To fulfill REQ-265 (TSC approval at M2, epic link: Software Composition Analysis), projects are to focus on upgrading the packages that are direct dependencies to the latest version available at M2, instead of analyzing the actual vulnerabilities.

  • Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
  • Projects update direct dependencies in their applications to most recent version of packages
    • Projects identify the direct dependencies (packages) in each project component
      • NexusIQ provides a list of all packages used in a component
      • Maven creates dependency tree that identifies direct dependencies as the "left-most packages"
    • By M2, projects open Jiras to update older package versions in direct dependencies and commit to upgrading by M4, or provide a reason that the package cannot be upgraded
      • NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
      • Include the new version number in the Jira ticket
    • No requirement to upgrade transitive dependent packages
  • SECCOM will update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
  • All known CVEs for each component will be listed in readthedocs for the release with no analysis.
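The steps above (identify the direct dependencies from the Maven dependency tree, compare each against the latest GA release, and record the target version in the Jira) can be scripted. The following is an added example, not part of the SECCOM page or any ONAP project's code: it parses `mvn dependency:tree` text, keeps only the "left-most" (direct) packages, and reports those whose version differs from a supplied latest-GA table. The tree text and the `LATEST_GA` map are constructed sample data standing in for real `mvn` output and for the package history that NexusIQ provides; the coordinates and versions in them are hypothetical.

```python
"""Identify direct Maven dependencies from `mvn dependency:tree` output and
flag those behind the latest GA release.

Added example, not from the ONAP/SECCOM page; the tree text and the
"latest GA" map below are constructed sample data, not real NexusIQ output.
"""
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical component.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-app ---
[INFO] org.onap.example:example-app:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework:spring-core:jar:5.1.2.RELEASE:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.1.2.RELEASE:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Constructed stand-in for the "latest GA release at M2" that the page says
# NexusIQ package history provides; values are hypothetical, not a real lookup.
LATEST_GA = {
    "org.springframework:spring-core": "5.1.4.RELEASE",
    "com.fasterxml.jackson.core:jackson-databind": "2.9.8",
    "junit:junit": "4.12",
}

# A direct dependency sits one level below the root: its line starts with
# "[INFO] +- " or "[INFO] \- " with no "|" or spaces before the branch marker.
# Transitive dependencies are indented further ("[INFO] |  \- ..." etc.).
DIRECT_RE = re.compile(r"^\[INFO\] [+\\]- (\S+)$")


def parse_coordinates(coord: str) -> dict:
    """Split groupId:artifactId:type[:classifier]:version:scope into parts."""
    parts = coord.split(":")
    # Maven prints 5 fields (g:a:type:version:scope) or 6 when a classifier is present.
    if len(parts) == 5:
        group, artifact, ptype, version, scope = parts
    elif len(parts) == 6:
        group, artifact, ptype, _classifier, version, scope = parts
    else:
        raise ValueError(f"unexpected coordinate format: {coord}")
    return {"ga": f"{group}:{artifact}", "type": ptype, "version": version, "scope": scope}


def direct_dependencies(tree_output: str) -> list:
    """Return the direct dependencies (the 'left-most' packages) from dependency:tree text."""
    deps = []
    for line in tree_output.splitlines():
        m = DIRECT_RE.match(line.rstrip())
        if m:
            deps.append(parse_coordinates(m.group(1)))
    return deps


def outdated_direct_dependencies(tree_output: str, latest_ga: dict) -> list:
    """Pair each direct dependency with its latest GA version and list those that differ.

    Versions are compared as strings, so any mismatch is reported and a human
    decides whether it is an upgrade. A package missing from latest_ga is
    reported with 'unknown' so it is not silently skipped.
    """
    report = []
    for dep in direct_dependencies(tree_output):
        latest = latest_ga.get(dep["ga"], "unknown")
        if latest != dep["version"]:
            report.append((dep["ga"], dep["version"], latest))
    return report


def jira_summary(tree_output: str, latest_ga: dict) -> list:
    """One line per outdated direct dependency, naming the target version to record in the Jira."""
    return [
        f"Upgrade {ga} from {current} to {latest}"
        for ga, current, latest in outdated_direct_dependencies(tree_output, latest_ga)
    ]


if __name__ == "__main__":
    for line in jira_summary(SAMPLE_TREE, LATEST_GA):
        print(line)
```

Transitive packages (the indented `|  \-` lines) are deliberately ignored, matching the "no requirement to upgrade transitive dependent packages" point above; to run it against a real component, pipe `mvn dependency:tree` into the script in place of `SAMPLE_TREE` and replace `LATEST_GA` with the versions read from NexusIQ.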

...