...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Yes - the PF team follows the best common practices regarding security and possible vulnerabilities | ✅ |
Implement Secure Design
Do the committers and PTL apply secure design principles when reviewing software for merging?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Yes - the PF team/PTL/committers review and look for security issues and recommend fixes before merging. | ✅?
|
...
| Your Answer-Please Describe | SECCOM Feedback / Recommendations |
|---|---|
ONAP documentation - https://docs.onap.org/projects/onap-policy-parent/en/latest/index.html | ✅ |
Documentation Security
Does your project have a description of what an user of your project can and cannot expect in terms of security from the software produced by the project, (In other words, what are its 'security requirements'?)
...
| Your Answer-Please Describe | SECCOM Feedback / Recommendations |
|---|---|
Test cases are found at https://github.com/onap/policy-docker/tree/master/csit/resources/tests showing that authentication must be done before interacting with any resource. ONAP docs describring how to run test cases https://docs.onap.org/projects/onap-policy-parent/en/latest/development/devtools/testing/csit.html | ? Good start,
|
Vulnerability Mitigation
Vulnerabilities Critical Fixed
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Sonarcloud reports can be found at: https://sonarcloud.io/project/overview?id=onap_policy-apex-pdp https://sonarcloud.io/project/overview?id=onap_policy-api https://sonarcloud.io/project/overview?id=onap_policy-clamp https://sonarcloud.io/project/overview?id=onap_policy-common https://sonarcloud.io/project/overview?id=onap_policy-distribution https://sonarcloud.io/project/overview?id=onap_policy-drools-applications https://sonarcloud.io/project/overview?id=onap_policy-drools-pdp https://sonarcloud.io/project/overview?id=onap_policy-gui https://sonarcloud.io/project/overview?id=onap_policy-models https://sonarcloud.io/project/overview?id=onap_policy-pap https://sonarcloud.io/project/overview?id=onap_policy-xacml-pdp | ❌ The following have security hotspots policy-common, policy-pap The latter is a high priority item that is >1 year old. How are OJSIs dealt with? |
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
We try to keep up to date on fixing vulnerabilities reported on IQ Nexus, except when dependency updates break the current code and a study is necessary to mitigate functionalities not working. | ? And sonar cloud? policy-pap has a high severity security item reported in sonarcloud for >1 year |
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
No UI No encryption, as data processed by PF hasn't been tagged as sensitive. The application uses Swagger for RESTful API, wherein it is set that Authorization headers are required for accessing API documentation. When PF runs with docker, the services use usernames and passwords that are stored as environment variables. For helm deployments PF uses K8s secrets which are generated and stored as the application is deployed. | ?
|
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| N/A | ✅ |
Crypto Random - Generic
Does your software use random information? If so, does it use a cryptographically secure random number generator?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
UUID random keys | ? How are UUIDs generated? (There are many bad ways.) |
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. ???? When PF runs with docker, the services use usernames and passwords that are stored as environment variables. For helm deployments PF uses K8s secrets which are generated and stored as the application is deployed. | ? Please expand on the use of configurable usernames+passwords and what they allow. |
Crypto Working
Does your software depend on any cryptographic algorithms that are known to be broken?
...
| Your Answer-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. When PF runs with docker, the services use username and passwords that are stored as environment variables. For helm deployments, PF uses K8s secrets which are generated and stored as the application is deployed. | ❌ Doesn't answer the question |
Crypto Keylength
Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations | ????|
|---|---|---|
❌ Doesn't answer the question |
Crypto Algorithm Agility
Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
K8s secrets that are generated and stored as apps are deployed. ACM-Runtime use java.UUID mechanism for generating unique identifiers. | ❌ doesnDoesn't answer the question |
Crypto Certificate Verification
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
Usernames and passwords are configurable by the clients via passing the environment variables for use in application.yml file. When PF runs with docker, the services use username and passwords that are stored as environment variables. For helm deployments, PF uses K8s secrets which are generated and stored as the application is deployed. | ❌ doesnDoesn't answer the question |
Crypto TLS1.2
Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF only communicates with components within ONAP. PF's primary communication is through HTTP. PF uses Kafka or REST api interfaces between PF components and service mesh for other communications. | ? is HTTP protected by mesh and HTTPS? |
Crypto Verification Private
...
| Your Answers-Please Explain | SECCOM Feedback / Recommendations |
|---|---|
PF is compliant and compatible with the ongoing service mesh implementation (https://gerrit.onap.org/r/c/oom/+/128543) for ONAP. | ❌ doesnDoesn't answer the question ?? |