| Project | SBOM | OpenSSF best practices badge | LFX Security Dashboard | Vulnerability Reporting | Other | Contact |
|---|---|---|---|---|---|---|
| ONAP | In progress. Debugging SPDX Generator Jenkins integration | Adopted by all sub-projects. Several sub-projects at Silver level | On-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed. | Implemented | Active security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities. Coverity scans (and fixing the issues found) have been ongoing since 2016. Security Response Process in place since 2016. | |
| ODL | | In Progress 90% | On-boarded | | | |
| Tungsten Fabric | | | On-boarded | | | Nick Davey |
| EMCO | Work on SBOM not started yet | Work on OpenSSF badging not started yet | GitLab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003) | GitLab issues? (nothing formalized yet) | Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO | |

Deemed inapplicable for spec sub-projects.

Cedric Ollivier: self-declarative checks don't bring any value to the code project compared to patchset and deliverable verifications.

See all *-grype and *-trivy views in build.opnfv.org.

A few code projects are running the well-known Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest.

Cedric Ollivier: Is it only for master? A few LFN projects fail in checking the stable branches.