The TAC is seeking a refresh of the project tool adoption. Projects should update this table by
| Project | SBOM | OpenSSF best practices badge | LFX Security Dashboard | Static Application Security Testing (SAST) | Software Composition Analysis (SCA) | Dynamic Application Security Testing (DAST) | Container Scanning | Automated Code Coverage Testing | Code Quality | Vulnerability Reporting | Other | Contact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ONAP | In progress. Debugging SPDX Generator Jenkins integration. | Adopted by all sub-projects. Several sub-projects at Silver level. | On-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed. | SonarCloud | NexusIQ | SonarCloud | SonarCloud | Implemented | Active security sub-committee. Meets regularly and pre-emptively addresses threats and vulnerabilities. |
| FD.io | Issue in finding a suitable tool (VPP is written in C). | Work on OpenSSF badging not started yet, but on a cursory review nearly all criteria are already met. | Coverity | N/A | Gcov report generation CI job | Coverity | Implemented |

Coverity scans (and fixing the issues found) have been ongoing since 2016.
Security Response Process in place since 2016.

| ODL | In progress (90%) | On-boarded |

Deemed inapplicable for spec sub-projects.
Cedric Ollivier: self-declarative checks don't bring any value to the code project compared to patchset and deliverables verifications.
See all *-grype and *-trivy views in build.opnfv.org.
A few code projects are running the well-known Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest.
Cedric Ollivier: is it only for master? A few LFN projects fail in checking the stable branches.

| EMCO | Work on SBOM not started yet. | Work on OpenSSF badging not started yet. | GitLab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003). | GitLab issues? (nothing formalized yet) |