ONAP Security Exception Process

ONAP Integration performs 6 security tests on all ONAP pods. 100% passing is required for the release. The 6 tests are:

  • Pods running as root (root_pod)

  • Non-TLS endpoints (nonssl_endpoints)

  • Kubernetes tests (kube_hunter)

  • Java Debug Wire Protocol (jdwp) ports in the component (jdpw_ports)

  • Pods running with no limits on resource consumption (unlimited_pods)

  • Java 8 and Python 2 (versions)

Pods that require the features flagged by any of these tests must file an exception. A non-compliance that has an approved exception is not considered a failure. Exceptions must be filed for each release because they are not carried over to newer releases.

To file an exception, the project team must submit the waiver to the correct exception file in the integration/waivers repo.

Test                Waiver File

root_pod            root_pods
nonssl_endpoints    nonssl_endpoints
kube_hunter         (none)
jdpw_ports          jdwp_ports
unlimited_pods      unlimitted_pods
versions            versions

Format of exception request:

  • Commit message

    • <name of project> security exceptions for <release>

    • <name of test> (commit may contain multiple tests each with a list of pods)

      • <name of pod(s)> reason for exception (all pods in the list have the same exception reason)

    • notes about any approval discussions with SECCOM or TSC

  • For each waiver file (/waivers/<waiver file name>/<waiver file name>_xfail.txt), find the correct section (this may vary based on the file) and document the following information

    • <pod name> # (optional) <associated Jira>

Using the gerrit approval process, SECCOM will review and approve/deny all requests. In some cases, review/approval may include the TSC.

Example submission

DCAE request for Istanbul exceptions.

Commit Message:

Parent:     cc950e68 ([ADMIN] Update and clean Integration committer list)
Author:     vv770d <vv770d@att.com>
AuthorDate: 2021-07-29 15:32:54 +0000
Commit:     vv770d <vv770d@att.com>
CommitDate: 2021-07-29 15:37:34 +0000

DCAE security exceptions for Istanbul

ROOT
dcae-cloudify has upstream base image dependency to run as root. Once DCAE transformation to helm is completed, this container will be deprecated (target J release)

Java8 exceptions for MOD/NiFI components (upstream NiFi project still on java8)

Exceptions approved by SECCOM on 06/29/21 meeting

Change-Id: I9de0d51fc526c910ffad202df16e967c716e9ab0
Signed-off-by: Vijay Venkatesh Kumar <vv770d@att.com>
Issue-ID: DCAEGEN2-2736
Issue-ID: DCAEGEN2-2424

waivers/root_pods/root_pods_xfail.txt

# Expected failure list for rooted ports
# Unmaintained but still needed components
# waivers requested already since Guilin but no progress
dcae-cloudify # DCAEGEN2-2424
# Upstream components
cassandra # OOM-2552
awx # used for use cases
netbox # used for use cases
multicloud-fcaps # rabbit-mq
# Testing components
robot # use for test cases + refactoring planned in Istanbul INT-1716

waivers/versions/versions_xfail.txt

# Waiver for versions test
# all the following docker images shall be excluded from the version scanning
#dcae exceptions
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2
apache/nifi-registry:0.5.0
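As an added illustration (not code from the ONAP Integration project), the following parses the `<pod name> # <note>` waiver format described above, applies the rule that a non-compliant pod with an exception is an expected failure rather than a failure, and lists waivers that carry no Jira reference, which helps when the exception has to be re-filed for the next release. The sample file content is constructed from the root_pods entries shown above; the function names are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample modelled on waivers/root_pods/root_pods_xfail.txt.
SAMPLE_XFAIL = """\
# Expected failure list for rooted pods
# Unmaintained but still needed components
dcae-cloudify # DCAEGEN2-2424
# Upstream components
cassandra # OOM-2552
awx # used for use cases
# Testing components
robot # use for test cases + refactoring planned in Istanbul INT-1716
"""

JIRA_KEY = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


def parse_xfail(text: str) -> Dict[str, Optional[str]]:
    """Map each waived pod name to the note after '#' (None when absent).

    Blank lines and lines starting with '#' are comments and are skipped.
    """
    waivers: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, note = line.partition("#")
        waivers[name.strip()] = note.strip() or None
    return waivers


def classify(failing_pods: Iterable[str],
             waivers: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Split non-compliant pods into expected failures (waived) and real failures."""
    failing = set(failing_pods)
    xfail = sorted(p for p in failing if p in waivers)
    fail = sorted(p for p in failing if p not in waivers)
    return xfail, fail


def untracked_waivers(waivers: Dict[str, Optional[str]]) -> List[str]:
    """Waived pods whose note contains no Jira key (the optional field above)."""
    return sorted(p for p, note in waivers.items()
                  if not (note and JIRA_KEY.search(note)))
```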