From b891bf5b4e365e2f0cc77b22ee6a2276789e6adf Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Mon, 27 May 2019 20:43:09 +0200
Subject: Improve security release notes

In order to provide users with more details of project's state in
terms of security let's divide the security release notes into three
sections:

- Fixed Security Issues
  Contains a list of security fixes merged during this
  release (especially those reported via OJSI tickets).

- Known Security Issues
  Contains a list of vulnerabilities detected in project during
  release which have not been fixed yet and thus should be mitigated
  by the user.

- Known Vulnerabilities in Used Modules
  Contains information about NexusIQ scan results

Issue-ID: SECCOM-238
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I07a057dd5bdec7a2d3ad42be854faa9c8abd38e0
---
 docs/releasenotes/releasenotes.rst | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

(limited to 'docs/releasenotes/releasenotes.rst')

diff --git a/docs/releasenotes/releasenotes.rst b/docs/releasenotes/releasenotes.rst
index 5b656b6..1d5a460 100755
--- a/docs/releasenotes/releasenotes.rst
+++ b/docs/releasenotes/releasenotes.rst
@@ -42,29 +42,36 @@ Many other changes and improvement are listed in JIRA:
 
 **Security Notes**
 
+*Fixed Security Issues*
+
 NBI has been improved to reduce signs of vulnerabilities,
 especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml
 
-Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
-TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+*Known Security Issues*
+
+- `OJSI-136 <https://jira.onap.org/browse/OJSI-136>`_ - In default deployment EXTAPI (nbi) exposes HTTP port 30274 outside of cluster.
+   NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
+   TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+
+   As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
+   Presuming you have a valid JKS keystore, with private key and a signed certificate:
 
-As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
-Presuming you have a valid JKS keystore, with private key and a signed certificate:
+   ::
 
-::
+       src/main/resources/application.properties
 
-    src/main/resources/application.properties
+   ::
 
-::
+       # tls/ssl
+       server.ssl.key-store-type=JKS
+       server.ssl.key-store=classpath:certificate/yourkeystore.jks
+       server.ssl.key-store-password=password
+       server.ssl.key-alias=youralias
 
-    # tls/ssl
-    server.ssl.key-store-type=JKS
-    server.ssl.key-store=classpath:certificate/yourkeystore.jks
-    server.ssl.key-store-password=password
-    server.ssl.key-alias=youralias
+       # disable http and activate https
+       security.require-ssl=true
 
-    # disable http and activate https
-    security.require-ssl=true
+*Known Vulnerabilities in Used Modules*
 
 - `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_
 
-- 
cgit 1.2.3-korg