To reduce the number of ONAP security vulnerabilities, ONAP is using the O-Parent project to provide centralized version management of common 3rd party Java libraries.  This has the benefit of reducing the number of disparate versions of the same 3rd party package that is being used across ONAP, and reduces the attack surface correspondingly.  More detailed discussion on this thread is here.

How to Use

  1. Import Dependency Versions
  2. Remove Specific Library Versions from Project pom

Step 1: Import Dependency Versions

Option 1.A: Inherit from O-Parent

The managed package versions are automatically imported into your project poms if you inherit from the latest version of oparent: O-Parent (oparent).  Most ONAP projects should implement this option.

Set the parent POM in your pom.xml as follows.  Be sure to use the current version of oparent as declared in the version manifest; see ONAP Version Manifest Maven Plugin.

<parent>
    <groupId>org.onap.oparent</groupId>
    <artifactId>oparent</artifactId>
    <version>1.2.0</version>
    <relativePath/>
</parent>


Option 1.B: Manually Import Dependency Versions

If your project has specific technical reasons that prevents it from being able to inherit from O-Parent (e.g. CCSDK), you can manually import the dependency versions.  To do so:

Add the following dependency to the dependencyManagement section in your pom.xml.  Be sure to use the current version of oparent:dependencies as declared in the version manifest; see ONAP Version Manifest Maven Plugin.

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.onap.oparent</groupId>
        <artifactId>dependencies</artifactId>
        <version>1.2.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>


Step 2: Remove Specific Library Versions from Project pom

Once the the dependency library versions have been imported using Step 1 above, you should remove the specific library versions of the management libraries from your own project pom files.  This will ensure that you will always use the centrally managed and vetted dependency library versions.


Managed 3rd Party Libraries

The current list of standard 3rd party library package versions can be seen here:

https://git.onap.org/oparent/tree/dependencies/pom.xml

  • No labels