After approval of M0 for an ONAP release, the SECCOM will create a new section in the Security Vulnerabilities ONAP wiki space for the release containing copies of the Security/Vulnerability - Full Content pages for the included projects from the previous release.
M1
- The PTL will review the NexusIQ scans for their project and update their Security/Vulnerability - Full Content page
  - Each vulnerability identified by NexusIQ is listed in the table
  - Each vulnerability is identified as being a false positive or exploitable
  - Each vulnerability is identified as being in a package that can be updated/replaced by the project, or as being in a dependency of a package used by the project (e.g., ODL)
  - Each vulnerability has a corresponding Jira ticket, even for false positives and for dependencies that cannot be fixed by the project
- The SECCOM will review each Security/Vulnerability - Full Content page
  - Ensure that each vulnerability found by NexusIQ is listed in the review table
  - Ensure that each vulnerability has a Jira ticket
M2 & M3
- The PTL will review the NexusIQ scans for their project weekly and update their Security/Vulnerability - Full Content page
- The SECCOM will not review the tables, trusting that the PTLs are keeping the tables up to date; the SECCOM will answer questions from the PTLs or their delegates
M4
- The PTL will finalize their Security/Vulnerability - Full Content page, making it consistent with the NexusIQ scans
- The SECCOM will review each Security/Vulnerability - Full Content page
  - Where necessary, the SECCOM representative will communicate with the PTL to clarify the information in the table
- When each table has been satisfactorily completed, the SECCOM will create a sanitized copy of each table in the public wiki to be included in the Release Notes
Note: A PTL may delegate the task of analyzing NexusIQ findings and updating the Security/Vulnerability - Full Content page to authorized security subject matter experts on their team. In such a case, if those experts have no access to the protected wiki space, the PTL should open a ticket with the LFN helpdesk to grant it.