1. High Level Component Definition and Architectural Relationships (template)

2. Component API definitions

Template Component provides the following interfaces:

Offered Interface Name

Offered Interface Description

Model

API Specs (Swagger)

xxxE-1

External Interface Definition.

capabilities

x.y.z (according to strategy)

model-a

model-b

xxxI-2

Internal interfaces if we want to raise them

Display and update:

xxxxx

Note: xxxI interface is a internal interface. xxxxE interface is a external interface

Template Component consumes the following Interfaces:

Consumed Interface Name	Consumed Interface Description

3. Component Description:

A more detailed figure and description of the component.

<< link to project-specific description elsewhere >>

4. Component Deployment Architecture

Should reference the deployment section in the component description template

5. New Release Capabilities

<< list the new capabilities that were introduced in this release, or a hot-link to the key features. New sub-chapter per release, as per a release notes document >>

6. Security Conformance

ONAP Component API and data security conformance
- Describe the component Service Mesh conformance / plan for secure communications, routing, authentication and authorization configurations
  - Does the component have AAF dependencies? If so, describe the current dependencies and a migration plan to remove the dependancies
  - How does the component support authentication and authorization of its clients (Humans, other applications)?
- Describe the component data protection
  - Data storage location/mechanism
  - Data protection plan, such as data at rest, data-level access control, data in transit, others
  - User sensitive data handling (e.g., password)
Describe the component / container hardening
- The component must run as non-root-based users. Does the component use non-root-access only? Otherwise, describe the reasons and non-root-access support plans
- Does the component container require privilege access/right? If so, describe the reasons and migration plans
- Is the component image signed digitally for integrity? (TBD)
- Does the component use the basic image to conform to the global requirement REQ-1073: Using basic image from IntegrationTo Do
- Does the component follow the K8s hardening guide? e.g., from NSA, https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
Describe the component logging conformance
- Does the component conform to the Log field standards best practice, REQ-1072: Standardized logging fields To Do? If not, please describe the reasons and support plans.
- Does the component exclude user sensitive data (e.g., password, private key, other credentials) from logging? If not, please describe the reasons and support plans.
- Does the component support the Logging destination STDOUT / STDERR conformance? If not, please describe the reasons and support plans.
Documentation for the component security
- Describe the component security architecture and conformance in the document.

The project should fill out a ONAP Security Review Questionnaire Template and review it with SECCOM.
The project should follow the CISA Memory Safe Code guidance, not to introduce memory unsafe code, joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf, The-Case-for-Memory-Safe-Roadmaps-508c.pdf

7. Document Changes

8. References

to any supporting docs that are not referenced in other templates

ONAP Wiki

ONAP Component Architecture Review Template

Analytics