SECCOM will define a set of metrics per release that will be used to measure the security maturity of each ONAP project. Each project will have it's maturity level documented in the release notes.

Guilin - DRAFT

1. All OJSI tickets closed.

2. All mariadb-galera and yyyy passwords removed from Helm charts.

3. All external HTTP ports converted to HTTPS.

4. Java and Python projects are all using the recommended versions.

   1. All projects that use Python have upgraded to Python 3 (version 3.8.0).

   2. All projects that use Java have upgraded to Java 11.

   3. Exceptions to Java 11 and Python 3 Migration at End of Frankfurt Release

5. All direct dependencies containing Critical or Severe vulnerabilities are updated per SECCOM recommendations.

   1. Guilin vulnerable package upgrade recommendations

6. Generate logs that can be collected by Kubernetes.

Frankfurt

1. All OJSI tickets closed, with the following exception.

   1. All fixes that have an unresolved dependency on AAF integration.

   2. Open OJSI tickets: OJSI Tickets Status

2. All mariabd-galera passwords removed from Helm charts, where the chart is using the common mariadb-galera chart. This applies to both common and dedicated instances of the db.

3. All external HTTP ports converted to HTTPS, with the following exceptions.

   1. HTTP ports discovered after M2/M3

   2. All fixes that have an unresolved dependency on AAF integration

   3. HTTP ports on testers