Share your community's best practices that might be applicable to other projects.
Documentation
CI/CD best practices
- Automating rejection of insecure merges (planned PoC in ONAP)
Software Bill Of Materials (SBOM)
- ONAP work - https://wiki.onap.org/display/DW/Software+Bill+of+Materials
- ONAP presentation - SBOM_DBOM.pptx
- Scripts for automated SBOM generation by Maven
- From Robert Varga, February-24-2021 :
As per my AI, I have reached out to Jessica. The LFN-side of the build tools is tracked here, the corresponding patch here .
For the purposes of OpenDaylight, I think using a tool outside of our build system (Maven) is less than optimal. Since OpenDaylight has a project managing default build system policy, I have filed
ODLPARENT-280 - Generate an SBOM for artifacts RESOLVED to track this effort. There are maven plugins for both SPDX and CycloneDX. The former is under development and it seems to have a number of issues, while the latter seems to be a breeze to integrate.
So the initial test is to add the plugin execution via a trivial patch and then let the normal build pipeline treat SBOMs just as any other maven artifact. This results in metadata being correctly propagated to properly propagate to Nexus even for snapshots (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/odlparent/opendaylight-karaf-empty/10.0.0-SNAPSHOT/, scroll down to see latest artifacts) and also to staging repositories, for example here: https://nexus.opendaylight.org/content/repositories/odlparent-2204/org/opendaylight/odlparent/opendaylight-karaf-empty/10.0.0/ .
From what I can tell the SBOM is reasonably complete, but it would be nice if someone could validate it to see whether we need to provide more metadata.
- From Robert Varga, February-24-2021 :
Architecture
Software packaging
How to secrete supply chain? signing and authentication. Are there common ways to package software in the LF? There are differences in tooling, that depend on things like the programming language. There may not be one tool that fits all.
How to test security (as part of CI/CD)?
How to manage dependencies?
- Direct dependencies are simpler
- Indirect dependencies may be more tricky
- How to automate the mitigation?