**Vulnerability Management Process Flow**
![FlowCapture](uploads/393e9662c3993da431681fbd90ed0799/FlowCapture.JPG)
1. **Developers:** Develop software and trigger the execution of vulnerability scanning via the CI/CD pipeline.
2. **Scanning Tools:** Detect, classify and provide vulnerability remediation steps.
| Policy | Mohammad Malekmakan | EA/DEL/DIGITAL Petronas |
| Data Definitions | Thomas Gehrmann | SLB |
| Infra-azure-provisioning | Madhur Tanwani | MSFT |
6. **Exception/Acceptance Process:** If a vulnerability can be resolved, but not within the required time frame, the exception process must be followed along with vulnerability remediation. If a vulnerability cannot be resolved, the acceptance process must be followed and no further remediation will be required.

Note: The following steps are only required if a vulnerability can be remediated.
7. **Remediate Vulnerability:** Developers will remediate vulnerabilities by performing the following steps:
7.1. Update software and/or dependencies based on recommendations
7.2. Rescan impacted software and dependencies to ensure vulnerabilities are no longer detected
7.3. Update Issue status to Resolved. The following steps are to be used to close out vulnerabilities in the compliance report after they have been remediated:
* Access the OSDU Vulnerability Report [Vulnerability Report · Platform · GitLab (opengroup.org)](https://community.opengroup.org/groups/osdu/platform/-/security/vulnerabilities).

![VulnerabilityListCapture](uploads/010126d7101a79157157f28ed2718837/VulnerabilityListCapture.JPG)

* Locate the vulnerability assigned to you or your team. This can be done by using the dropdown filters and/or scrolling through the listed vulnerabilities.
* Click on vulnerability.
* Select the Status dropdown list which can be found in the upper right corner of the screen.
* Select the appropriate status (Dismiss, Confirm or Resolve).
* Click the Change status button.
![VulnerabilityScreenCapture](uploads/82e8008fc3e9a8515cbfa6ac5801acd2/VulnerabilityScreenCapture.JPG)
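The following `.gitlab-ci.yml` is an added example of how steps 1 and 2 (developers push code, the pipeline runs the scanning tools) and the rescan in step 7.2 can be wired up; it is not the OSDU platform's actual pipeline definition. It assumes a project on a GitLab instance where GitLab's built-in security scanning templates are available; the stage names, the build job body and the excluded paths are placeholders chosen for this example.

```yaml
# Added example pipeline (not the OSDU project's own configuration).
# Assumes GitLab's built-in security templates are available on the instance.
stages:
  - build
  - test

# Each template adds a scanner job in the `test` stage that uploads a security
# report artifact. Findings from the default-branch pipeline are what populate
# the Vulnerability Report that step 7.3 works from; a merge-request pipeline
# re-runs the same scanners, which is the rescan required by step 7.2.
include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source code
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable dependencies
  - template: Security/Secret-Detection.gitlab-ci.yml     # credentials committed to the repo
  - template: Security/Container-Scanning.gitlab-ci.yml   # vulnerabilities in the built image

variables:
  # Placeholder values: directories the scanners should skip (tests, fixtures).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

build:
  stage: build
  script:
    # Placeholder: replace with the project's real build and image push commands.
    - echo "build placeholder"
```

Container scanning only yields results when the pipeline has actually published an image for it to inspect, so the `build` job is expected to push one to the project's registry; with that in place, every push to a feature branch shows the developer whether the finding from step 7.1 is still detected before the fix is merged.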