View Source

The TAC is seeking a refresh of the project tool adoption. Projects should update this table by 18 Oct 2023

	SBOM	OpenSSF best practices badge	LFX Security Dashboard	Static Application Security Testing (SAST)	Software Composition Analysis (SCA)	Container Scanning	Automated Code Coverage Testing	Code Quality	Vulnerability Reporting	Other	Contact
ONAP	In progress. Debugging SPDX Generator Jenkins integration	Adopted by all sub projects. Several sub-projects at Silver level	On-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed.	SonarCloud	NexusIQ		SonarCloud	SonarCloud	Implemented	Active security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities.	Amy Zwarico , Pawel Pawlak
FD.IO	issue in finding suitable tool (VPP written in C code)	Work on OpenSSF badging not started yet but on a cursory review nearly all criteria are adopted.	On-boarded		Coverity	N/A	Gcov Report Generation CI job	Coverity	Implemented	Coverity scans (and fixing issues found) has been ongoing since 2016 Security Response Process in place since 2016	Dave Wallace
ODL	Integrated CycloneDX into CI	In Progress 90%	On-boarded								Robert Varga
Anuket		Deemed inapplicable for spec sub-projects. Cedric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications							See all -grype and -trivy views in build.opnfv.org ex: Xtesting xtesting-grype [Jenkins] (opnfv.org)	A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. tox.ini - functest - Test suites and cases to verify OPNFV Platform functionality Cedric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches.	Cedric Ollivier
EMCO	Work on SBOM not started yet	Work on OpenSSF badging not started yet	Gitlab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003)						GitLab issues? (nothing formalized yet)	Security analysis (August 2021, Srinivasa Addepalli) - Securing EMCO	Nadathur Sundar
XGVela			On-boarded								Qihui Zhao
L3AF			On-boarded								Jason Niesz
ODIM			On-boarded								Martin Halstead
Nephio		started	On-boarded								Lucy Hyde