REQ-323
-
Getting issue details...STATUS
: Each project will update the vulnerable direct dependencies in their code base
Milestones affected
N/A
Projects affected
N/A
Background description
Components deployed within OpenDaylight's karaf container must use the version of third party libraries that come preinstalled in order to avoid version conflicts. We have updated all the direct dependencies that we can without creating version conflicts and noted those that cannot be addressed in the appropriate secure wiki page for third party vulnerabilites for CCSDK and SDNC.
Schedule impact
N/A
Recovery plan
Many of these vulnerabilities should be resolved in Honolulu, when we upgrade to the next Opendaylight release. Also, we are making changes in CCSDK and SDNC to create new pods that run outside OpenDaylight to eliminate the need to be bound by OpenDaylight versions.
Milestone schedule change
N.A
Risk
As long as we need to support deploying our code within OpenDaylight, we are going to be constrained by its third party versions. Once we get to the point where we no longer run within the ODL karaf container, that risk will no longer exist.
