Hi,

Thanks. This may be a good opportunity to point to this wiki for this process:
https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management

This will be a good opportunity to test it out.

BR,

Steve

From: onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> On Behalf Of Kenny Paul
Sent: Friday 7 December 2018 22:15
To: onap-tsc@lists.onap.org; Daniel Farrell <dfarr...@redhat.com>
Cc: Abhijit Kumbhare <abhijitk...@gmail.com>; <t...@lists.opendaylight.org>
Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Perfect! Thanks Daniel!

Thanks!
-kenny


From: <onap-tsc@lists.onap.org> on behalf of Alexis de Talhouet <adetalhoue...@gmail.com>
Reply-To: <onap-tsc@lists.onap.org>
Date: Friday, December 7, 2018 at 12:58 PM
To: Daniel Farrell <dfarr...@redhat.com>
Cc: Abhijit Kumbhare <abhijitk...@gmail.com>, <t...@lists.opendaylight.org>, <ONAP-TSC@lists.onap.org>
Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Awesome. Thank you for the reminder Daniel. I’ll loop in that list.

Regards,
Alexis

On Dec 7, 2018, at 3:56 PM, Daniel Farrell <dfarr...@redhat.com> wrote:

No, this list is exactly meant for this type of secret information. It's the 
group of people the TSC has appointed as trusted to handle security issues. 
They will follow all the normal security embargo best practices.

Thanks,
Daniel
On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Daniel,

Is the content of information provided through that mailing list publicly 
available? If yes, then I can’t provide the information to that list, as we 
don’t want to share publicly the vulnerabilities.

Alexis


On Dec 7, 2018, at 3:50 PM, Daniel Farrell <dfarr...@redhat.com> wrote:

Hey Alexis,

Reminder that we have a security response team that's meant to handle these 
types of things. Stephen is on the security response team, but you might still 
be better off sharing with that group vs Stephen and Michael directly. We asked 
for these details to be sent to that list months ago when ONAP folks first 
mentioned these scanning issues, but last time I talked to Stephen about it 
they still hadn't been sent.

secur...@lists.opendaylight.org

We appreciate ONAP working with us to make sure we're the best upstream we can 
be. Looking forward to benefiting both projects by working together more 
closely.

Daniel

On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Michael, Stephen,

I sent you the information privately, as we should not share vulnerabilities 
publicly.
Please only distribute internally to PTL and/or TSC.

Regards,
Alexis

On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare <abhijitk...@gmail.com> wrote:

Thanks Alexis, Stephen and Michael.
On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
Michael, Stephen,

Thank you for the prompt response. I’ll get clarification on the vulnerabilities we 
have identified and will come back to you on the points you mentioned.

Alexis

> On Dec 6, 2018, at 1:06 PM, Stephen Kitt <sk...@redhat.com> wrote:
>
> Hi Alexis,
>
> On Thu, 6 Dec 2018 17:57:29 +0100
> Michael Vorburger <vorbur...@redhat.com> wrote:
>>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>>
>>> Greetings ODL community, TSC,
>>>
>>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> need to eradicate critical vulnerabilities.
>>>
>>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> reports that were found in the ODL Oxygen SR3 distribution,
>>> documented here:
>>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> document is high-level information providing only the groupId of
>>> the Maven artifact. I don’t have permission to see ODL projects in
>>> LF Nexus-IQ: https://nexus-iq.wl.linuxfoundation.org, so I can’t
>>> link reports directly here.
>>>
>>> Point is, we would like to know where ODL stands with regards to CII
>>> Badging; is that something you’re seeking?
>
> Not actively, but we do care about fixing vulnerabilities.
>
>>> Regardless, we would like to know if ODL is willing to address
>>> critical vulnerabilities impacting ONAP?
>
> Yes, we are.
>
>> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> guys would be willing to help us help you more, by:
>>
>> - clarifying details about the vulnerability, like a link to a CVE
>
> +1
>
>> - first check out Fluorine or even better already Neon; at least some
>> of the Karaf related ones likely are already solved
>
> At least, check Oxygen SR4 when it’s available. I’m also not entirely
> sure how the analysis matches up with Oxygen SR3; for example, the
> version of Guava in SR3 is 23.6.1, which fixes the known
> vulnerabilities. CLM also flags a number of false positives, e.g.
> commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>
>> - clarify where you found the artifact... there are (to me) some
>> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> where that is used by what project in ODL
>
> +1
>
>> - dedupe your list - it looks a lot longer than it really is, many
>> dupes ;)
>
> I think this is because the artifacts aren’t fully described: we need
> the artifactId as well as the groupId, and ideally the version.
>
> Regards,
>
> Stephen

_______________________________________________
TSC mailing list
t...@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/tsc
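Stephen's and Michael's points above (a CLM row that carries only a groupId cannot be deduplicated or matched to a fix, and a flagged artifact may already ship at a fixed version, as with Guava 23.6.1 and commons-fileupload 1.3.3 in SR3), as an added Python example that is not part of this thread. It triages a constructed scanner export against the versions actually in a distribution; the org.example artifacts and every fixed_in value are placeholders, not data from any advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    coordinate: str          # "groupId[:artifactId[:version]]" as the scanner exported it
    fixed_in: Optional[str]  # lowest fixed version named by the advisory, if known

def version_key(v: str) -> tuple:
    """Maven-style key: dotted numeric parts, trailing zeros dropped, qualifiers after
    '-' ignored, so "1.3.0" == "1.3" and "23.6.1-jre" == "23.6.1"."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def triage(findings: List[Finding], shipped: Dict[str, str]) -> Dict[str, List[str]]:
    """shipped maps groupId:artifactId to the version actually in the distribution."""
    buckets = {k: set() for k in
               ("incomplete", "not_shipped", "unverified", "still_affected", "already_fixed")}
    for f in findings:
        parts = f.coordinate.split(":")
        if len(parts) < 2:                 # groupId only: cannot be matched to any fix
            buckets["incomplete"].add(parts[0])
            continue
        ga = f"{parts[0]}:{parts[1]}"
        actual = shipped.get(ga)
        if actual is None:                 # scanner names an artifact we do not ship
            buckets["not_shipped"].add(ga)
        elif f.fixed_in is None:           # no advisory/CVE to compare against yet
            buckets["unverified"].add(f"{ga}:{actual}")
        elif version_key(actual) < version_key(f.fixed_in):
            buckets["still_affected"].add(f"{ga}:{actual}")
        else:                              # shipped version is already at or past the fix
            buckets["already_fixed"].add(f"{ga}:{actual}")
    return {k: sorted(v) for k, v in buckets.items()}  # sets also dedupe repeated rows

# Constructed sample: groupId-only rows and duplicates (as in the export discussed),
# the two SR3 versions the thread names, and placeholder org.example artifacts.
SAMPLE_FINDINGS = [
    Finding("com.google.guava", None), Finding("com.google.guava", None),
    Finding("com.google.guava:guava", "23.6.1"),
    Finding("commons-fileupload:commons-fileupload", "1.3.3"),
    Finding("com.sendgrid", None),
    Finding("org.example:widget", "1.2"), Finding("org.example:gadget", None),
]
SAMPLE_SHIPPED = {"com.google.guava:guava": "23.6.1",
                  "commons-fileupload:commons-fileupload": "1.3.3",
                  "org.example:widget": "1.0", "org.example:gadget": "2.0"}
```

Running `triage(SAMPLE_FINDINGS, SAMPLE_SHIPPED)` leaves only org.example:widget as still affected; the groupId-only rows land in "incomplete", which is the list to send back for artifactId and version.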
View/Reply Online (#4286): https://lists.onap.org/g/onap-tsc/message/4286