Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In Scope: All security vulnerabilities in the ONAP code base. This includes vulnerabilities in the code, and vulnerabilities related to the configuration of dependent packages, e.g., using default passwords or enabling debug tools.

Out of Scope: Known vulnerabilities in the dependent packages included in the ONAP code base. Examples of dependent packages in ONAP include ODL, com.fasterxml.jackson.core : jackson-databind : 2.8.11.3, and org.eclipse.jetty : jetty-util : 9.4.14.v20181114, and djangoframework.

Reminder: All security vulnerabilities found in the ONAP code base must be fixed within 60days in order for the project to retain its CII Passing badge.

...

  • Any security vulnerability found in the ONAP code base must be removed from the ONAP code base within 60days60 days.
    • Within the 60 days period, the expectations are that the project team will develop and test a resolution for the CVE.
    • The resolution will immediately be candidate for the next candidate release i.e. early drop, minor or major release.

    • An exception may be raised on extra-ordinary issue, but exceptions must be rare .If there is an emergency, people can always use the container available in the “staging” repositoriesand have a well documented rationale.

    • Inter-dependencies between projects:
      • The project containing the vulnerability must immediately notify the projects that have it as a dependency of:
        • the vulnerability
        • the projected timeline for resolution
        • changes to functionality caused by resolution
      • The projects with dependencies must incorporate the new version within 60days60 days.
  • If a project is unable to remove a security vulnerability within the 60day 60 day window:
    • the project may project should supply a default configuration that prevents execution of the vulnerable code, and
    • the project must add removal of the vulnerable code to the backlog for the next release.
    Any critical CVE that has reached the 60 days period with no resolution must be presented to the TSC for review.
    • the readthedocs for the project must be updated with the vulnerability and the fix
      • The project must present the following:

        • SECCOM Recommendations, following similar process

      than
        • to the IP Legal issues.

        • The reason they could not meet the deadline.

        • The nature of the risk

      .
    • If TSC does not provide a waiver then the impacted project team will need to build a recovery plan.

    • If TSC gives a waiver then it means that the TSC acknowledges the risk.

      The project will
        • .Any critical CVE that will not be resolved within the 60 day period must be presented to the TSC for review no later than one week before the expiration period (day 53).

    • The TSC will then decide how to proceed.
      • The TSC allows the project more time to fix the vulnerability without changing the upcoming ONAP release date.
        • The resolution of the vulnerability will become the highest priority of the project.
        • If the next release will contain the vulnerability, the CVE for the vulnerability will be documented in the security section of readthedocs.
        • The project must change the answer to CII badging vulnerabilities_fixed_60_days to UNMET.
      • The TSC allows the project will prioritize resolving the vulnerabilitymore time to fix the vulnerability and delays the upcoming ONAP release date.
        • The resolution of the vulnerability will become the highest priority of the project.
        • The project must change the answer to CII badging vulnerabilities_fixed_60_days to UNMET.