...
| SBOM | OpenSSF best practices badge | LFX Security Dashboard | Vulnerability Reporting | Other | Contact | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ONAP | In progress. Debugging SPDX Generator Jenkins integration | Adopted by all sub projects. Several sub-projects at Silver level | On-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed. | Implemented | Active security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities. | |||||||||
| FD.IO |
| Coverity scans (and fixing issues found) has been ongoing since 2016 Security Response Process in place since 2016 | Dave Wallace | |||||||||||
| ODL | Integrated CycloneDX into CI
| In Progress 90% | On-boarded | |||||||||||
| Anuket | Deemed inapplicable for spec sub-projects. Cedric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications | See all *-grype and *-trivy views in build.opnfv.org ex: Xtesting | A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. Cedric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches. | |||||||||||
| Tungsten Fabric | On-boarded | Nick Davey | ||||||||||||
| EMCO | Work on SBOM not started yet | Work on OpenSSF badging not started yet | Gitlab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003) | GitLab issues? (nothing formalized yet) | Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO | |||||||||
| XGVela | On-boarded | Qihui Zhao | ||||||||||||
| L3AF | On-boarded | |||||||||||||
| ODIM | On-boarded | Muthukkumaran Ramalingam |
...