NexusIQ Scans per Milestone

After approval of M0 for an ONAP release, the SECCOM will create a new section in the Security Vulnerabilities ONAP wiki space for the release containing copies of the Security/Vulnerability - Full Content pages for the included projects from the previous release.

M1

  • The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page

    • Each vulnerability identified by NexusIQ is listed in the table

    • Each vulnerability is identified as being a false positive or exploitable

    • Each vulnerability is identified as being in a package that can be updated/replace by the project or a dependency in a package used by the project (e.g., ODL)

    • Each exploitable vulnerability has a corresponding Jira ticket, including those in dependencies that cannot be fixed by the project

      • The Jira ticket for a vulnerability in a dependency will be to either

        • find a replacement for the package

        • replace the package with the dependency once the dependency is fixed

      • Where there is a Jira ticket for the dependent package, reference that ticket in the project specific Jira ticket

      • Note: Although false positives do not require a Jira ticket, projects should, as part of good software development practices, use current versions of all packages.

  • The SECCOM will review each Security/Vulnerability - Full Content page

    • Ensure that each vulnerability found by NexusIQ is listed in the review table

    • Ensure that each exploitable vulnerability has a Jira ticket

M2 & M3

  • The PTL will review the Nexus IQ scans for their project weekly and update their Security/Vulnerability - Full Content page

  • The SECCOM will not review the tables, trusting that the PTLs are keeping the tables up to date; the SECCOM will answer questions from the PTLs or their delegates

M4

  • The PTL will finalize their Security/Vulnerability - Full Content page making it consistent with the NexusIQ scans

  • The SECCOM will review each Security/Vulnerability - Full Content page

    • Where necessary, the SECCOM representative will communicate with the PTL to clarify the information in the table

    • When each table has been satisfactorily completed, the SECCOM will create a sanitized copy of each table in the public wiki to be included in the Release Notes

Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In such a case, if those experts do not have access to the protected wiki space, the PTL should create an LFN helpdesk ticket to request access. Note that only committers can be granted access to the NexusIQ reports.