Re: [JIRA] (CLAMP-372) review vulnerabilities fixed 60 days answer

Pawel Pawlak
 

Of course, with pleasure!

Talk to you in 3 hours…

 

Best regards

 

Paweł Pawlak

 

ONAP SECCOM Chair

Leader in IT & Network Convergent Operations
FT/TGI/OLN/QOP/OST

 

Orange Polska S.A.

Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

Do you need to print this message? Think about the environment.
__________________________________________________________________
The content of this message is the property of Orange Polska and contains information constituting a trade secret of Orange Polska. If you are not its addressee, or have received it by mistake, please notify the sender and permanently delete it. Orange Polska Spółka Akcyjna with its registered office and address in Warsaw (02-326) at Al. Jerozolimskie 160, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under number 0000010681; REGON 012100784, NIP 526-02-50-995; with fully paid-up share capital of PLN 3,937,072,437.

 

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Pierre Close
Sent: Tuesday, May 14, 2019 10:32 AM
To: onap-seccom@...
Cc: Closset, Christophe
Subject: [Onap-seccom] FW: [JIRA] (CLAMP-372) review vulnerabilities fixed 60 days answer

 

Dear SECCOM,

 

Please find below a comment that was posted by Christophe a few days ago, and that was already asked during a previous PTL call.

 

Would it be possible to add this to the agenda (at the beginning of the call if possible due to schedule)? I am inviting Christophe to join us for that topic.

 

Thanks and best regards,

Pierre

 

From: Christophe Closset (JIRA) <jira@...>
Sent: Wednesday, May 08, 2019 11:46
To: Close, Pierre <pierre.close@...>
Subject: [JIRA] (CLAMP-372) review vulnerabilities fixed 60 days answer

 


Christophe Closset commented on Sub-task CLAMP-372

 

Re: review vulnerabilities fixed 60 days answer

This was discussed during the PTL call I think; here are a couple of questions we have on this requirement:

  • You say this does not refer to vulnerabilities inherited from 3rd-party libraries, so which ONAP tooling is used to check for ONAP vulnerabilities in ONAP code? So far we've been using NexusIQ to gather known vulnerabilities from dependencies (tracking CVEs etc.), but it does not check ONAP code itself as far as we know. We can see Sonar is reporting vulnerabilities (or rather potential vulnerabilities, since most are tagged critical and are related to coding practice, especially JAVA), but we have no visibility on other languages.
  • What about previous releases that are no longer supported? E.g. a vulnerability exists in the Beijing release, we know there won't be a maintenance release for that version, yet the vulnerability still exists (probably publicly known for more than 60 days); can we say we meet the requirement in this case?
