Projects are to focus on upgrading the packages that are direct dependencies to the latest version at M2.
- Remove requirement to provide effective/ineffective analysis until there are tools to support the analysis
- Projects update direct dependencies in their applications to most recent version of packages
- Projects identify the direct dependencies (packages) in each project component
- NexusIQ provides a list of all packages used in a component
- Projects open Jiras to update older package versions in direct dependencies and commit to upgrading by M4
- NexusIQ provides package history - SECCOM recommendation is to use the latest GA release of a package available at M2
- Include the new version number in the Jira ticket
- No requirement to upgrade transitive dependent packages
- Projects identify the direct dependencies (packages) in each project component
- SECCOM will update oparent to include the most recent version of included packages as of the time of the oparent release for the ONAP release (mid December)
- All known CVEs for each component will be listed in readthedocs for the release with no analysis.