The TAC is seeking a refresh of the project tool adoption.  Projects should update this table by  

SBOMOpenSSF best practices badgeLFX Security DashboardStatic Application Security Testing (SAST)Software Composition Analysis (SCA)Dynamic Application Security Testing (DAST)Container ScanningAutomated Code Coverage TestingCode QualityVulnerability ReportingOtherContact 
ONAPIn progress. Debugging SPDX Generator Jenkins integrationAdopted by all sub projects. Several sub-projects at Silver levelOn-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed.SonarCloudNexusIQ

SonarCloudSonarCloudImplementedActive security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities.
FD.IOissue in finding suitable tool (VPP written in C code)Work on OpenSSF badging not started yet but on a cursory review nearly all criteria are adopted.
  • On-boarded

N/AGcov Report Generation CI jobCoverityImplemented

Coverity scans (and fixing issues found) has been ongoing since 2016

Security Response Process in place since 2016

Dave Wallace

Integrated CycloneDX into CI

ODLPARENT-280 - Getting issue details... STATUS

In Progress 90%On-boarded


Deemed inapplicable for spec sub-projects.

Cedric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications

See all *-grype and *-trivy views in

ex: Xtesting

xtesting-grype [Jenkins] (

A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. 
tox.ini - functest - Test suites and cases to verify OPNFV Platform functionality

Cedric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches.

EMCOWork on SBOM not started yetWork on OpenSSF badging not started yetGitlab is not yet supported by the dashboard (

GitLab issues? (nothing formalized yet)

Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO



Qihui Zhao





Lucy Hyde 
  • No labels