FW: [JIRA] (CLAMP-372) review vulnerabilities fixed 60 days answer

Pierre Close

Dear SECCOM,

Please find below a comment that was posted by Christophe a few days ago, and that was already asked during a previous PTL call.

Would it be possible to add this to the agenda (at the beginning of the call if possible, due to schedule)? I am inviting Christophe to join us for that topic.

Thanks and best regards,

Pierre

From: Christophe Closset (JIRA) <jira@...>
Sent: Wednesday, May 08, 2019 11:46
To: Close, Pierre <pierre.close@...>
Subject: [JIRA] (CLAMP-372) review vulnerabilities fixed 60 days answer

Christophe Closset commented on Sub-task CLAMP-372

Re: review vulnerabilities fixed 60 days answer

This was discussed during the PTL call I think; here are a couple of questions we have on this requirement:

  • You say this does not refer to vulnerabilities inherited from 3rd-party libraries. Which ONAP tooling is used to check for vulnerabilities in ONAP code? So far we've been using NexusIQ to gather known vulnerabilities from dependencies (tracking CVEs etc.), but it does not check ONAP code itself as far as we know. We can see Sonar is reporting vulnerabilities (or rather potential vulnerabilities, since most are tagged critical and are related to coding practice, especially Java), but we have no visibility on other languages.
  • What about previous releases that are no longer supported? E.g. a vulnerability exists in the Beijing release; we know there won't be a maintenance release for that version, but the vulnerability still exists (probably publicly known for more than 60 days). Can we say we meet the requirement in this case?
