Passing grade

Silver Grade

CII Badge Security

Considerations

VVP is a set of Python scripts executed locally, without any communication over the network. The interface provided to users is a CLI, and YAML documents are loaded and linted against the VNF Heat Template Guidelines.

This introduces one potential security concern: the loading of YAML documents of unknown origin on a user's machine. According to the PyYAML documentation:

Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.

In 2018, the vvp validation scripts were updated to use the PyYAML safe_load method, which mitigates the potential for a crafted template to trigger execution of arbitrary Python functions during parsing.

Bug reports:

Raise a bug report against the vvp project in the ONAP JIRA.

Refer to the ONAP contribution process; see the ONAP wiki page Getting Involved.

Requirements for acceptable contributions:

Refer to the ONAP contribution process; see the ONAP wiki pages Developer Best Practices and Development Procedures & Policies.

The LFN code of conduct applies: https://lfprojects.org/policies/code-of-conduct/