
After approval of M0 for an ONAP release, the SECCOM will create a new section in the Security Vulnerabilities ONAP wiki space for that release, containing copies of the Security/Vulnerability - Full Content pages for the included projects from the previous release.

M1

  • The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
    • Each vulnerability identified by NexusIQ is listed in the table
    • Each vulnerability is identified as either a false positive or exploitable
    • Each vulnerability is identified as being either in a package that can be updated or replaced by the project, or in a dependency of a package used by the project (e.g., ODL)
    • Each exploitable vulnerability has a corresponding Jira ticket, including those in dependencies that cannot be fixed by the project
  • The SECCOM will review each Security/Vulnerability - Full Content page
    • Ensure that each vulnerability found by NexusIQ is listed in the table
    • Ensure that each exploitable vulnerability has a Jira ticket

M2 & M3

  • The PTL will review the NexusIQ scans for their project weekly and update their Security/Vulnerability - Full Content page
  • The SECCOM will not review the tables during this period, trusting that the PTLs are keeping them up to date; the SECCOM will answer questions from the PTLs or their delegates

M4

  • The PTL will finalize their Security/Vulnerability - Full Content page, making it consistent with the latest NexusIQ scans
  • The SECCOM will review each Security/Vulnerability - Full Content page
    • Where necessary, the SECCOM representative will communicate with the PTL to clarify the information in the table
    • When each table has been satisfactorily completed, the SECCOM will create a sanitized copy of each table in the public wiki to be included in the Release Notes

Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In that case, if those experts do not have access to the protected wiki space, the PTL should create an LFN helpdesk ticket to request access for them.
