ddf
ddf copied to clipboard
codice
[SECURITY] Dependency Upgrade Tracking - Q1 2025
Master Tracking: Security Dependency Upgrades
This issue tracks all security-related dependency upgrades for DDF.
Critical Priority (P0) - Immediate
| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Hazelcast | 3.12.10 | Remove/5.5.0 | 4 | 🔴 Not Started |
| GeoTools | 24.6 | 28.6.1+ | 12+ | 🔴 Not Started |
High Priority (P1) - Next 30 Days
| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Commons-Collections | 3.2.2 | 4.5.0 | 4 | 🔴 Not Started - #6936 |
| Spring Framework | 6.1.21 | 6.2.12 | 2 | 🔴 Not Started - #6935 |
| Commons BeanUtils | 1.9.4 | 1.11.0 | 1 | 🔴 Not Started |
| Apache Batik | 1.14 | 1.17+ | 4 | 🔴 Not Started |
Medium Priority (P2) - Next 60 Days
| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Apache Karaf | 4.4.8 | 4.4.9+ | TBD | 🔴 Not Started |
| Netty (transitive) | Various | 4.1.114+ | 9 | 🔴 Not Started |
| Protobuf (transitive) | Various | 3.25.8+ | 8 | 🔴 Not Started |
Low Priority (P3) - Ongoing
| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| commons-lang 2.x | 2.6 | Migrate to 3.x | EOL | 🔴 Not Started |
| jQuery/Bootstrap | Various | Latest | Multiple | 🔴 Not Started |
Progress Summary
- Total Vulnerabilities: ~126 unique
- Target Vulnerabilities: <25 (MEDIUM/LOW only)
- Expected Reduction: 78%+
Related Issues
- #6936 - Commons-Collections 4.x migration
- #6935 - Spring Framework 6.2.x upgrade
- #6934 - KlvDecoder recursion limit
- #6938 - Test coverage initiative
- #6939 - GeoTools upgrade
Definition of Done
- [ ] All P0 vulnerabilities resolved
- [ ] All P1 vulnerabilities resolved
- [ ] P2 vulnerabilities in progress
- [ ] No CRITICAL CVEs remaining
- [ ] CI security scanning enabled
- [ ] OWASP suppression file for false positives
