  • Changes from Remediating Known Vulnerabilities in Third Party Packages in the Beijing through El Alto releases
    • There is no requirement to provide effective/ineffective analysis until there are tools to support the analysis.
    • There is no requirement to create vulnerability review tables.
  • M0
    • Projects identify the direct dependencies (packages) in each project component.
      • NexusIQ provides a list of all packages used in a component.
      • Maven creates a dependency tree in which the direct dependencies appear as the "left-most packages".
    • Projects identify the most recent version of each direct dependency.
    • SECCOM updates oparent.pom to include the most recent version of included packages that are available at M2.
    • SECCOM prioritization of package upgrades
      • Priority 1: outdated packages containing a Critical vulnerability
      • Priority 2: outdated packages containing a Severe vulnerability
      • Priority 3: all other outdated packages
    • Each project opens Jira ticket(s) to update older package versions in direct dependencies.
      • Note: There is no requirement to upgrade transitive dependent packages.
      • There must be a separate Jira for each package to be upgraded in each project repository.
      • Required information in Jira ticket:
        • Old and new version numbers
        • Label of "ComponentUpgrade"
        • Fix Version = release under development
    • Exceptions: The project must request a TSC exception for each direct dependency that cannot be upgraded by M1.
      • Required information in the "ComponentUpgrade" Jira ticket with an exception:
        • The reason that the package cannot be upgraded,
        • Fix Version = the next release to be developed
  • M1
    • Package updates must be complete.
    • Outdated packages that are not updated require TSC exceptions: The project must request a TSC exception for each direct dependency that cannot be upgraded by M1.
      • Required information in the "ComponentUpgrade" Jira ticket with an exception:
        • The reason that the package cannot be upgraded,
        • Fix Version = the next release to be developed
  • M4
    • Project will close each Jira ticket that has been completed.
    • SECCOM will create a report of the status of all "ComponentUpgrade" Jiras for the release.
    • Open tickets will require a TSC exception.
      • Jiras with M4 exceptions must contain the same information documented above
  • Readthedocs
    • All projects will list all CVEs (CVE number only) associated with third party packages in the readthedocs in the Third Party Vulnerabilities section.
      • Vulnerabilities are listed in the NexusIQ reports for each project repository scanned
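The M0 steps above (find the direct dependencies from the Maven dependency tree, look up the newest version of each, and rank the outdated ones by the SECCOM priority order) can be carried out mechanically. The script below is an added illustration written for this page; it is not the CLAMP team's script and not ONAP code. It parses a constructed `mvn dependency:tree` text output, treats the depth-1 nodes as the direct dependencies, compares them with an assumed "newest version" lookup table and an assumed per-package severity table (both constructed stand-ins for what NexusIQ or Maven Central would provide), and emits one summary line per outdated direct dependency carrying the old and new version numbers the ComponentUpgrade Jira requires.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not captured from a real ONAP build).
# Depth-1 nodes ("+- " / "\- " directly under the root) are the direct dependencies,
# the "left-most packages" the policy refers to; deeper nodes are transitive.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-component ---
[INFO] org.example:example-component:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Assumed newest released version per groupId:artifactId (constructed sample values;
# in practice this comes from NexusIQ or a Maven Central lookup).
LATEST_VERSION = {
    "org.apache.commons:commons-lang3": "3.9",
    "com.fasterxml.jackson.core:jackson-databind": "2.10.2",
    "org.springframework:spring-web": "5.2.3.RELEASE",
    "junit:junit": "4.13",
}

# Assumed highest vulnerability severity reported against each package (constructed sample).
HIGHEST_SEVERITY = {
    "com.fasterxml.jackson.core:jackson-databind": "Critical",
    "org.springframework:spring-web": "Severe",
}

# SECCOM priority order: Critical first, Severe second, everything else third.
PRIORITY = {"Critical": 1, "Severe": 2}

# A tree line is "[INFO] " + zero or more 3-character drawing cells + the coordinates.
_TREE_LINE = re.compile(r"^\[INFO\] ((?:\|  |   |\+- |\\- )*)(\S+)$")


def parse_tree(text):
    """Return every dependency node as dict(package, version, scope, depth); the root artifact is skipped."""
    nodes = []
    for line in text.splitlines():
        m = _TREE_LINE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        depth = len(prefix) // 3
        if depth == 0:  # the root artifact itself
            continue
        parts = coords.split(":")  # groupId:artifactId:type[:classifier]:version:scope
        nodes.append({"package": f"{parts[0]}:{parts[1]}", "version": parts[-2],
                      "scope": parts[-1], "depth": depth})
    return nodes


def direct_dependencies(text):
    """Direct dependencies only: the left-most (depth-1) packages of the tree."""
    return [(n["package"], n["version"]) for n in parse_tree(text) if n["depth"] == 1]


def version_key(version):
    """Simplified ordering: numeric segments compare as integers, other segments as strings.
    Sufficient for the sample; Maven's ComparableVersion has more rules (e.g. SNAPSHOT qualifiers)."""
    return [(0, int(seg)) if seg.isdigit() else (1, seg) for seg in re.split(r"[.\-]", version)]


def is_outdated(current, latest):
    return version_key(current) < version_key(latest)


def outdated_direct_dependencies(tree_text, latest_versions, severities):
    """Outdated direct dependencies, ranked by SECCOM priority (1 Critical, 2 Severe, 3 other)."""
    rows = []
    for package, current in direct_dependencies(tree_text):
        latest = latest_versions.get(package)
        if latest is None or not is_outdated(current, latest):
            continue
        severity = severities.get(package, "None")
        rows.append({"priority": PRIORITY.get(severity, 3), "package": package,
                     "current": current, "latest": latest, "severity": severity})
    rows.sort(key=lambda r: (r["priority"], r["package"]))
    return rows


def ticket_summary(row):
    """One-line summary with the old and new version numbers required in each ComponentUpgrade Jira."""
    return (f"[ComponentUpgrade] Upgrade {row['package']} from {row['current']} "
            f"to {row['latest']} (P{row['priority']})")


if __name__ == "__main__":
    for row in outdated_direct_dependencies(SAMPLE_TREE, LATEST_VERSION, HIGHEST_SEVERITY):
        print(ticket_summary(row))
```

Transitive packages (jackson-core, spring-core, hamcrest-core in the sample) are parsed but never reported, matching the note that there is no requirement to upgrade transitive dependencies; commons-lang3 is already at the assumed newest version and is likewise left out. The version comparison is deliberately simple, so a real run should use Maven's own ordering when qualifiers such as SNAPSHOT or RC appear.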
The CLAMP team will investigate writing a script to automatically generate project-level Jira tickets for all direct dependencies.

Frankfurt Release: The CLAMP team wrote a script that generates user stories for each outdated direct dependency in a project and links them to an epic for the project. Example epic: CLAMP-601. Example user story: CLAMP-602. Each user story identifies an outdated package and its newest version.

Proposal: The CLAMP team will run the script for all projects during the week of 10 February, creating user stories and epics for each project. SECCOM will measure progress for REQ-263 using the automatically generated tickets.

The script is an open source project which can be found here. The CLAMP team welcomes contributions.