...
#14 Any critical, severe or high vulnerability found in the code written by the project team MUST be fixed within 60 days or prior to the inclusion of the project in a new release, whichever occurs first.
Muddasar's Proposed format for above process. Some actions have been rearranged.
| Sequence | Action | R | A | C | I | Artifact | Tool/process |
| 1 | Final call to the ONAP Community raised by the PTL or by the TSC. (Neagtive Result for volunteer for succession) | TSC | TSC | PTLs | ArcSubComm | email Distribution Lists | |
| 2 | Review what is used by the Community and the dependencies to other components and maintain the repositories that are necessary for the ONAP Components | ArcSubComm | TSC | PTLs, SECCOM | PTLs | Projects Dependency List | Nexus, PTL confrence |
| Verify what (if any) impact the change has on OOM/Integration (CIST)/DOC projects and ensure that is communicated | ArcSubComm | TSC | PTLs, SECCOM, DOC | PTLs | |||
| 3 | Identify an alternative path (if any) | Pgm | TSC | PTLs | ArcSubComm, SECCOM | ||
| 4 | Identify potential remaining committers to maintain the remaining repositories | Pgm | TSC | PTLs | ArcSubComm, SECCOM | ||
| 5 | Update INFO.yaml (Need role assignment) | ||||||
| 6 | In gerrit set the appropriate repositories that are no longer in use to 'Read Only' access | LF-IT? | |||||
| 7 | Update the Architecture diagrams and references (Need role assignment) | ||||||
| 8 | Remove Jenkins jobs (I think Code scanning and report generation needs to continue until closed and archived) | LF-IT? | |||||
| 9 | Inform Steven Winslow (LFN IP Legal) and disable all the scans (Sonar, FOSSology, NexusIQ) on the unmaintained repos (I think Code scanning and report generation needs to continue until closed and archived) | Pgm | TSC | PTLs | ArcSubComm, SECCOM | ||
| 10 | Move the project to Unmaintained State Projects including Clean-up of other wiki pages, RDT, JIRA, mailing lists, calendars, etc. | ||||||
| 11 | Indicate in the release note that the project is in Unmaintained state i.e. add a hint in the header. | ||||||
| 12 | The project information for this component will no more be branched (i.e. master) and will be linked to the latest maintained release. (how would it impact CI tools?) | ||||||
| 13 | Any critical, severe or high vulnerability found in the code written by the project team MUST be fixed within 60 days or prior to the inclusion of the project in a new release, whichever occurs first. (This can not be done due to lack of resources. Can this be mentioned in the Release notes? if yes, who owns the risk? TSC?, SECCOM?) |
Transition from "Unmaintained" to "Incubation/Mature": A Unmaintained project can be moved to “Incubation” or “Mature" if there is a new interest from the ONAP Community and meeting the requirement for the project state while performing a project review, including PTL responsibility and committers engagement. The following steps will be re-initiatied
...