Versions Compared

Old Version 1

changes.mady.by.user Vijay Venkatesh Kumar

Saved on

compared with

New Version 2

changes.mady.by.user Vijay Venkatesh Kumar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


NOTE: This page is copy of Jakarta DCAE report created by SECCOM (excluded CVE info); any update should be done on parent page.


The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3 or a request for a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.
  • Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.
  • There are four status values:
    • Status
      titleOpen
      - required upgrade identified
    • Status
      colourBlue
      titleIn Progress
      - project working on the upgrade
    • Status
      colourGreen
      titleComplete
      - package has been upgraded to the recommended version
    • Status
      colourYellow
      titleWaiver
      - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete change the status in the table to

Status
colourGreen
titleComplete
.

If a waiver is granted, change the status to

Status
colourYellow
titleWaiver
.

When the status of all direct dependency replacements is

Status
colourGreen
titleComplete
or
Status
colourYellow
titleWaiver
, the Jira ticket should be closed.

dcaegen2-analytics-tca-gen2

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5

???

Already on latest; no non-vulnerable version available

Status
titleOPEN

2

undertow-core : 2.2.7.Final

5

5

2.2.14

2.2.14.Final

dcaegen2-collectors-datafile

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

spring-web : 5.3.6

9

7

4

5.3.135.3.13 or 5.3.14

Status
titleOPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5???Already on latest; no non-vulnerable version available

onap-dcaegen2-collectors-restconf

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status
titleOPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5???Already on latest; no non-vulnerable version available


1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

dcaegen2-collectors-hv-ves

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.6

72.8.92.8.9

dcaegen2-collectors-ves

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.6

72.8.92.8.9

Status
titleOPEN

2io.netty : netty-codec-http : 4.1.59.Final54.1.70.Final4.1.73.Final

Status
titleOPEN

2

io.springfox : springfox-swagger2 : 3.0.0

5???Already on latest; no non-vulnerable version available


org.apache.logging.log4j: log4j-core:2.16.0

2.17.1

dcaegen2-platform-mod-genprocessor

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)


1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status
titleOPEN

2

nifi-utils : 1.9.2

5
retain current version due to dependency with upstream nifi version on designer module

dcaegen2-platform-mod2-auth

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment  (Target for J)

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.6

72.8.9POC components; not part of ONAP deployment

Status
titleOPEN

1com.squareup.okhttp3 : okhttp : 4.0.174.9.3POC components; not part of ONAP deployment

dcaegen2-platform-mod2-catalog

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment  (Target for J)

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.6

72.8.9POC components; not part of ONAP deployment

Status
titleOPEN

1com.squareup.okhttp3 : okhttp : 4.0.174.9.3

POC components; not part of ONAP deployment

Status
titleOPEN

1

io.springfox : springfox-swagger-ui : 2.9.2

9

6

6

3.0.0POC components; not part of ONAP deployment

Status
titleOPEN

2io.springfox : springfox-swagger2 : 2.9.253.0.0POC components; not part of ONAP deployment

dcaegen2-platform-mod-runtimeapi

Status

Priority

Component name and version

CVE

Threat level

Recommended version

Project’s assessment  (Target for J)








caegen2-services-kpi-computation-ms

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment  (Target for J)

Status
titleOPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status
titleOPEN

1org.springframework : spring-web : 5.3.7

9

4

5.3.135.3.14


1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status
titleOPEN

2io.undertow : undertow-core : 2.2.8.Final

5

5

2.2.14.Final2.2.14.Final


org.springframework : spring-webmvc : 5.3.76
5.3.14

dcaegen2-services-bbs-event-processor

Status

Priority

Component name and version

CVE

Threat level

Recommended version

Project’s assessment








dcaegen2-services-mapper

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)


1

com.fasterxml.jackson.core : jackson-databind : 2.11.2

102.12.62.12.6


org.apache.logging.log4j: log4j-core:2.16.0

2.17.1

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status
titleOPEN

1xstream : 1.4.16

8

1.4.181.4.18

Status
titleOPEN

2

 xercesImpl : 2.12.15???Already on latest; no non-vulnerable version available

dcaegen2-services-pm-mapper

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9

Status
titleOPEN

2

undertow-core : 2.2.9.Final

5

4

4

2.2.14.Final

2.2.14.Final

2.2.16.Final

dcaegen2-services-prh

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)

Status
titleOPEN

1

org.apache.tomcat.embed : tomcat-embed-websocket : 9.0.48

7

10.1.0M7

Either 10.1.0-M8 or  9.0.56 

Status
titleOPEN

1

org.springframework : spring-web : 5.3.8

9

4

5.3.13 RELEASE

5.3.14

dcaegen2-services-sdk

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment

Status
titleOPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status
titleOPEN

1

com.google.code.gson : gson : 2.8.5

72.8.92.8.9


org.springframework : spring-webflux : 5.3.16
5.3.14

dcaegen2-services-son-handler

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment


1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status
titleOPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status
titleOPEN

1

org.springframework : spring-web : 5.3.7.RELEASE

9

4

5.3.13 RELEASE

5.3.14


org.springframework : spring-webmvc : 5.3.76
5.3.14

Status
titleOPEN

1

org.apache.tomcat.embed : tomcat-embed-core : 9.0.46

6

10.1.0-M7

9.0.50 or 10.1.0-M8

dcaegen2-services-slice-analysis-ms

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment


1

com.fasterxml.jackson.core : jackson-databind : 2.11.0

102.12.62.12.6

Status
titleOPEN

1

ch.qos.logback : logback-core : 1.3.0-alpha0

81.2.101.2.10

Status
titleOPEN

1

org.springframework : spring-web : 5.3.7.RELEASE

9

4

5.3.13 RELEASE

5.3.14


org.springframework : spring-webmvc : 5.3.76
5.3.14

Status
titleOPEN

2

org.apache.tomcat.embed : tomcat-embed-core : 9.0.46

6

10.1.0-M7

9.0.50 or 10.1.0-M8


dcaegen2-platform-mod2-helmgenerator

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)



com.fasterxml.jackson.core : jackson-databind : 2.10.3

10
2.12.6



com.squareup.okhttp3 : okhttp : 4.0.1

5
4.9.3


commons-io : commons-io : 2.4

2.11.0


dcaegen2-platform-ves-openapi-manager

Status

Priority

Component name and version

Threat level

Recommended version

Project’s assessment (Target for J)



com.fasterxml.jackson.core : jackson-databind : 2.9.4

10
2.12.6