...
- The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
- Each vulnerability identified by NexusIQ is listed in the table
- Each vulnerability is identified as being a false positive or exploitable
- Each vulnerability is identified as being in a package that can be updated/replace by the project or a dependency in a package used by the project (e.g., ODL)
- Each exploitable vulnerability has a corresponding Jira ticket, even for false positives and for including those in dependencies that cannot be fixed by the project
- The SECCOM will review each Security/Vulnerability - Full Content page
- Ensure that each vulnerability found by NexusIQ is listed in the review table
- Ensure that each vulnerability has a Jira ticket
...
Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In such a case, if those experts do not have no access to the protected wiki space, ticket should be issued by PTL to the PTL should create an LFN helpdesk ticket to enable itrequest access.