...
- Any security vulnerability found in the ONAP code base must be removed from the ONAP code base within 60days.
- Within the 60 days period, the expectations are that the project team will develop and test a resolution for the CVE.
The resolution will immediately be candidate for the next candidate release i.e. early drop, minor or major release.
An exception may be raised on extra-ordinary issue, but exceptions must be rare.
If there is an emergency, people can always use the container available in the “staging” repositories.
- Inter-dependencies between projects:
- The project containing the vulnerability must immediately notify the projects that have it as a dependency of:
- the vulnerability
- the projected timeline for resolution
- changes to functionality caused by resolution
- The projects with dependencies must incorporate the new version within 60days.
- The project containing the vulnerability must immediately notify the projects that have it as a dependency of:
- If a project is unable to remove a security vulnerability within the 60day window:
- the project may supply a default configuration that prevents execution of the vulnerable code, and
- the project must add removal of the vulnerable code to the backlog for the next release.
- Any critical CVE that has reached the 60 days period with no resolution must be presented to the TSC for review.
The project must present the following:
SECCOM Recommendations, following similar process than the IP Legal issues.
The reason they could not meet the deadline.
The nature of the risk.
If TSC does not provide a waiver then the impacted project team will need to build a recovery plan.
If TSC gives a waiver then it means that the TSC acknowledges the risk.
- The project will change the answer to CII badging vulnerabilities_fixed_60_days to UNMET.
- The project will prioritize resolving the vulnerability.