The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
  - OPEN - required upgrade identified
  - IN PROGRESS - project working on the upgrade
  - COMPLETE - package has been upgraded to the recommended version
  - WAIVER - project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete, change the status in the table to COMPLETE.
If a waiver is granted, change the status to WAIVER.
When the status of all direct dependency replacements is COMPLETE or WAIVER, the Jira ticket should be closed.
dcaegen2-analytics-tca-gen2
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | |
OPEN | 2 | undertow-core : 2.2.7.Final | 5 5 | 2.2.14 | |
dcaegen2-collectors-datafile
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | spring-web : 5.3.6 | 9 7 4 | 5.3.13 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | |
onap-dcaegen2-collectors-restconf
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | |
dcaegen2-collectors-hv-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
dcaegen2-collectors-ves
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 2 | io.netty : netty-codec-http : 4.1.59.Final | 5 | 4.1.70.Final | |
OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | |
dcaegen2-platform-mod-genprocessor
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 2 | nifi-utils : 1.9.2 | 5 | 1.15.0 | |
dcaegen2-platform-mod2-auth
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | |
dcaegen2-platform-mod2-catalog
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.6 | 7 | 2.8.9 | |
OPEN | 1 | com.squareup.okhttp3 : okhttp : 4.0.1 | 7 | 4.9.3 | |
OPEN | 1 | io.springfox : springfox-swagger-ui : 2.9.2 | 9 6 6 | 3.0.0 | |
OPEN | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | 3.0.0 | |
dcaegen2-platform-mod-runtimeapi
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
dcaegen2-services-kpi-computation-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | org.springframework : spring-web : 5.3.7 | 9 4 | 5.3.13 | |
OPEN | 2 | io.undertow : undertow-core : 2.2.8.Final | 5 5 | 2.2.14.Final | |
dcaegen2-services-bbs-event-processor
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
dcaegen2-services-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 1 | xstream : 1.4.16 | 8 | 1.4.18 | |
OPEN | 2 | xercesImpl : 2.12.1 | 5 | ??? | |
dcaegen2-services-pm-mapper
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
OPEN | 2 | undertow-core : 2.2.9.Final | 5 4 4 | 2.2.14.Final | |
dcaegen2-services-prh
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48 | 7 | 10.1.0M7 | |
OPEN | 1 | org.springframework : spring-web : 5.3.8.RELEASE | 9 4 | 5.3.13 RELEASE | |
dcaegen2-services-sdk
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | com.google.code.gson : gson : 2.8.5 | 7 | 2.8.9 | |
dcaegen2-services-son-handler
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 8 | 1.3.0-alpha10 | |
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE | |
OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | |
dcaegen2-services-slice-analysis-ms
Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
OPEN | 1 | org.springframework : spring-web : 5.3.7.RELEASE | 9 4 | 5.3.13 RELEASE | |
OPEN | 2 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.46 | 6 | 10.1.0-M7 | |