{"type":"doc","content":[{"type":"paragraph","content":[{"text":"ONAP Integration performs 6 security tests on all ONAP pods. 100% passing is required for the release. The 6 tests are:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Pods running as root (root_pod)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Non-TLS endpoints (nonssl_endpoints)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Kubernetes tests (kube_hunter)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Java Debug Wire Protocol (jdwp) ports in the component (jdpw_ports)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Pods running with no limits on resource consumption (unlimited_pods)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Java 8 and Python 2 (versions)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Pods that require the features of any of these test must file an exception. A non-compliances with an exception is not considered a failure. Exceptions must be filed for each release because they are not carried over to newer releases.","type":"text"}]},{"type":"paragraph","content":[{"text":"To file an exception, the project team must submit the waiver to the correct exception file in the integration/waivers repo.","type":"text"}]},{"type":"table","content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Test","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Waiver File","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"root_pod","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"root_pods","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.onap.org/integration/seccom/tree/waivers/root_pods"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"nonssl_endpoints","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"nonssl_endpoints","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.onap.org/integration/seccom/tree/waivers/nonssl_endpoints"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"kube_hunter","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"jdpw_ports","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"jdwp_ports","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.onap.org/integration/seccom/tree/waivers/jdwp_ports"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"unlimited_pods","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"unlimitted_pods","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.onap.org/integration/seccom/tree/waivers/unlimitted_pods"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"versions","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"versions","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.onap.org/integration/seccom/tree/waivers/versions"}}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Format of exception request: ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Commit message","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" security exceptions for ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" (commit may contain multiple tests each with a list of pods)","type":"text"},{"type":"hardBreak"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" reason for exception (all pods in the list have the same exception reason)","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"notes about any approval discussions with SECCOM or TSC","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For each waiver file (/waivers//_xfail.txt) find the correct section of each (this may vary based on file) and document the following information","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" # (optional) ","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Using the gerrit approval process, SECCOM will review and approve/deny all requests. In some cases, review/approval may include the TSC.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Example submission","type":"text"}]},{"type":"paragraph","content":[{"text":"DCAE request for Istanbul exceptions.","type":"text"}]},{"type":"paragraph","content":[{"text":"Commit Message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"Parent: cc950e68 ([ADMIN] Update and clean Integration committer list)\nAuthor: vv770d \nAuthorDate: 2021-07-29 15:32:54 +0000\nCommit: vv770d \nCommitDate: 2021-07-29 15:37:34 +0000\nDCAE security exceptions for Istanbul\nROOT\ndcae-cloudify has upstream base image dependency to run as root.\nOnce DCAE transformation to helm is completed, this container\nwill be deprecated (target J release)\nJava8 exceptions for MOD/NiFI components (upstream NiFiproject still on java8)\nExceptions approved by SECCOM on 06/29/21 meeting\nChange-Id: I9de0d51fc526c910ffad202df16e967c716e9ab0\nSigned-off-by: Vijay Venkatesh Kumar \nIssue-ID: DCAEGEN2-2736\nIssue-ID: DCAEGEN2-2424","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"},{"text":" ","type":"text","marks":[{"type":"link","attrs":{"href":"https://gerrit.onap.org/r/c/integration/seccom/+/122972/1/waivers/root_pods/root_pods_xfail.txt"}}]},{"text":" waivers/root_pods/root_pods_xfail.txt ","type":"text","marks":[{"type":"link","attrs":{"href":"https://gerrit.onap.org/r/c/integration/seccom/+/122972/1/waivers/root_pods/root_pods_xfail.txt"}}]}]},{"type":"codeBlock","content":[{"text":"# Expected failure list for rooted ports\n# Unmaintained but still needed components\n# waivers requested already since Guilin but no progress\ndcae-cloudify # DCAEGEN2-2424\n# Upstream components\ncassandra # OOM-2552\nawx # used for use cases\nnetbox # used for use cases\nmulticloud-fcaps # rabbit-mq\n# Testing components\nrobot # use for test cases + refactoring planned in Istanbul INT-1716","type":"text"}]},{"type":"paragraph","content":[{"text":"waivers/versions/versions_xfail.txt ","type":"text","marks":[{"type":"link","attrs":{"href":"https://gerrit.onap.org/r/c/integration/seccom/+/122972/1/waivers/versions/versions_xfail.txt"}}]},{"type":"hardBreak"}]},{"type":"codeBlock","content":[{"text":"# Waiver for versions test\n# all the following docker images shall be excluded from the version scanning\n#dcae exceptions\nnexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2\nnexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2\nnexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2\napache/nifi-registry:0.5.0","type":"text"}]}],"version":1}

Browser not supported