DCAE R12 London Vulnerability - SECCOM Report
- Vijay Kumar
- Kedar Ambekar
- Shuting Qing
NOTE: This page is copy of /wiki/spaces/SV/pages/16094094 report created by SECCOM under DCAEGEN2-3318 (excluded CVE info); any update should be done on parent page.
The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.
- Priority 1 recommendations have at least one Critical vulnerability.
- Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
- There are four status values:
- OPEN - required upgrade identified
- IN PROGRESS - project working on the upgrade
- COMPLETE - package has been upgraded to the recommended version
- WAIVER - project granted a waiver for the upgrade because of technical or resource constraints
When the upgrade of the package is complete change the status in the table to COMPLETE.
If a waiver is granted, change the status to WAIVER.
When the status of all direct dependency replacements is COMPLETE or WAIVER, the Jira ticket should be closed.
dcaegen2-analytics-tca-gen2
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | io.undertow : undertow-core : 2.2.17.Final | 2.3.0.Final | ||
COMPLETE | 2 | io.springfox : springfox-swagger-ui : 2.10.5 | 3.0.0 | ||
COMPLETE | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version |
dcaegen2-collectors-datafile
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65 | 10.1.2 | This is transient dependency from spring-boot; upgraded to tomcat 9.0.65 which is default in the spring-boot 2.7.2. Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to. | |
COMPLETE | 1 | org.springframework : spring-web : 5.3.22 | 6.0.2 | Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to. | |
| 2 | io.springfox : springfox-swagger-ui : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version | ||
COMPLETE | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version |
dcaegen2-collectors-hv-ves
Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment |
| No vulnerable components |
onap-dcaegen2-collectors-restconf
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | org.codehaus.jettison : jettison : 1.3.7 | 1.5.2 | ||
COMPLETE | 2 | io.springfox : springfox-swagger-ui : 2.10.5 | 3.0.0 | ||
COMPLETE | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version |
dcaegen2-collectors-ves
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 2 | io.springfox : springfox-swagger-ui : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version | |
COMPLETE | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 3.0.0 | SECCOM: 3.0. is the latest version |
dcaegen2-platform-mod-genprocessor
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
WAIVER | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.0 | 2.14.1 | The component will be retired in London release, hence no upgrade is needed. | |
WAIVER | 1 | org.apache.commons : commons-text : 1.7 | 1.10.0 | ||
WAIVER | 2 | org.apache.nifi : nifi-utils : 1.9.2 | 1.19.0 |
dcaegen2-platform-mod-runtimeapi
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
WAIVER | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | The component will be retired in London release, hence no upgrade is needed. | |
WAIVER | 2 | io.springfox : springfox-swagger-ui : 3.0.0 | 3.0.0 |
dcaegen2-platform-mod2-helm-generator
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
WAIVER | 1 | com.fasterxml.jackson.core : jackson-databind : 2.10.3 | 2.14.1 | The component will be retired in London release, hence no upgrade is needed. |
dcaegen2-platform-ves-openapi-manager
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 |
dcaegen2-services-kpi-computation-ms
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 1.4.5 | ||
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | io.undertow : undertow-core : 2.2.17.Final | 2.3.0.Final | ||
COMPLETE | 1 | org.springframework : spring-web : 5.3.20 | 6.0.2 | Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to. | |
COMPLETE | 2 | org.eclipse.jetty : jetty-server : 9.4.41.v20210516 | 11.0.12 |
dcaegen2-services-mapper
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | com.thoughtworks.xstream : xstream : 1.4.19 | 1.4.19 | ||
COMPLETE | 1 | org.postgresql : postgresql : 42.3.6 | 42.5.1 | ||
COMPLETE | 2 | io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE | 1.1.0 | ||
COMPLETE | 2 | xerces : xercesImpl : 2.12.2 | 2.12.2 |
dcaegen2-services-pm-mapper
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | io.undertow : undertow-core : 2.2.17.Final | 2.3.0.Final |
dcaegen2-services-prh
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | org.apache.commons : commons-text : 1.6 | 1.10.0 | ||
COMPLETE | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65 | 10.1.2 | Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to. | |
COMPLETE | 1 | org.springframework : spring-web : 5.3.22 | 6.0.2 | Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to. |
dcaegen2-services-sdk
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | com.google.protobuf : protobuf-java : 3.21.1 | 4.0.0-rc-2 |
dcaegen2-services-slice-analysis-ms
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 1.4.5 | ||
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65 | 10.1.2 | Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to. | |
COMPLETE | 1 | org.postgresql : postgresql : 42.3.6 | 42.5.1 | ||
COMPLETE | 1 | org.springframework : spring-web : 5.3.20 | 6.0.2 | Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to. | |
COMPLETE | 2 | org.eclipse.jetty : jetty-server : 9.4.41.v20210516 | 11.0.12 |
dcaegen2-services-son-handler
Status | Priority | Component name and version | Recommended version | Threat level | Project’s assessment |
COMPLETE | 1 | ch.qos.logback : logback-core : 1.3.0-alpha0 | 1.4.5 | ||
COMPLETE | 1 | com.fasterxml.jackson.core : jackson-databind : 2.13.3 | 2.14.1 | ||
COMPLETE | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65 | 10.1.2 | Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to. | |
COMPLETE | 1 | org.postgresql : postgresql : 42.3.6 | 42.5.1 | ||
COMPLETE | 1 | org.springframework : spring-web : 5.3.20 | 6.0.2 | Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to. | |
COMPLETE | 2 | io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE | 1.1.0 | ||
COMPLETE | 2 | org.eclipse.jetty : jetty-server : 9.4.40.v20210413 | 11.0.12 |
The following had no violations (or no direct violations):
- dcaegen2-deployments
- dcaegen2-platform-adapter-acumos
- dcaegen2-platform-mod-designtool
- dcaegen2-platform-mod-distributorapi
- dcaegen2-platform-mod-onboardingapi
dcaegen2-platform-mod2-catalog-service
dcaegen2-platform-mod2-auth-service
- dcaegen2-platform-mod2-ui
- dcaegen2-services-heartbeat
- dcaegen2-utils
- dcaegen2