • No requirement to upgrade transitive dependent packages
  • SECCOM will  update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
  • All known CVEs for each component will be listed in readthedocs for the release with no analysis.


  • No labels