From 53de06c9d6b3c52f9f23ed4904968074b3f833d2 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Fri, 24 May 2019 23:30:00 +0200 Subject: [PATCH] Improve security release notes In order to provide users with more details of project's state in terms of security let's divide the security release notes into three sections: - Fixed Security Issues Contains a list of security fixes merged during this release (especially those reported via OJSI tickets). - Known Security Issues Contains a list of vulnerabilities detected in project during release which have not been fixed yet and thus should be mitigated by the user. - Known Vulnerabilities in Used Modules Contains information about NexusIQ scan results Issue-ID: SECCOM-238 Change-Id: Ief8825c38c7723c26e8c7e10a6a13f4b8f9c169d Signed-off-by: Krzysztof Opasiak --- docs/release-notes.rst | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 03a11a6e..bcb1f16b 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -32,6 +32,12 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l **Security Notes** +*Fixed Security Issues* + +*Known Security Issues* + +*Known Vulnerabilities in Used Modules* + PORTAL code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The PORTAL open Critical security vulnerabilities and their risk assessment have been documented as part of the `project `_. Quick Links: 
@@ -45,7 +51,7 @@ Quick Links: * For https Apps onboarded to portal, a certificate has to be downloaded in the browser when first trying to access the landing page of the App. * For onboarded Apps using http (since Portal is using https) the browser asks the user to click to Proceed to the unsafe URL. * For onboarded Apps using http the icon in the URL bar will appear red, click on it and allow unsafe scripts. - + **Deprecation Notes** **Other** @@ -55,8 +61,8 @@ Quick Links: * onap/portal-sdk:2.5.0 * onap/portal-wms:2.5.0 * portal/sdk java artifacts - (Release branch: “release-2.5.0”) - -Version: 2.3.2 + +Version: 2.3.2 -------------- :Release Date: 2019-04-15 @@ -67,10 +73,10 @@ This is the official release notes for the Casablanca Maintenance Release 3.0.2. **Known Issues** * The issue is an application running on HTTPS will not open in Portal if the AAF root CA is missing. - An error message will appear in a separate tab in Portal. It will say something like: - “The webpage at https://portal.api.simpledemo.onap.org:30200/vid/welcome.htm?cc=........ might + An error message will appear in a separate tab in Portal. It will say something like: + “The webpage at https://portal.api.simpledemo.onap.org:30200/vid/welcome.htm?cc=........ might be temporarily down or it may have moved permanently to a new web address.” - Here is the work-around, copy above VID (or other app) URL and replace welcome.htm to login.htm + Here is the work-around, copy above VID (or other app) URL and replace welcome.htm to login.htm in a new browser window; after login come back to Portal home page and click VID, it will now work. * For applications running on HTTP (for example SDC), the user needs to disable the security check in the browser to access the application. -- 2.16.6
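Review bot: In the first hunk (@@ -32,6 +32,12 @@), the new "*Fixed Security Issues*" and "*Known Security Issues*" headings are added with no content under them, so a reader of the release notes cannot tell "no issues" apart from "not filled in yet". The commit message says these sections hold the fixes merged in this release (especially those reported via OJSI tickets) and the vulnerabilities the user still has to mitigate. Either list those entries here or put an explicit "None" line under each heading. The existing NexusIQ paragraph now sits under "*Known Vulnerabilities in Used Modules*", which matches the commit message. It is worth confirming that the HTTP/HTTPS notes further down do not belong under "*Known Security Issues*", since the text visible in the later hunks asks users to proceed to an unsafe URL, allow unsafe scripts, or disable the browser security check.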
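Review bot: The remaining three hunks (@@ -45,7 +51,7 @@, @@ -55,8 +61,8 @@ and @@ -67,10 +73,10 @@) remove and re-add lines whose visible text is identical, for example "Version: 2.3.2" and the lines of the "An error message will appear in a separate tab in Portal" paragraph, so they look like whitespace-only changes. They are not mentioned in the commit message and account for half of the 12 insertions and all 6 deletions, which hides the actual change to the Security Notes section. Please move the whitespace cleanup to a separate commit or drop it from this one.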