Versions Compared

Version Old Version 19 New Version 20
Changes made by

Olaf Renner

Dave Wallace

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


SBOMOpenSSF best practices badgeLFX Security DashboardStatic Application Security Testing (SAST)Software Composition Analysis (SCA)Dynamic Application Security Testing (DAST)Container ScanningAutomated Code Coverage TestingCode QualityVulnerability ReportingOtherContact 
ONAPIn progress. Debugging SPDX Generator Jenkins integrationAdopted by all sub projects. Several sub-projects at Silver levelOn-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed.SonarCloudNexusIQ

SonarCloudSonarCloudImplementedActive security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities.

Amy Zwarico , Pawel Pawlak

FD.IOissue in finding suitable tool (VPP written in C code)Work on OpenSSF badging not started yet
  • On-boardedCleanup required - Dashboard scans archived repos

Coverity
N/AGcov Report Generation CI jobCoverityImplemented

Coverity scans (and fixing issues found) has been ongoing since 2016

Security Response Process in place since 2016

Dave Wallace
ODL

Integrated CycloneDX into CI

Jira Legacy
serverOpenDaylight Jira
serverId355b3776-d12d-3197-b123-4e6c3281c19a
keyODLPARENT-280

In Progress 90%On-boarded







Robert Varga
Anuket

Deemed inapplicable for spec sub-projects.


Cédric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications








See all *-grype and *-trivy views in build.opnfv.org

ex: Xtesting

xtesting-grype [Jenkins] (opnfv.org)

A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. 
tox.ini - functest - Test suites and cases to verify OPNFV Platform functionality

Cédric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches.

Cédric Ollivier

EMCOWork on SBOM not started yetWork on OpenSSF badging not started yetGitlab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003)





GitLab issues? (nothing formalized yet)

Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO

Nadathur Sundar

XGVela

On-boarded







Qihui Zhao
L3AF

On-boarded







Jason Niesz 

ODIM

On-boarded







Martin Halstead 

Nephio











...