NOTE: This page is copy of /wiki/spaces/SV/pages/16094118 report

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- OPEN - required upgrade identified
- IN PROGRESS - project working on the upgrade
- COMPLETE - package has been upgraded to the recommended version
- WAIVER - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to COMPLETE.

If a waiver is granted, change the status to WAIVER.

When the status of all direct dependency replacements is COMPLETE or WAIVER , the Jira ticket should be closed.

so-adapters-so-etsi-sol003-adapter

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.11.3	2.14.1		This is indirect dependency coming from the o-parent. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch
IN PROGRESS	1	org.yaml : snakeyaml : 1.26	1.33		This needs further analysis and is being checked in detail. We have a resource crunch at the moment. 06 Sep 2023 As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So we try update it 1.31 version its working so we push the code changes. commit code in community https://gerrit.onap.org/r/c/so/+/135858

so-libs

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.11.1	2.14.1		This is indirect dependency coming from the o-parent. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch

so

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.11.3	2.14.1		This is indirect dependency coming from the o-parent. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.9.8	2.14.1		Same as above
COMPLETE	1	com.google.protobuf : protobuf-java : 3.10.0	4.0.0-rc-2		This needs further analysis and is being checked in detail. We have a resource crunch at the moment. 26 Jul 2023 This dependancy is excluded in SO pom.xml therefor no impact, require no change in SO
COMPLETE	1	com.h2database : h2 : 1.4.200	0.16.4		We dont use this code in the production and is only built for testing code. 17 Aug 2023 1) As per analysis the recommend version is lowest which is not available in Maven dependency. 2) We update the latest version 2.1.214 and its work i.e. code build successfully. Reference link: https://mvnrepository.com/artifact/com.h2database/h2
IN PROGRESS	1	org.apache.tomcat : tomcat-catalina : 9.0.45	9.0.37.1		This needs further analysis and We are facing resource issue at the moment, request a waiver. 06 Sep 2023 We are not able to find this dependency.
COMPLETE	1	org.json : json : 20140107	20220924		The change would bring in a major testing to be performed across the projects and we have a resource crunch. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch
COMPLETE	1	org.json : json : 20160212	20220924		The change would bring in a major testing to be performed across the projects and we have a resource crunch. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch
OPEN	1	org.springframework : spring-web : 5.2.14.RELEASE	6.0.2		09 Aug 2023 Spring Framework 6 requires Java 17
COMPLETE	1	org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE	3.3.9.RELEASE		17 Aug 2023 change is pushed
COMPLETE	1	org.springframework.security : spring-security-web : 5.4.6	3.0.11-oss		This needs further analysis and We are facing resource issue at the moment, request a waiver. 17 Aug 2023 1) As per our analysis the recommended version 3.0.11-oss is not related to Spring-Security-Web. It is related to AJSC Archetype Parent which is not used in our SO Project (atleast we did not find it). 2) Therefore we can update the latest version of spring-security-web version 6.1.2 and its work i.e. code build successfully. Reference links https://mvnrepository.com/artifact/com.att.ajsc/ajsc-archetype-parent/3.0.11-oss and https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.1.2
IN PROGRESS	1	org.yaml : snakeyaml : 1.26	1.33		This needs further analysis and We are facing resource issue at the moment, request a waiver. 06 Sep 2023 As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So we try update it 1.31 version its working so we push the code changes. commit code in community https://gerrit.onap.org/r/c/so/+/135858
COMPLETE	2	org.glassfish.jersey.core : jersey-common : 2.22.1			17 Aug 2023 change is pushed
COMPLETE	2	org.glassfish.jersey.core : jersey-common : 2.30.1			17 Aug 2023 change is pushed
OPEN	2	org.springframework : spring-webmvc : 5.2.12.RELEASE	6.0.2		09 Aug 2023 Spring Framework 6 requires Java 17

so-so-admin-cockpit

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.11.1	2.14.1		This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch 25 Jul 2023 The version 2.14.2 is updated and available in Master branch

so-so-etsi-nfvo

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.11.1	2.14.1		This is indirect dependency coming from the o-parent. The change would bring in a major testing to be performed across the projects and we have a resource crunch. 25 Jul 2023 The version 2.14.2 is updated and available in Master branch
IN PROGRESS	1	org.yaml : snakeyaml : 1.26	1.33		This needs further analysis and is being checked in detail. We have a resource crunch at the moment. 06 Sep 2023 As per our analysis 1.33 version not supported it required Spring Boot 3.0.0 version. So we try update it 1.31 version its working so we push the code changes. commit code in community https://gerrit.onap.org/r/c/so/+/135858

SO Security Vulnerabilities

so-adapters-so-etsi-sol003-adapter

so-libs

so

so-so-admin-cockpit

so-so-etsi-nfvo