Proposal: Remediation of Known Vulnerabilities in Third Party Packages

In order to fulfill REQ-265 TSC Approval at M2 with Epic Link Software Composition Analysis, projects are to focus on upgrading the packages that are direct dependencies instead of analyzing the actual vulnerabilities.

Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
Projects update direct dependencies in their applications to most recent version of packages
- Projects identify the direct dependencies (packages) in each project component
  - NexusIQ provides a list of all packages used in a component
  - Maven creates dependency tree that identifies direct dependencies as the "left-most packages"
- By M2 Projects open Jiras to update older package versions in direct dependencies and commits to upgrading by M4 or provides reason that the package cannot be upgraded
  - NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
  - Include the new version number in the Jira ticket
- No requirement to upgrade transitive dependent packages
SECCOM will update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
All known CVEs for each component will be listed in readthedocs for the release with no analysis.

CLAMP team to investigate writing a script to automatically generate of project Jira tickets for all direct dependencies for all project.
- Include label "ComponentUpgrade"
Each PTL will indicate upgrade plans in M2 as follows.
- case 1: direct dependency at latest version
  - PTL creates Jira comment stating that the package is at the latest version with the version number, and closes ticket
- case 2: direct dependency at older version
  - case 1: project creates Jira comment stating that the package will be upgraded
  - case 2: project creates in Jira comment stating that package will not be upgraded and provides reason