Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

In Scope: All security vulnerabilities in the ONAP code base.

Out of Scope: Known vulnerabilities in the dependent packages included in the ONAP code base. Examples of dependent packages in ONAP include ODL, com.fasterxml.jackson.core : jackson-databind : 2.8.11.3, and org.eclipse.jetty : jetty-util : 9.4.14.v20181114.

Reminder: All security vulnerabilities found in the ONAP code base must be fixed within 60days in order for the project to retain its CII Passing badge.

ONAP Policy:

  • Any security vulnerability found in the ONAP code base must be removed from the ONAP code base within 60days.
  • If a project is unable to remove a security vulnerability within the 60day window:
    • the project may supply a default configuration that prevents execution of the vulnerable code, and
    • the project must add removal of the vulnerable code to the backlog for the next release.
  • No labels