Re: [onap-tsc] CII Badging - Vulnerabilities

Abhijit Kumbhare

For some reason, OpenDaylight TSC got dropped off this thread - added it back. Looking forward to talking with you guys Alexis and folks.

On Fri, Feb 8, 2019 at 11:38 AM TIMONEY, DAN <dt5972@...> wrote:



One clarification I wanted to make, re: Robert’s question about the list we’d provided.


The Nexus IQ server also reports on third-party libraries that are embedded within other jars. For example, ODL Oxygen doesn’t ship netty 4.0.30, but the jar for narayana-osgi-jta contains that version of netty. I can tell that because when I look at “Occurrences” of that library in the Nexus IQ Server report, I see this:


netty-all-4.0.30.Final.jar located at opendaylight/oxygen/target/docker-stage/karaf-0.8.3.tar.gz/karaf-0.8.3/system/org/jboss/narayana/osgi/narayana-osgi-jta/5.5.2.Final/narayana-osgi-jta-5.5.2.Final.jar



I really wish we could just share the report, but unfortunately Sonatype told us in no uncertain terms that sort of thing is a violation of their software license terms.


I just wanted to reassure you all that I really did do my best to be careful about separating out the vulnerabilities we’re inheriting from ODL from any that we’re introducing ourselves.




Dan Timoney

SDN-CP Development

ONAP Project Technical Lead : CCSDK and SDNC


Please go to  D2 ECOMP Release Planning Wiki for D2 ECOMP Project In-take, 2016 Release Planning, Change Management, and find key Release Planning Contact Information.
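The “Occurrences” path above shows why a scanner can attribute a vulnerability to a distribution that never declares the affected library: the jar is nested inside another jar inside the Karaf tarball. The following script is an added example (not part of this thread, and not ONAP, OpenDaylight or Sonatype code) that reproduces that part of the analysis without the Nexus IQ report: it walks a Karaf-style `.tar.gz`, opens every `.jar` as a zip, recurses into jars embedded in jars, and emits `<jar> located at <containing path>` lines in the same shape as the quoted occurrence. It identifies a library only by the `artifact-version.jar` filename convention (a real scanner also uses pom.properties, manifests and content hashes), and the sample tarball it scans is constructed inline, with the narayana-osgi-jta / netty-all layout taken from the message above.

```python
"""Locate third-party jars embedded inside other jars in a Karaf distribution tarball.

Added example: mirrors the 'Occurrences' path style of a dependency scanner so that
inherited (embedded) libraries can be separated from ones a project ships directly.
"""
import io
import re
import tarfile
import zipfile

# Assumption: jars follow the Maven naming convention <artifactId>-<version>.jar,
# where the version starts with a digit (e.g. netty-all-4.0.30.Final.jar).
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar_name(path):
    """Return (artifactId, version) for a jar path, or None if it does not match the convention."""
    base = path.rsplit("/", 1)[-1]
    m = JAR_NAME_RE.match(base)
    return (m.group("artifact"), m.group("version")) if m else None


def nested_jars(zip_bytes, parent_path, depth=0, max_depth=3):
    """Return [(artifactId, version, location)] for every .jar inside zip_bytes, recursively.

    'location' is parent_path + '/' + entry name, so the containing jar is the prefix,
    exactly as a scanner's occurrence path reads.
    """
    results = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return results  # a file named .jar that is not a zip: nothing to inspect
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".jar"):
                continue
            location = f"{parent_path}/{info.filename}"
            parsed = parse_jar_name(info.filename)
            if parsed:
                results.append((parsed[0], parsed[1], location))
            if depth < max_depth:  # jars can embed jars that embed jars; bound the recursion
                results.extend(nested_jars(zf.read(info), location, depth + 1, max_depth))
    return results


def scan_distribution(tar_bytes, tar_name="karaf.tar.gz"):
    """Scan every .jar member of a .tar.gz and return only the jars embedded inside them."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile() or not member.name.lower().endswith(".jar"):
                continue
            data = tf.extractfile(member).read()
            findings.extend(nested_jars(data, f"{tar_name}/{member.name}"))
    return findings


def format_report(findings):
    """Render findings as '<jar> located at <containing jar path>' lines."""
    return [f"{loc.rsplit('/', 1)[-1]} located at {loc.rsplit('/', 1)[0]}" for _, _, loc in findings]


def _jar(entries):
    """Build a minimal zip/jar in memory from {name: bytes_or_str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_distribution():
    """Constructed sample tarball: narayana-osgi-jta embeds netty-all; a second jar embeds nothing."""
    manifest = "Manifest-Version: 1.0\n"
    netty = _jar({"META-INF/MANIFEST.MF": manifest})
    narayana = _jar({"META-INF/MANIFEST.MF": manifest, "netty-all-4.0.30.Final.jar": netty})
    standalone = _jar({"META-INF/MANIFEST.MF": manifest})
    members = {
        "karaf-0.8.3/system/org/jboss/narayana/osgi/narayana-osgi-jta/5.5.2.Final/"
        "narayana-osgi-jta-5.5.2.Final.jar": narayana,
        "karaf-0.8.3/system/org/example/standalone/1.0/standalone-1.0.jar": standalone,  # hypothetical
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in members.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for line in format_report(scan_distribution(build_sample_distribution(), "karaf-0.8.3.tar.gz")):
        print(line)
```

Run against a real distribution by passing the bytes of the built `karaf-*.tar.gz` to `scan_distribution`; every line it prints names a library the distribution carries without declaring it as a direct dependency, which is the set that has to be attributed upstream rather than to the project’s own pom files.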



From: Abhijit Kumbhare <abhijitkoss@...>
Date: Friday, February 8, 2019 at 11:06 AM
To: "onap-tsc@..." <onap-tsc@...>
Cc: Robert Varga <nite@...>, "TIMONEY, DAN" <dt5972@...>
Subject: Re: [OpenDaylight TSC] [onap-tsc] CII Badging - Vulnerabilities


Sure Alexis - I will add this to the agenda next week. Earlier this week Anil Belur was asking for the same to be on the agenda - but there was no time this week to have this.


On Fri, Feb 8, 2019 at 7:06 AM Alexis de Talhouet <adetalhouet89@...> wrote:


On Feb 8, 2019, at 10:00 AM, Brian <bf1936@...> wrote:


Since ONAP is Apache 2.0 and ODL is EPL, we don't think we can build a distribution on the ONAP side that removes “ODL projects like TSDR, SXP and similar”. It would be awesome if ONAP could build its own distro, but I don't think we know how to do that without tainting.


I tend to think we can. This is one of the things I want to discuss during the ODL TSC when the time is right.

