On the CII badging page for your app https://bestpractices.coreinfrastructure.org/projects/1759 change the answers for Static Fixed and Vulnerabilities Fixed 60 Days

Static Fixed: change the answer to N/A because ONAP is not running a static analysis tool.

Vulnerabilities Fixed 60 Days:

The CII question says:
"There MUST be no unpatched vulnerabilities of medium or high severity that have been publicly known for more than 60 days."

Note that this refers to vulnerabilities within ONAP code, and NOT to vulnerabilities inherited from third party libraries.

Your answer should be MET:

• If there are no known vulnerabilities
• If all known vulnerabilites pointed out by tools are ONLY false positives,
• If your project can commit to fixing new vulnerabilities within 60 days.

If you can NOT choose MET, select "UNMET" and update the description to indicate "Updated 2019-MM-DD." and an indication of why you could not choose MET.