In Scope: All security vulnerabilities in the ONAP code base.
Out of Scope: Known vulnerabilities in the dependent packages included in the ONAP code base. Examples of dependent packages in ONAP include ODL, com.fasterxml.jackson.core : jackson-databind : 2.8.11.3, and org.eclipse.jetty : jetty-util : 9.4.14.v20181114.
Reminder: All security vulnerabilities found in the ONAP code base must be fixed within 60 days in order for the project to retain its CII Passing badge.
ONAP Policy:
- Any security vulnerability found in the ONAP code base must be removed from the ONAP code base within 60 days.
- If a project is unable to remove a security vulnerability within the 60-day window:
  - the project may supply a default configuration that prevents execution of the vulnerable code, and
  - the project must add removal of the vulnerable code to the backlog for the next release.