...

  • The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
    • Each vulnerability identified by NexusIQ is listed in the table
    • Each vulnerability is identified as being a false positive or exploitable
    • Each vulnerability is identified as being either in a package that the project itself can update or replace, or in a transitive dependency of a package the project uses (e.g., ODL) that the project cannot change directly
    • Each exploitable vulnerability has a corresponding Jira ticket, including those in dependencies that cannot be fixed by the project
      • The Jira ticket for a vulnerability in a dependency will track one of two actions:
        • find a replacement for the affected package
        • move to the fixed version of the package once the upstream dependency has fixed it
      • Where the dependency already has its own Jira ticket for the vulnerability, reference that ticket in the project-specific Jira ticket
      • Note: Although false positives do not require a Jira ticket, projects should, as part of good software development practice, keep all packages at current versions so that the same finding is not re-triaged on every scan.
  • The SECCOM will review each Security/Vulnerability - Full Content page
    • Ensure that each vulnerability found by NexusIQ is listed in the review table
    • Ensure that each exploitable vulnerability has a Jira ticket

...