DEPRECATED IN GUILIN: REPLACED BY Remediating Known Vulnerabilities in Third Party Packages
In Scope: All security vulnerabilities in the ONAP code base. This includes vulnerabilities in the code, and vulnerabilities related to the configuration of dependent packages, e.g., using default passwords or enabling debug tools.
Out of Scope: Known vulnerabilities in the dependent packages included in the ONAP code base. Examples of dependent packages in ONAP include ODL, com.fasterxml.jackson.core : jackson-databind : 2.8.11.3, org.eclipse.jetty : jetty-util : 9.4.14.v20181114, and djangoframework.
Reminder: All security vulnerabilities found in the ONAP code base must be fixed within 60 days in order for the project to retain its CII Passing badge.
The fix is immediately a candidate for the next release, i.e. the next early drop, minor release or major release.
An exception may be raised for an extraordinary issue, but exceptions must be rare and have a well-documented rationale.
The project must present the following:
- SECCOM recommendations, following a process similar to the one used for IP/legal issues.
- The reason they could not meet the deadline.
- The nature of the risk.

Any critical CVE that will not be resolved within the 60-day period must be presented to the TSC for review no later than one week before the expiration of that period (day 53).