> On Jan 22, 2019, at 3:48 PM, Daniel Farrell <dfarr...@redhat.com> wrote: > > > I have finally found the report and it's quite a few issues, so it's > hard to break them down. > > First of all, I don't believe the list of issues flagged as coming from > OpenDaylight is accurate, as I compared the artifacts we are shipped in > karaf-0.8.3. > > We also did not ship netty-4.0.30, we shipped 4.1.22. > > We did not ship the following artifacts at all: > commons-fileupload > artemis-commons > faces-impl > sendgrid-java > netty-4.0.30 -- we are shipped 4.1.22.Final > > I could not find a public repository for the SONATYPE advisories -- does > anyone have a pointer? Without that I cannot evaluate them... > > We have upgraded org.bouncycastle in Oxygen SR4, so at least those two > CVEs have been fixed. > > Finally, it seems that quite a few issues are affecting > ccsdk/distribution, which are coming from ODL projects like TSDR, SXP > and similar. I am not sure whether ONAP really uses them, so it may be > worthwhile to take a look at how the distribution is assembled.
Thanks Daniel for copying. Thanks Robert for the answer. Brian, yes, Robert did reply with some preliminary answers. We should ingest them and start triaging our list. Also, we should look into how we could build a custom distro out of ODL released artifacts specific for ONAP, as as pointed by Robert, we might not need everything. I actually think we mostly need NETCONF, that I’m aware of. I’ll follow-up w/ Dan Timoney and that. Regards, Alexis -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4508): https://lists.onap.org/g/onap-tsc/message/4508 Mute This Topic: https://lists.onap.org/mt/28708638/21656 Group Owner: onap-tsc+ow...@lists.onap.org Unsubscribe: https://lists.onap.org/g/onap-tsc/leave/2743226/1412191262/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
