NOTE: This page is copy of /wiki/spaces/SV/pages/16094094 report created by SECCOM under DCAEGEN2-3318 (excluded CVE info); any update should be done on parent page.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

Priority 1 recommendations have at least one Critical vulnerability.
Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
There are four status values:
- OPEN - required upgrade identified
- IN PROGRESS - project working on the upgrade
- COMPLETE - package has been upgraded to the recommended version
- WAIVER - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to COMPLETE.

If a waiver is granted, change the status to WAIVER.

When the status of all direct dependency replacements is COMPLETE or WAIVER, the Jira ticket should be closed.

dcaegen2-analytics-tca-gen2

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	io.undertow : undertow-core : 2.2.17.Final	2.3.0.Final
COMPLETE	2	io.springfox : springfox-swagger-ui : 2.10.5	3.0.0
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-collectors-datafile

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2		This is transient dependency from spring-boot; upgraded to tomcat 9.0.65 which is default in the spring-boot 2.7.2. Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.springframework : spring-web : 5.3.22	6.0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-collectors-hv-ves

Status	Priority	Component name and version	CVE	Threat level	Recommended version	Project’s assessment
						No vulnerable components

onap-dcaegen2-collectors-restconf

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.codehaus.jettison : jettison : 1.3.7	1.5.2
COMPLETE	2	io.springfox : springfox-swagger-ui : 2.10.5	3.0.0
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-collectors-ves

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version
COMPLETE	2	io.springfox : springfox-swagger2 : 3.0.0	3.0.0		SECCOM: 3.0. is the latest version

dcaegen2-platform-mod-genprocessor

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
WAIVER	1	com.fasterxml.jackson.core : jackson-databind : 2.11.0	2.14.1		The component will be retired in London release, hence no upgrade is needed.
WAIVER	1	org.apache.commons : commons-text : 1.7	1.10.0
WAIVER	2	org.apache.nifi : nifi-utils : 1.9.2	1.19.0

dcaegen2-platform-mod-runtimeapi

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
WAIVER	1	org.yaml : snakeyaml : 1.26	1.33		The component will be retired in London release, hence no upgrade is needed.
WAIVER	2	io.springfox : springfox-swagger-ui : 3.0.0	3.0.0

dcaegen2-platform-mod2-helm-generator

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
WAIVER	1	com.fasterxml.jackson.core : jackson-databind : 2.10.3	2.14.1		The component will be retired in London release, hence no upgrade is needed.

dcaegen2-platform-ves-openapi-manager

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1

dcaegen2-services-kpi-computation-ms

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	io.undertow : undertow-core : 2.2.17.Final	2.3.0.Final
COMPLETE	1	org.springframework : spring-web : 5.3.20	6.0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	org.eclipse.jetty : jetty-server : 9.4.41.v20210516	11.0.12

dcaegen2-services-mapper

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	com.thoughtworks.xstream : xstream : 1.4.19	1.4.19
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	2	io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE	1.1.0
COMPLETE	2	xerces : xercesImpl : 2.12.2	2.12.2

dcaegen2-services-pm-mapper

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	io.undertow : undertow-core : 2.2.17.Final	2.3.0.Final

dcaegen2-services-prh

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	org.apache.commons : commons-text : 1.6	1.10.0
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2		Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.springframework : spring-web : 5.3.22	6.0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.

dcaegen2-services-sdk

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	com.google.protobuf : protobuf-java : 3.21.1	4.0.0-rc-2

dcaegen2-services-slice-analysis-ms

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2		Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	1	org.springframework : spring-web : 5.3.20	6.0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	org.eclipse.jetty : jetty-server : 9.4.41.v20210516	11.0.12

dcaegen2-services-son-handler

Status	Priority	Component name and version	Recommended version	Threat level	Project’s assessment
COMPLETE	1	ch.qos.logback : logback-core : 1.3.0-alpha0	1.4.5
COMPLETE	1	com.fasterxml.jackson.core : jackson-databind : 2.13.3	2.14.1
COMPLETE	1	org.apache.tomcat.embed : tomcat-embed-core : 9.0.65	10.1.2		Recommended version requires Springboot-3 and Spring-6 which in turn require Java-17. In London release, version 9.0.72 will be upgraded to.
COMPLETE	1	org.postgresql : postgresql : 42.3.6	42.5.1
COMPLETE	1	org.springframework : spring-web : 5.3.20	6.0.2		Recommended version requires Java-17. In London release, version 5.3.25 will be upgraded to.
COMPLETE	2	io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE	1.1.0
COMPLETE	2	org.eclipse.jetty : jetty-server : 9.4.40.v20210413	11.0.12

The following had no violations (or no direct violations):

dcaegen2-deployments
dcaegen2-platform-adapter-acumos
dcaegen2-platform-mod-designtool
dcaegen2-platform-mod-distributorapi
dcaegen2-platform-mod-onboardingapi
dcaegen2-platform-mod2-catalog-service
dcaegen2-platform-mod2-auth-service
dcaegen2-platform-mod2-ui
dcaegen2-services-heartbeat
dcaegen2-utils
dcaegen2

Browser not supported