Skip to end of metadata
Go to start of metadata

SBOMOpenSSF best practices badgeLFX Security DashboardVulnerability ReportingOtherContact 
ONAPIn progress. Debugging SPDX Generator Jenkins integrationAdopted by all sub projects. Several sub-projects at Silver levelOn-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed.ImplementedActive security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities.

  • On-boarded
  • Cleanup required - Dashboard scans archived repos

Coverity scans (and fixing issues found) has been ongoing since 2016

Security Response Process in place since 2016

Dave Wallace

Integrated CycloneDX into CI

ODLPARENT-280 - Getting issue details... STATUS

In Progress 90%On-boarded


Deemed inapplicable for spec sub-projects.

Cedric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications

See all *-grype and *-trivy views in

ex: Xtesting

xtesting-grype [Jenkins] (

A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. 
tox.ini - functest - Test suites and cases to verify OPNFV Platform functionality

Cedric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches.

Tungsten Fabric


Nick Davey
EMCOWork on SBOM not started yetWork on OpenSSF badging not started yetGitlab is not yet supported by the dashboard ( issues? (nothing formalized yet)

Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO



Qihui Zhao




Muthukkumaran Ramalingam
  • No labels