- Issue type: Story
- Resolution: Done
- Priority: Medium
Address vulnerabilities identified by SECCOM under https://wiki.onap.org/display/SV/Istanbul+DCAE
Below is the current list of vulnerabilities identified by SECCOM as of 05/13/2021.
The Project’s assessment/Istanbul Target (M2) column was updated as of 06/01 (revised 06/28 for tomcat-embed-core).
dcaegen2-analytics-tca-gen2 - DCAEGEN2-2803
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 2 | netty-handler : 4.1.54.Final | 6, 5 | 4.1.63.Final | Update to SECCOM recommended version. 07/16/2021: this library is no longer used by TCA (the latest CLM report does not flag this vulnerability) |
| OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest version; no change for Istanbul release |
| OPEN | 2 | undertow-core : 2.2.2.Final | 5, 4 | 2.2.7.Final | 2.2.8.Final is available; will try to upgrade to the latest for Istanbul |
| OPEN | 2 | httpclient : 4.5.8 | 5 | 4.5.13 | Update to SECCOM recommended version |
dcaegen2-collectors-datafile - DCAEGEN2-2804
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.39 | 7, 7, 7, 5 | ??? | 06/28/21: recommendation to go with 9.0.46 for Istanbul |
| OPEN | 1 | spring-web : 5.3.1 | 9 | 5.3.6 | 5.3.7 is available; will try to upgrade to the latest for Istanbul |
| OPEN | 2 | io.springfox : springfox-swagger2 : 2.9.2 | 5 | ??? | No new non-vulnerable version available; will try upgrading to the latest version (3.0.0) for Istanbul |
onap-dcaegen2-collectors-restconf
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest version; no change for Istanbul release |
dcaegen2-collectors-ves
| Status | Priority | Component name and version | CVE | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|---|
| OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | SONATYPE-2020-0907 | 5 | ??? | Already on latest version; no change for Istanbul release |
dcaegen2-platform-inventory-api
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 2 | httpclient : 4.5.8 | 5 | 4.5.13 | Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm |
| OPEN | 2 | org.hibernate : hibernate-validator : 5.4.3.Final | 6, 5 | 7.0.1.Final | Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm |
dcaegen2-platform-mod-runtimeapi - DCAEGEN2-2805
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | commons-io : commons-io : 2.6 | 7 | 2.8.0 | 2.9.0 is available; will try to upgrade to the latest for Istanbul |
dcaegen2-platform-servicechange-handler
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | jackson-dataformat-cbor : 2.9.9 | 7 | 2.12.3 | Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm |
| OPEN | 1 | snakeyaml : 1.14 | 7 | 1.28 | Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm |
dcaegen2-services-bbs-event-processor
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 2 | io.springfox : springfox-swagger2 : 3.0.0 | 5 | ??? | Already on latest version; no change for Istanbul release |
dcaegen2-services-mapper - DCAEGEN2-2806
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | xstream : 1.4.11.1 | 9, 9, 9, 9, 9, 9, 8, 8, 7, 7, 7, 6 | 1.4.16 | 1.4.17 is available with no policy violation; try upgrading to it for Istanbul |
| OPEN | 1 | log4j : 1.2.17 | 9 | 2.14.1 (log4j-core) | 1.2.17 is the latest version; log4j-core is a different library. No change for Istanbul |
| OPEN | 2 | httpclient : 4.5.8 | 5 | 4.5.13 | Update per SECCOM recommended version |
| OPEN | 2 | xercesImpl : 2.12.1 | 5 | ??? | Already on latest; no change for Istanbul |
| OPEN | | org.codehaus.groovy : groovy-all : 2.4.14 | 6 | | Select 2.4.21: next version with no policy violation |
dcaegen2-services-pm-mapper - DCAEGEN2-2807
