...
- The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
  - Each vulnerability identified by NexusIQ is listed in the table
  - Each vulnerability is identified as being a false positive or exploitable
  - Each vulnerability is identified as being in a package that can be updated/replaced by the project or a dependency in a package used by the project (e.g., ODL)
  - Each exploitable vulnerability has a corresponding Jira ticket, including those in dependencies that cannot be fixed by the project
    - The Jira ticket for a vulnerability in a dependency will be to either
      - find a replacement for the package
      - replace the package with the fixed version of the dependency once it is available
    - Where there is a Jira ticket for the dependent package, reference that ticket in the project-specific Jira ticket
  - Note: Although false positives do not require a Jira ticket, projects should, as part of good software development practices, use current versions of all packages.
- The SECCOM will review each Security/Vulnerability - Full Content page
  - Ensure that each vulnerability found by NexusIQ is listed in the review table
  - Ensure that each exploitable vulnerability has a Jira ticket
...