Good afternoon Security Subcommittee,
A few days ago I took an action to present a proposal to the ONAP TSC about CVEs.
I plan to have this topic on 7/18.
Here is the proposal that we started to elaborate on the PTL call (7/1):
· Within the 60-day period, the expectation is that the project team will address the CVE from a development and testing perspective.
It is understood that the resolution will immediately be a candidate for the next candidate release, i.e. early drop, minor or major release.
An exception can be raised for an extraordinary issue, but the purpose is to avoid delivering a fix for one CVE on a daily/weekly basis.
If there is an emergency, people can always use the container available in the "staging" repositories.
We also need to assess interdependencies between projects, i.e.:
  #1 an issue in Portal SDK consumed by Policy, CLAMP, SDC etc.
  #2 vulnerabilities fixed in oParent
Feedback from the project team will remain "key" to assess whether this resolution has an impact (or not) on another component, or on the overall release.
· Any critical CVE that has reached the 60-day period and was not fixed at M4 (code freeze) should be presented to the TSC for review, including
SECCOM recommendations, following a similar process to the one used for IP/legal issues.
The project team must also provide the reason why they could not meet the deadline and the nature of the risk.
If the TSC does not provide a waiver, then the impacted project team will need to build a recovery plan.
If the TSC gives a waiver, then it means that the TSC acknowledges the risk.
Many thanks and regards