
NOTE: This page is a copy of the /wiki/spaces/SV/pages/16094094 report created by SECCOM under DCAEGEN2-3318, with the CVE information excluded (the Threat level column is therefore empty in this copy and omitted from the tables below); any update should be made on the parent page.


The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.
  • Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
  • There are four status values:
    • OPEN - required upgrade identified
    • IN PROGRESS - project working on the upgrade
    • COMPLETE - package has been upgraded to the recommended version
    • WAIVER - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of a package is complete, change its status in the table to COMPLETE.

If a waiver is granted, change the status to WAIVER.

When the status of every direct dependency replacement is COMPLETE or WAIVER, the Jira ticket should be closed.
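One way to verify a row before changing it to COMPLETE, as an added example that is not part of the SECCOM report or of any DCAEGEN2 project's code: the script below reads a project's pom.xml, resolves the ${property} versions declared in that pom, compares each direct dependency that appears in the tables against the recommended version using a simplified form of Maven's ComparableVersion ordering (enough for the Final, RELEASE, alpha, rc and Jetty v-date qualifiers seen in these tables), and reports OPEN, COMPLETE or MANAGED. The sample pom, its org.example coordinates and the subset of recommendations embedded in RECOMMENDED are constructed for the example; the tables on this page remain the source of truth.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Recommended versions copied from the tables on this page (group:artifact -> version).
RECOMMENDED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.14.1",
    "io.undertow:undertow-core": "2.3.0.Final",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.2",
    "org.springframework:spring-web": "6.0.2",
    "io.springfox:springfox-swagger2": "3.0.0",
}

# Simplified Maven ComparableVersion ordering: pre-release qualifiers sort below the bare
# release, Final/GA/RELEASE alias it, unknown qualifiers (Jetty's "v20210516") sort after it.
QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2, "rc": 3,
                  "cr": 3, "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6}
RELEASE_ALIASES = {"", "final", "ga", "release"}


def tokenize(version):
    """'2.2.17.Final' -> ['2','2','17']; '1.3.0-alpha0' -> ['1','3','0','alpha'] (trailing 0/Final dropped)."""
    tokens = re.findall(r"\d+|[a-z]+", version.lower())
    while tokens and (tokens[-1] in RELEASE_ALIASES or tokens[-1].isdigit() and int(tokens[-1]) == 0):
        tokens.pop()
    return tokens


def _token_cmp(a, b):
    """Compare two tokens; None (shorter version) counts as 0 against a number, else as release."""
    if a is None and b is None:
        return 0
    a = ("0" if b.isdigit() else "") if a is None else a
    b = ("0" if a.isdigit() else "") if b is None else b
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    if a.isdigit() or b.isdigit():
        return 1 if a.isdigit() else -1  # a number is newer than any qualifier
    ra, rb = QUALIFIER_RANK.get(a, 7), QUALIFIER_RANK.get(b, 7)
    return (ra > rb) - (ra < rb) or (a > b) - (a < b)


def compare_versions(left, right):
    """Return -1, 0 or 1 (left older than, equal to, newer than right)."""
    la, lb = tokenize(left), tokenize(right)
    for i in range(max(len(la), len(lb))):
        c = _token_cmp(la[i] if i < len(la) else None, lb[i] if i < len(lb) else None)
        if c:
            return c
    return 0


def direct_dependencies(pom_xml):
    """Yield (group:artifact, version) per direct dependency; version is None when inherited."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = dep.findtext("m:groupId", "", NS) + ":" + dep.findtext("m:artifactId", "", NS)
        version = (dep.findtext("m:version", "", NS) or "").strip() or None
        if version:  # resolve ${property} references declared in this pom
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        yield ga, version


def check_pom(pom_xml, recommended=RECOMMENDED):
    """Map each direct dependency that appears in the table to OPEN / COMPLETE / MANAGED."""
    result = {}
    for ga, version in direct_dependencies(pom_xml):
        if ga not in recommended:
            continue
        if version is None or "${" in version:
            # Inherited from the parent/BOM or unresolved: confirm with `mvn dependency:tree`.
            result[ga] = "MANAGED"
        elif compare_versions(version, recommended[ga]) >= 0:
            result[ga] = "COMPLETE"
        else:
            result[ga] = "OPEN ({} < {})".format(version, recommended[ga])
    return result


# Constructed sample pom (not a real DCAEGEN2 pom): property-driven, upgraded, inherited, current.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.7.2</version></parent>
  <properties><jackson.version>2.13.3</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
                <version>${jackson.version}</version></dependency>
    <dependency><groupId>io.undertow</groupId><artifactId>undertow-core</artifactId>
                <version>2.3.0.Final</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId></dependency>
    <dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId><version>3.0.0</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for ga, status in sorted(check_pom(SAMPLE_POM).items()):
        print("{:24} {}".format(status, ga))
```

A MANAGED result means the version is inherited from a parent or BOM, as with tomcat-embed-core under spring-boot-starter-parent, where the effective version is set by the BOM's `tomcat.version` property and overriding that property in the project pom is how the version is raised; resolve the effective version with `mvn dependency:tree` or `mvn help:effective-pom` before updating the status. The script only inspects direct dependencies, which is the scope of these tables.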

dcaegen2-analytics-tca-gen2

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
COMPLETE    | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
COMPLETE    | 1        | io.undertow : undertow-core : 2.2.17.Final               | 2.3.0.Final         |
COMPLETE    | 2        | io.springfox : springfox-swagger-ui : 2.10.5             | 3.0.0               |
COMPLETE    | 2        | io.springfox : springfox-swagger2 : 3.0.0                | 3.0.0               | SECCOM: 3.0.0 is the latest version

dcaegen2-collectors-datafile

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
IN PROGRESS | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
IN PROGRESS | 1        | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65     | 10.1.2              | This is a transitive dependency from spring-boot; upgraded to tomcat 9.0.65, which is the default in spring-boot 2.7.2
IN PROGRESS | 1        | org.springframework : spring-web : 5.3.22                | 6.0.2               |
COMPLETE    | 2        | io.springfox : springfox-swagger-ui : 3.0.0              | 3.0.0               | SECCOM: 3.0.0 is the latest version
COMPLETE    | 2        | io.springfox : springfox-swagger2 : 3.0.0                | 3.0.0               | SECCOM: 3.0.0 is the latest version

dcaegen2-collectors-hv-ves

No vulnerable components.

onap-dcaegen2-collectors-restconf

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
COMPLETE    | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
COMPLETE    | 1        | org.codehaus.jettison : jettison : 1.3.7                 | 1.5.2               |
COMPLETE    | 2        | io.springfox : springfox-swagger-ui : 2.10.5             | 3.0.0               |
COMPLETE    | 2        | io.springfox : springfox-swagger2 : 3.0.0                | 3.0.0               | SECCOM: 3.0.0 is the latest version

dcaegen2-collectors-ves

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
COMPLETE    | 2        | io.springfox : springfox-swagger-ui : 3.0.0              | 3.0.0               | SECCOM: 3.0.0 is the latest version
COMPLETE    | 2        | io.springfox : springfox-swagger2 : 3.0.0                | 3.0.0               | SECCOM: 3.0.0 is the latest version

dcaegen2-platform-mod-genprocessor

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
WAIVER      | 1        | com.fasterxml.jackson.core : jackson-databind : 2.11.0   | 2.14.1              | The component will be retired in the London release, hence no upgrade is needed.
WAIVER      | 1        | org.apache.commons : commons-text : 1.7                  | 1.10.0              |
WAIVER      | 2        | org.apache.nifi : nifi-utils : 1.9.2                     | 1.19.0              |

dcaegen2-platform-mod-runtimeapi

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
WAIVER      | 1        | org.yaml : snakeyaml : 1.26                              | 1.33                | The component will be retired in the London release, hence no upgrade is needed.
WAIVER      | 2        | io.springfox : springfox-swagger-ui : 3.0.0              | 3.0.0               |

dcaegen2-platform-mod2-helm-generator

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
WAIVER      | 1        | com.fasterxml.jackson.core : jackson-databind : 2.10.3   | 2.14.1              | The component will be retired in the London release, hence no upgrade is needed.

dcaegen2-platform-ves-openapi-manager

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
IN PROGRESS | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |



dcaegen2-services-kpi-computation-ms

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
OPEN        | 1        | ch.qos.logback : logback-core : 1.3.0-alpha0             | 1.4.5               |
OPEN        | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
OPEN        | 1        | io.undertow : undertow-core : 2.2.17.Final               | 2.3.0.Final         |
OPEN        | 1        | org.springframework : spring-web : 5.3.20                | 6.0.2               |
OPEN        | 2        | org.eclipse.jetty : jetty-server : 9.4.41.v20210516      | 11.0.12             |

dcaegen2-services-mapper

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
COMPLETE    | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
COMPLETE    | 1        | com.thoughtworks.xstream : xstream : 1.4.19              | 1.4.19              |
COMPLETE    | 1        | org.postgresql : postgresql : 42.3.6                     | 42.5.1              |
COMPLETE    | 2        | io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE | 1.1.0               |
COMPLETE    | 2        | xerces : xercesImpl : 2.12.2                             | 2.12.2              |

dcaegen2-services-pm-mapper

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
IN PROGRESS | 1        | io.undertow : undertow-core : 2.2.17.Final               | 2.3.0.Final         |


dcaegen2-services-prh

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
OPEN        | 1        | org.apache.commons : commons-text : 1.6                  | 1.10.0              |
OPEN        | 1        | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65     | 10.1.2              |
OPEN        | 1        | org.springframework : spring-web : 5.3.22                | 6.0.2               |

dcaegen2-services-sdk

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
IN PROGRESS | 1        | com.google.protobuf : protobuf-java : 3.21.1             | 4.0.0-rc-2          |

dcaegen2-services-slice-analysis-ms

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
OPEN        | 1        | ch.qos.logback : logback-core : 1.3.0-alpha0             | 1.4.5               |
OPEN        | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
OPEN        | 1        | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65     | 10.1.2              |
OPEN        | 1        | org.postgresql : postgresql : 42.3.6                     | 42.5.1              |
OPEN        | 1        | org.springframework : spring-web : 5.3.20                | 6.0.2               |
OPEN        | 2        | org.eclipse.jetty : jetty-server : 9.4.41.v20210516      | 11.0.12             |

dcaegen2-services-son-handler

Status      | Priority | Component name and version                               | Recommended version | Project’s assessment
------------|----------|----------------------------------------------------------|---------------------|---------------------
OPEN        | 1        | ch.qos.logback : logback-core : 1.3.0-alpha0             | 1.4.5               |
OPEN        | 1        | com.fasterxml.jackson.core : jackson-databind : 2.13.3   | 2.14.1              |
OPEN        | 1        | org.apache.tomcat.embed : tomcat-embed-core : 9.0.65     | 10.1.2              |
OPEN        | 1        | org.postgresql : postgresql : 42.3.6                     | 42.5.1              |
OPEN        | 1        | org.springframework : spring-web : 5.3.20                | 6.0.2               |
OPEN        | 2        | io.projectreactor.netty : reactor-netty : 0.9.12.RELEASE | 1.1.0               |
OPEN        | 2        | org.eclipse.jetty : jetty-server : 9.4.40.v20210413      | 11.0.12             |

The following had no violations (or no direct violations):

  • dcaegen2-deployments
  • dcaegen2-platform-adapter-acumos
  • dcaegen2-platform-mod-designtool
  • dcaegen2-platform-mod-distributorapi
  • dcaegen2-platform-mod-onboardingapi
  • dcaegen2-platform-mod2-catalog-service
  • dcaegen2-platform-mod2-auth-service
  • dcaegen2-platform-mod2-ui
  • dcaegen2-services-heartbeat
  • dcaegen2-utils
  • dcaegen2