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | freemarker : 2.3.28 | 7 | 2.3.31 | Update per SECCOM recommended version |
| OPEN | 2 | undertow-core : 2.0.30.Final | 5, 4, 4 | 2.2.7.Final | 2.2.8.Final is available; will try to upgrade to the latest for Istanbul |
| OPEN | 2 | httpclient : 4.5.7 | 5 | 4.5.13 | Not flagged in the latest Nexus report; update per SECCOM recommended version anyway |
dcaegen2-services-prh - DCAEGEN2-2808
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.41 | 7, 7 | ??? | 06/28/21: recommendation to go with 9.0.46 for Istanbul |
| OPEN | 1 | org.springframework : spring-web : 5.3.3.RELEASE | 9, 6 | 5.3.6 RELEASE | 5.3.7 is available; will try to upgrade to the latest for Istanbul |
dcaegen2-services-son-handler - DCAEGEN2-2809
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment/Istanbul Target (M2) |
|---|---|---|---|---|---|
| OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.39 | 7, 7, 7, 5 | ??? | 06/28/21: recommendation to go with 9.0.46 for Istanbul |
| OPEN | 1 | org.springframework : spring-web : 5.2.10.RELEASE | 9 | 5.3.6 RELEASE | 5.3.7 is available; will try to upgrade to the latest for Istanbul |
| OPEN | 2 | httpclient : 4.5.7 | 5 | 4.5.13 | Update per SECCOM recommended version |
| OPEN | 2 | jetty-server : 9.4.17.v20190418 | 4 | 9.4.40.v20210413 | Update per SECCOM recommended version |
dcaegen2-services-kpi-computation-ms - DCAEGEN2-2810
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
|---|---|---|---|---|---|
| OPEN | | io.undertow : undertow-core : 2.0.30.Final | | | 2.2.8.Final is available; will try to upgrade to the latest for Istanbul |
| OPEN | | org.springframework : spring-web : 5.2.7.RELEASE | | | 5.3.6 RELEASE or 5.3.7 |
| OPEN | | io.undertow : undertow-servlet : 2.0.30.Final | | | Select 2.0.34.Final (next version with no policy violation) or upgrade to latest 2.2.8.Final |
| OPEN | | org.apache.httpcomponents : httpclient : 4.5.7 | | | Select 4.5.13: next version with no policy violation |
| OPEN | | org.eclipse.jetty : jetty-server : 9.4.17.v20190418 | | | 9.4.41.v20210516 |
dcaegen2-services-slice-analysis-ms - DCAEGEN2-2811
| Status | Priority | Component name and version | Threat level | Recommended version | Project’s assessment |
|---|---|---|---|---|---|
| OPEN | 1 | org.apache.tomcat.embed : tomcat-embed-core : 9.0.36 | 7, 7, 7, 7, 5, 4 | 9.0.46 | 06/28/21: recommendation to go with 9.0.46 for Istanbul |
| OPEN | 1 | postgresql : 42.2.5 | 7 | 42.2.13 | Select 42.2.13: next version with no policy violation |
| OPEN | 1 | org.springframework : spring-web : 5.3.3.RELEASE | 9, 7, 6 | 5.3.6 RELEASE | 5.3.6 RELEASE or 5.3.7 |
| OPEN | 2 | httpclient : 4.5.7 | 5 | 4.5.13 | Select 4.5.13: next version with no policy violation |
| OPEN | 2 | jetty-server : 9.4.17.v20190418 | 4 | 9.4.41.v20210516 | 9.4.41.v20210516 |
- blocks: REQ-863 PACKAGES UPGRADES IN DIRECT DEPENDENCIES FOR ISTANBUL (In Progress)
- relates to: DCAEGEN2-2851 Remove checker-framework from HV-VES (Closed)
- relates to: DCAEGEN2-2761 PACKAGES UPGRADES IN DIRECT DEPENDENCIES FOR ISTANBUL (Closed)
| # | Sub-task | Status | Assignee |
|---|---|---|---|
| 1 | TCAgen2 security vulnerability updates | Closed | sumithra |
| 2 | DFC security vulnerability updates | Closed | deen1985 |
| 3 | Mapper security vulnerability updates | Closed | mukesh.paliwal |
| 4 | PM-Mapper security vulnerability updates | Closed | joannajeremicz |
| 5 | PRH security vulnerability updates | Closed | pmarcink |
| 6 | SON-Handler security vulnerability updates | Closed | niranjana |
| 7 | KPI-MS security vulnerability updates | Closed | denilson.l65 |
| 8 | Slice-Analysis MS security vulnerability updates | Closed | shwetha_r |