...
- The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
  - Each vulnerability identified by NexusIQ is listed in the table
  - Each vulnerability is identified as being a false positive or exploitable
  - Each vulnerability is identified as being in a package that can be updated/replaced by the project or in a dependency of a package used by the project (e.g., ODL)
  - Each exploitable vulnerability has a corresponding Jira ticket, even for false positives, and including those in dependencies that cannot be fixed by the project
    - The Jira ticket for a vulnerability in a dependency will be to either
      - find a replacement for the package
      - replace the package with the dependency once the dependency is fixed
    - Where there is a Jira ticket for the dependent package, reference that ticket in the project-specific Jira ticket
  - Note: Although false positives do not require a Jira ticket, projects should, as part of good software development practices, use current versions of all packages.
- The SECCOM will review each Security/Vulnerability - Full Content page
  - Ensure that each vulnerability found by NexusIQ is listed in the review table
  - Ensure that each exploitable vulnerability has a Jira ticket
...
- The PTL will finalize their Security/Vulnerability - Full Content page, making it consistent with the NexusIQ scans
- The SECCOM will review each Security/Vulnerability - Full Content page
  - Where necessary, the SECCOM representative will communicate with the PTL to clarify the information in the table
  - When each table has been satisfactorily completed, the SECCOM will create a sanitized copy of each table in the public wiki to be included in the Release Notes
Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In such a case, if those experts do not have access to the protected wiki space, the PTL should create an LFN helpdesk ticket to request access. Note that only committers can be granted access to the NexusIQ reports.