...

Vulnerabilities of managed functions (e.g. VNFs) are out of the scope of ONAP; however, if an ONAP vulnerability depends on a managed function, the managed function's vulnerability procedures will be used to coordinate the issue.

The Process

Notice

All the tasks mentioned below should be executed by the VMS coordinator, who is chosen and assigned by the VMS on a case-by-case basis.

Overview

Reception

A report can be received either as a ticket in the Vulnerability Reporting Jira Project /Insert link when created/, or as a private encrypted email to one of the VMS members /Insert a link to a suitable page/.

...

  1. Edit the ticket description by adding an embargo notice at the beginning (VMS team)
  2. Add the "Uncategorised" label to the ticket (VMS team)
  3. Confirm bug reception by assigning the task to one of the VMS members and adding a reception confirmation comment (VMS team)

Reception via email

  1. Create a new Jira ticket and post the embargo notice and the content of the original message, re-encrypted with the public keys of the other VMS members (email recipient)
  2. Add the "Uncategorised" label to the ticket (email recipient)
  3. Assign the task to one of the VMS members capable of decrypting the bug content (email recipient)
  4. Send a signed reception confirmation email (DO NOT include the original message in plain text) (email recipient)


The VMS should do its best to provide a prompt confirmation to the reporter. Bug reception should be confirmed no later than 3 business days after receipt.

...

Steps to be completed

  1. Develop the fix (PTL or delegate)
  2. Do not send it to the public code review system (gerrit) unless the ticket is already public.

...

Steps to be completed

  1. Review the fix (PTL and committers)
  2. Pre-approve the fix by adding a comment to the ticket of the form "Acked-by: Name Surname <email@domain.tld>" (PTL, committers and VMS coordinator)
  3. When all required approvals have been collected, update the commit message and add the Acked-by comments from the previous step to it (VMS coordinator)

Draft Vulnerability description

...

  1. Review the draft of the vulnerability description (PTL and committers)

Send CVE request

If the reporter did not request a CVE number on their own, the VMS coordinator should attempt to obtain one to ensure full traceability. This is generally done as the patch gets nearer to final approval. The approved impact description is submitted through MITRE's CVE Request form. The request type is "Request a CVE ID", the e-mail address should be that of the requester, and for critical reports the coordinator's OpenPGP key should be pasted into the field provided.

...

  1. Create a ticket with the issue description in the Vulnerability Reporting Jira Project (VMS members)
  2. Make the ticket publicly visible (VMS members)
  3. Assign the bug to one of the VMS members
  4. Perform bug triage and a CVE request if necessary (VMS coordinator)
  5. Send an email containing the triage results to /Agree on email recipients/
  6. The rest of the standard process should be followed, skipping the embargoed disclosure step

...