Hi,
This is the last report from the ONAP security sub-committee.
Firstly I would like to thank the participants for their contribution during
2017; it's been great to have the team established and up and going.
We have been focussing on a few topics recently.
Static code scanning
* Static code scanning is the scanning of ONAP-produced code in search of
  not-yet-known vulnerabilities in the code.
* We have agreed on the following recommendation:
  * Use Coverity for static code scanning.
  * Request to integrate it into the CI/CD toolchain, with an email once a
    week to PTLs.
  * Host a session to support the PTLs in the analysis.
  * Request the inclusion of the following MS criteria:
    * MS-3: no high vulnerabilities.
    * MS-4 and release: no medium vulnerabilities.
* This recommendation will be raised to the TSC for decision in January.
Scanning for known vulnerabilities
* Scanning for known vulnerabilities refers to the identification of
  vulnerabilities in modules that are outside of ONAP but that ONAP components
  rely on. This can re-use the Nexus IQ tool that is used for the licence
  scanning, as presented by Phil Robb at the developers event.
* The ONAP security sub-committee has agreed on the following recommendation:
  * Open the tool to the PTLs (or whomever they nominate).
  * Request the following MS-4 and release criterion: not releasing modules
    with vulnerabilities more than 60 days old.
  * Exceptions to be raised and discussed with the TSC.
  * Recommend hosting a session to walk through the Nexus IQ tool with the
    PTLs if required.
    * Note: A demo was done and is available from the December ONAP
      Developers Event from Phil Robb.
* This recommendation will be raised to the TSC for decision in January.
Configuration scanning
* This is the scanning of the installed infrastructure
  (https://norad.gitlab.io/).
* We thought that this was a good idea and propose to discuss it with the
  integration team (Helen, I will set up a meeting with you for this).
Support of 3SP with the CII badging program
* We have agreed to produce a "guide" for the projects for the CII badging
  program; this is to help with the questions that have a common answer for all
  projects, or to give a hint at how to answer them in the ONAP setup.
* The plan is to have this ready by the end of January.
* Then we propose to have an online session for interested PTLs (or whom
  they nominate) to help the projects get started and answer initial questions.
Best Regards,
Steve
STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services
Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
[email protected]
www.ericsson.com
Legal entity: Ericsson España S.A, company registration number ESA288568603.
This Communication is Confidential. We only send and receive email on the basis
of the terms set out at
www.ericsson.com/email_disclaimer<http://www.ericsson.com/email_disclaimer>
_______________________________________________
ONAP-TSC mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-tsc