...
| Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
|---|---|---|---|---|
| Security | Has the Release Security/Vulnerability table been updated in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| | Have all project containers been designed to run as a non-root user? | | Project containers that run as root must document this in the release notes along with the functionality that requires the container to run as root | https://wiki.onap.org/display/DW/Best+Practices |
...
| Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
|---|---|---|---|---|
| Security | Has the Release Security/Vulnerability table been updated in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| | Has the project committed to enabling transport level encryption on all interfaces and the option to turn it off? | | Requirements and test cases for transport layer encryption have been created for all interfaces not currently supporting encryption. | |
| | Has the project documented all open port information? | | | |
| | Has the project provided the communication policy to OOM and Integration? (Gildas recommends this be moved to M1) | | | |
| | Do you have a plan to address by M4 the Critical and High vulnerabilities in the third party libraries used within your project? (Currently also in M1 table) | | | Ensure by M4 the Nexus-IQ report from "Jenkins CLM" shows 0 critical security vulnerabilities. Open the Nexus-IQ report for the details on each repo. |
M4 Release Planning Milestone
...
| Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
|---|---|---|---|---|
| Security | Has the Release Security/Vulnerability table been filled out in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan; all NexusIQ findings are marked as false positive or exploitable, with the supporting analysis. | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| | Are all Defects of priority Highest and High in status "Closed" in Jira? (This includes the Jira tickets for Critical and Severe NexusIQ findings.) | | All Jira tickets for vulnerability elimination are complete. | Complete Jira tickets |
| | Did the project achieve the enablement of transport level encryption on all interfaces and the option of disabling transport level encryption? | | All interfaces are exposed over TLS (or another secure protocol), and the secure protocol can optionally be turned off. | |
| | Do all containers run as a non-root user, and is documentation available for those containers that must run as root in order to enable ONAP features? | | | https://wiki.onap.org/display/DW/Best+Practices |
| | Provide the "% Achieved" on the CII Best Practices program. (Moved from Development section) | | Provide link to your project CII Best Practices page. | As documented in the CII Badging Program, teams have to fill out CII Best Practices |
| REMOVE FROM DEVELOPMENT | Are there any Critical and Severe level security vulnerabilities older than 60 days in the third party libraries used within your project that remain unaddressed? Nexus-IQ classifies level as the following: which is compliant with the CVSS V2.0 rating. | | | |
...