...

  • The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
    • Each vulnerability identified by NexusIQ is listed in the table
    • Each vulnerability is identified as being a false positive or exploitable
    • Each vulnerability is identified as being in a package that can be updated/replaced by the project or a dependency in a package used by the project (e.g., ODL)
    • Each exploitable vulnerability has a corresponding Jira ticket, including those in dependencies that cannot be fixed by the project
      • The Jira ticket for a vulnerability in a dependency will be to either
        • find a replacement for the package
        • replace the package with the dependency once the dependency is fixed
      • Where there is a Jira ticket for the dependent package, reference that ticket in the project-specific Jira ticket
      • Note: Although false positives do not require a Jira ticket, projects should, as part of good software development practices, use current versions of all packages.
  • The SECCOM will review each Security/Vulnerability - Full Content page
    • Ensure that each vulnerability found by NexusIQ is listed in the review table
    • Ensure that each exploitable vulnerability has a Jira ticket

...

Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In such a case, if those experts have no access to the protected wiki space, the PTL should create an LFN helpdesk ticket to request access. Note that only committers can be granted access to the NexusIQ reports.