...
- Use a "lint" finding program. For example:
  - shell: use "shellcheck", which can be installed using "apt install -y shellcheck"
  - python: there are a number of lint-finding programs, such as "pylint" and "flake8".
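An added example, not part of the original page: a small CI gate that runs the two linters named above (shellcheck for *.sh, flake8 for *.py) over a source tree and fails the build when any file has findings or when a linter is not installed. The linter commands are overridable through the SHELLCHECK and FLAKE8 variables (an assumption of this example) so the gate logic can be exercised without the tools.

```shell
#!/bin/sh
# Added example: a lint gate for CI. Exit status of lint_tree:
#   0 = every script passed, 1 = findings in at least one file,
#   2 = a required linter is missing (a gate must not silently pass).
SHELLCHECK="${SHELLCHECK:-shellcheck}"
FLAKE8="${FLAKE8:-flake8}"

# lint_tree DIR: run shellcheck on every *.sh and flake8 on every *.py under DIR.
lint_tree() {
    dir="$1"
    for tool in "$SHELLCHECK" "$FLAKE8"; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing linter: $tool" >&2
            return 2
        }
    done
    # Linter output goes to stderr; only the names of failing files are collected.
    # Paths with spaces survive because read splits on newlines only and every
    # expansion is quoted (exactly what shellcheck would flag otherwise).
    failed=$(find "$dir" -type f \( -name '*.sh' -o -name '*.py' \) |
        while IFS= read -r f; do
            case "$f" in
                *.sh) "$SHELLCHECK" "$f" >&2 || echo "$f" ;;
                *.py) "$FLAKE8" "$f" >&2 || echo "$f" ;;
            esac
        done)
    if [ -n "$failed" ]; then
        printf 'lint findings in:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Usage in a CI job: lint_tree "$WORKSPACE" || exit 1
```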
Code quality evaluation
Using a code quality tool helps developers fix vulnerabilities early.
Within the community, SonarCloud is the reference tool.
- https://sonarcloud.io/features (Detect, understand, and fix issues in your code, at the very earliest in your workflow)
- https://sonarcloud.io/organizations/onap/projects?sort=name (ONAP project)
Checking the results and fixing the findings regularly is one way to reduce risk.
Software Composition Analysis
Like code quality evaluation, Software Composition Analysis helps the community reduce risk.
https://snyk.io/blog/what-is-software-composition-analysis-sca-and-does-my-company-need-it/
What Is a software composition analysis (SCA)?
Software Composition Analysis (SCA) is an application security methodology for managing open source components. Using SCA, development teams can quickly track and analyze any open-source component brought into a project. SCA tools can discover all related components, their supporting libraries, and their direct and indirect dependencies. SCA tools can also detect software licenses, deprecated dependencies, as well as vulnerabilities and potential exploits. The scanning process generates a bill of materials (BOM), providing a complete inventory of a project’s software assets.
The community uses WhiteSource and Nexus-IQ.
More information: Code Scanning Tools and CI
Use safe and secure images
To build ONAP images, the community provides secure Docker images. These images are built from Alpine images:
- https://git.onap.org/integration/docker/onap-java11/about/
- https://git.onap.org/integration/docker/onap-python/about/
These images reduce the risk of threats; please use them.