Configuration Persistence Service (CPS)

Projects that follow the best practices below can voluntarily self-certify and show that they have achieved the Core Infrastructure Initiative (OpenSSF) badge.

If this is your project, please show your badge status on your project page! The badge status looks like this: badge level for project 4398 is gold.

These are the Gold level criteria. You can also view the Passing and Silver level criteria.


 Basics 5/5

  • Public version-controlled source repository


    The project MUST use common distributed version control software (e.g., git or mercurial) as its source repository. [repo_distributed]

    GitHub is used as the project's source repository. Repo links are shared below:
    • https://github.com/onap/cps
    • https://github.com/onap/cps-cps-temporal
    • https://github.com/onap/cps-ncmp-dmi-plugin
    • https://github.com/onap/cps-cps-tbdmt



    The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]

    The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms, such as SMS, though that is not recommended. [require_2FA]

    2FA authentication is enabled for merging in Gerrit for all of ONAP.



    The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, because it is not encrypted. [secure_2FA]

    2FA authentication is enabled for merging in Gerrit for all of ONAP.


  • Coding standards


    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]

    The ONAP specifications for code review are used in CPS. It is ensured that there are at least two +1s from unassociated significant contributors and committers before the code is merged.
    • https://wiki.onap.org/display/DW/Committer+Best+Practices#CommitterBestPractices-BestPractices



    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine whether it is a worthwhile modification and free of known issues that would argue against its inclusion. [two_person_review]

    The ONAP specifications for code review are used in CPS. It is ensured that there are at least two +1s from unassociated significant contributors and committers, other than the person who raised the review, before the code is merged.
    • https://wiki.onap.org/display/DW/Committer+Best+Practices#CommitterBestPractices-BestPractices


  • Working build system


    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]

  • Automated test suite


    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]

    Unit testing is covered using Groovy and Spock tests. These can be executed using mvn test. CSIT tests are included in the application for integration testing. These tests use the Robot framework.
    • https://github.com/onap/cps/tree/master/csit



    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]

    CI/CD jobs are incorporated to ensure that all the jobs are executed, including verification, Sonar and merge. This link lists all the jobs included for CPS projects.
    • https://jenkins.onap.org/view/cps/



    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    A CSIT integration test suite is included to test all the REST APIs that are developed in CPS. Example:
    • https://github.com/onap/cps/tree/master/csit
    The coverage check is tested and reported using JaCoCo coverage in Sonar:
    • https://sonarcloud.io/component_measures?id=onap_cps&metric=coverage&view=list
    • https://sonarcloud.io/component_measures?id=onap_cps-cps-temporal&metric=coverage&view=list



    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

    Test suites cover the entire code in the branch except for the unit tests and CSIT integration tests.


  • Use basic good cryptographic practices

    Note that some software does not need to use cryptographic mechanisms.

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). [crypto_used_network]


    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

  • Secured delivery against man-in-the-middle (MITM) attacks


    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with non-permissive values. (URL required) [hardened_site]

    CPS uses GitHub as the central repository. Verified CPS (https://github.com/onap?q=cps) using the site specified: https://securityheaders.com/. Found all required security hardening headers. All headers are set with non-permissive values:
    • HTTP Strict Transport Security (HSTS): max-age=31536000; includeSubdomains; preload
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: deny
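    The check behind this criterion is mechanical enough to automate in a release pipeline: fetch the site's response headers and confirm that each key hardening header is present and carries a non-permissive value, rather than merely being present. The following is an added example and is not code from the CPS project or from the badge site; it validates the three headers quoted in the answer above against a header dictionary. The one-year minimum for the HSTS max-age, the requirement that includeSubDomains be set, and the acceptance of SAMEORIGIN alongside DENY for X-Frame-Options are assumptions taken from common hardening guidance, not from this page; the sample header sets are constructed.

```python
"""Validate key HTTP hardening headers for non-permissive values.

Added example (not CPS project code). Thresholds below are assumptions
drawn from common hardening guidance, not from the badge criteria text.
"""
from typing import Dict, List

# Minimum HSTS lifetime accepted by this check: one year (assumption).
MIN_HSTS_MAX_AGE = 31536000


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; fold them to lower case."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def _parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict
    keyed by lower-cased directive name ('' for flag directives)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def check_hardening_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every header checked
    here is present with a non-permissive value."""
    h = _normalise(headers)
    findings: List[str] = []

    # Strict-Transport-Security: must exist, be long-lived, cover subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too short
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # X-Content-Type-Options: the only non-permissive value is 'nosniff'.
    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options not 'nosniff': {xcto!r}")

    # X-Frame-Options: DENY or SAMEORIGIN; anything else (e.g. ALLOW-FROM)
    # is treated as permissive.
    xfo = h.get("x-frame-options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options permissive or missing: {xfo!r}")

    return findings


# Constructed sample: the values quoted in the badge answer above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
}

# Constructed sample of a weak configuration, for contrast.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        result = check_hardening_headers(hdrs)
        print(label, "->", "OK" if not result else result)
```

In a real pipeline the header dictionary would come from an HTTPS response to the project site (for example `urllib.request.urlopen(url).headers`), and a non-empty findings list would fail the build; the function is kept independent of any HTTP client so it can be unit-tested offline.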


  • Other security issues


    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]

    ONAP runs a Nexus IQ report once every release to ensure the security requirements are met: https://jenkins.onap.org/view/cps/job/cps-maven-clm-master/

    CPS has finalized the security review questionnaire, and it has been reviewed by the SECCOM committee. See https://wiki.onap.org/display/DW/CPS+-+ONAP+Security+Review+Questionnaire



    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]

    CPS exposes RESTful APIs to be used by other services and does not own a GUI. All services are required to authenticate themselves while using the CPS APIs. CPS includes security fixes in the software lifecycle. CPS does not have a UI and does not use JavaScript. The application uses Swagger for the RESTful API, wherein it is set that Authorization headers are required for accessing the API documentation. When CPS is run with Docker, the services use usernames and passwords that are stored as environment variables. CPS uses K8s secrets, which are generated and stored as the application is deployed. CPS is compliant and compatible with the ongoing service mesh implementation (see https://gerrit.onap.org/r/c/oom/+/124287) for ONAP.

    See https://wiki.onap.org/display/DW/CPS+-+ONAP+Security+Review+Questionnaire#CPSONAPSecurityReviewQuestionnaire-Hardening


  • Dynamic code analysis


    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software before its release. [dynamic_analysis]

    CPS has a project set up with ONAP SonarCloud for analysis, see https://sonarcloud.io/component_measures?metric=coverage&view=treemap&id=onap_cps, wherein a minimum of 97% code coverage is always maintained by the team. CPS also uses the SonarQube Scanner for Maven, which uses the JaCoCo plugin to generate code coverage reports during the build process and track code coverage at run-time.



    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]

    Instead of run-time assertions, pre-run assertions are included, where all the tests, including the integration tests, are executed. Only after the pre-run tests succeed are the projects released and deployed to production. CPS uses Groovy for all unit and integration testing, which is compiled and executed at runtime. CPS uses its capability to perform runtime assertions; see the following example: https://gerrit.onap.org/r/gitweb?p=cps.git;a=blob;f=cps-ncmp-service/src/test/groovy/org/onap/cps/ncmp/api/impl/operations/DmiDataOperationsSpec.groovy;h=03825c2bbf34398df77a0028ee0825e96f5a5fbb;hb=3d97a963ce51c4f0ecdb656a3b25bcabf2f6f8b7



This data is available under the Creative Commons Attribution version 3.0 or later license (CC-BY-3.0+). All are free to share and adapt the data, but must give appropriate credit. Please credit mrsjackson76 and the OpenSSF Best Practices badge contributors.

Project badge entry owner: mrsjackson76.
Entry created 2020-11-06 15:16:30 UTC, last updated 2023-11-06 20:25:48 UTC. Last lost passing badge at 2021-07-15 11:20:34 UTC. Last achieved passing badge at 2021-07-26 15:12:53 UTC.
