...
Status: Draft
Best Practice:
Recommendation to the TSC
- Use Coverity Scan https://scan.coverity.com/ to perform static code scans on all ONAP code.
- Automate scanning by enabling Jenkins to trigger weekly scans with Coverity Scan.
- Deliver scan reports to the PTLs for each project. PTLs will be responsible for getting the vulnerabilities resolved (fixed or designated as false positive).
- All projects in a release must have the high vulnerabilities resolved by MS-3.
- All projects in a release must have the high and medium vulnerabilities resolved by MS-4.
- The Security Committee will host a session to help projects walk through the scanning process and reports.
Next Steps
- Review the OPNFV scanning process at https://wiki.opnfv.org/display/security/Security+Scanning to see if it can be adopted as the ONAP static code scanning process.
Tools that have been assessed: Coverity Scan (LF evaluation using the tool in OPNFV and other projects), HP Fortify (AT&T evaluation), Checkmarx (AT&T evaluation), Bandit (AT&T evaluation)
...