...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Yes - the PF team/PTL/committers review and look for security issues and recommend fixes before merging. | ✅ |
Know Common Errors
Do the committers and PTL understand commonly found errors (and how to counter or mitigate them)? Do they apply these principles when reviewing software for merging?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Yes - the PF team & PTL are aware of common security risks and how to mitigate them | ✅ |
No Leaked Credentials
Do the committers and PTL verify that there are no non-test credentials and no non-test private keys in code to be merged?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
We have public user/password in configuration files, including test files. It's recommended to change it and most of the non-test usage is done with helm charts, which generate secrets. | ✅ |
Security Documentation
Documentation Architecture
...
| Your Answer-Please Describe | SECCOM Feedback / Recommendations |
|---|---|
All the resources that can be accessed in PF require authentication | ❌
|
Assurance Case
Does your project actually meet its documented security requirements?
...
| Your Answer-Please Describe | SECCOM Feedback / Recommendations |
|---|---|
Test cases are found at https://github.com/onap/policy-docker/tree/master/csit/resources/tests showing that authentication must be done before interacting with any resource. ONAP docs describring how to run test cases https://docs.onap.org/projects/onap-policy-parent/en/latest/development/devtools/testing/csit.html | Good start |
Vulnerability Mitigation
Vulnerabilities Critical Fixed
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Sonarcloud reports can be found at: https://sonarcloud.io/project/overview?id=onap_policy-apex-pdp https://sonarcloud.io/project/overview?id=onap_policy-api https://sonarcloud.io/project/overview?id=onap_policy-clamp https://sonarcloud.io/project/overview?id=onap_policy-common https://sonarcloud.io/project/overview?id=onap_policy-distribution https://sonarcloud.io/project/overview?id=onap_policy-drools-applications https://sonarcloud.io/project/overview?id=onap_policy-drools-pdp https://sonarcloud.io/project/overview?id=onap_policy-gui https://sonarcloud.io/project/overview?id=onap_policy-models https://sonarcloud.io/project/overview?id=onap_policy-pap https://sonarcloud.io/project/overview?id=onap_policy-xacml-pdp | The following have security hotspots policy-common, policy-pap The latter is a high priority item that is >1 year old. How are OJSIs dealt with? |
Vulnerabilities Fixed 60 Days
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
We try to keep up to date on fixing vulnerabilities reported on IQ Nexus, except when dependency updates break the current code and a study is necessary to mitigate functionalities not working. | And sonar cloud? policy-pap has a high severity security item reported in sonarcloud for >1 year |
Non-Cryptographic Software Questions
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
BeanValidation is used for any request coming in, checking if format and type rules are matched. | ✅ |
Hardening
Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
No UI No encryption, as data processed by PF hasn't been tagged as sensitive. The application uses Swagger for RESTful API, wherein it is set that Authorization headers are required for accessing API documentation. When PF runs with docker, the services use usernames and passwords that are stored as environment variables. For helm deployments PF uses K8s secrets which are generated and stored as the application is deployed. |
|
Cryptographic-specific Software Questions
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations | UUID random keys|
|---|---|---|
UUID random keys | How are UUIDs generated? (There are many bad ways.) |
Crypto Weaknesses
Does your software depend on any cryptographic algorithms or modes that have known serious weaknesses?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. ???? When PF runs with docker, the services use usernames and passwords that are stored as environment variables. For helm deployments PF uses K8s secrets which are generated and stored as the application is deployed. | Please expand on the use of configurable usernames+passwords and what they allow. |
Crypto Working
Does your software depend on any cryptographic algorithms that are known to be broken?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. When PF runs with docker, the services use username and passwords that are stored as environment variables. For helm deployments, PF uses K8s secrets which are generated and stored as the application is deployed. | Doesn't answer the question |
Crypto Keylength
Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| ???? |
Crypto Algorithm Agility
Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
K8s secrets that are generated and stored as apps are deployed. ACM-Runtime use java.UUID mechanism for generating unique identifiers. | doesn't answer the question |
Crypto Certificate Verification
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF is compliant and compatible with the ongoing service mesh implementation (https://gerrit.onap.org/r/c/oom/+/128543) for ONAP. | ✅ |
Crypto Credential Agility
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. When PF runs with docker, the services use username and passwords that are stored as environment variables. For helm deployments, PF uses K8s secrets which are generated and stored as the application is deployed. | doesn't answer the question |
Crypto TLS1.2
Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF is compliant and compatible with the ongoing service mesh implementation (https://gerrit.onap.org/r/c/oom/+/128543) for ONAP. | ✅ |
Crypto Used Network
Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF only communicates with components within ONAP. PF's primary communication is through HTTP. PF uses Kafka or REST api interfaces between PF components and service mesh for other communications. | is HTTP protected by mesh and HTTPS? |
Crypto Verification Private
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF is compliant and compatible with the ongoing service mesh implementation (https://gerrit.onap.org/r/c/oom/+/128543) for ONAP. | doesn't answer the question ?? |