The following items are expected to be completed for the project to Pass the M4 Code Freeze Milestone.
M4 Release Code Freeze Milestone overview is available in wiki.
Usage
- Use the "Copy" option (available under the ..., top right of this page) to duplicate this template into your project wiki.
- Fill out the Yes/No column
- Provide link to evidence (when necessary)
| Practice Area | Checkpoint | Yes/No | Evidences | How to? |
|---|---|---|---|---|
| Security | Has the Release Security/Vulnerability table been filled out in the protected Security Vulnerabilities wiki space? | Table in in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan; all NexusIQ finding are marked as false positive or exploitable with the supporting analysis. | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table | |
| Are all Defects of priority Highest and High in status "Closed" in Jira? (this includes the Jira for Critical and Severe NexusIQ findings) | All Jira tickets for vulnerability elimination are complete. | Complete Jira tickets | ||
| Did the project achieve the enablement of transport level encryption on all interfaces and the option of disabling transport level encryption? | All interfaces are exposed over TLS and the secure protocol can optionally be turned off | |||
| Do all containers run as a non-root user and is documentation available for those containers that must run as root in order to enable ONAP features? |
| https://wiki.onap.org/display/DW/Best+Practices | ||
| Provide the "% Achieved" on the CII Best Practices program. | Provide link to your project CII Best Practices page. | As documented in CII Badging Program, teams have to fill out CII Best Practices | ||
| Product Management | Have all JIRA Stories supporting the release use case been implemented? | By using the macro JIRA Issue/Filter, provide a link to JIRA in listing the stories that are implemented in the current Release. (Example Getting issues... for AAI project, edit for your project) | For each JIRA story that are implemented in the current release, you have to setup in JIRA the JIRA fixVersion="Dublin Release" | |
| List the Stories that will not be implemented in this current Release. | By using the macro JIRA Issue/Filter, provide a link to JIRA in listing the stories that are NOT implemented in the current release. (Example Getting issues... for AAI project, edit for your project) | For each JIRA story that will not be implemented in the current Release, you have to setup in JIRA the JIRA fixVersion="El Alto Release" | ||
| Are committed Sprint Backlog Stories been coded and marked as "Closed" in Jira? | Provide Link to Project backlog | |||
| Are all tasks associated with committed Sprint Backlog Stories been marked as "Closed" in Jira? | ||||
Is there any Critical and Severe level security vulnerabilities older than 60 days old in the third party libraries used within your project unaddressed? Nexus-IQ classifies level as the following:
which is complaint with CVSS V2.0 rating. | In the case critical known vulnerability are still showing in the report, fill out the Security/Vulnerability Threat Template - Beijing, Casablanca, Dublin in your project. | Ensure the Nexus-IQ report from “Jenkins CLM” shows 0 critical security vulnerability. Open the Nexus-IQ report for the details on each repo. | ||
| Release Management | Have all issues pertaining to FOSS been addressed? | |||
| Have all findings from previous milestones been addressed? | List previous milestone issues that have not been addressed. | For M2 and M3 Milestones, ensure all findings have been closed. | ||
Has the Project Team reviewed and understood the most recent license scan reports from the LF, for both (a) licenses within the codebase and (b) licenses for third-party build time dependencies? | ||||
| For both (a) and (b), have all high priority non-Project Licenses been either removed or escalated as likely exception requests? | ||||
| Development | Are all Defects of priority Highest and High in status "Closed" in Jira? | Provide link to JIRA issue (type bug) of priority Highest and High. | ||
| Has the Platform Maturity Table been updated with implementation Status at M4? | For each Release, there is a Platform Maturity table created for PTLs to record their goals and achievement at M4 (Example: Casablanca Release Platform Maturity) | |||
| Has the project team reach the Automated Unit Test Code Coverage expectation? (Refer to artifacts available in Sonar) | Goal: 55% for Incubation project in the current release | For evidences, provide link(s) to Gerrit repos by providing the URL as shown in this example | ||
| Is there any binaries (jar, war, tar, gz, gzip, zip files) in Gerrit project repository? | Refer to CI Development Best Practices | |||
| Is there any pending commit request older than 36 hours in Gerrit? | ||||
| Are all the Jenkins jobs successfully passed (verify + merge jobs)? | Provide link to "Merge job" as evidence in Jenkins project tab | |||
| Have all OOM Staging Healtcheck related to your project passed? | ||||
| Are all snapshot binaries available in Nexus-staging? | Provide link to evidence | |||
| Do you have a clear plan to implement the Independent Versioning and Release Process by RC0? | Contact the upstream teams to make sure they will release their artifacts (in Nexus Release repo) so you can build by depending on these released artifacts by RC0. | |||
| Integration and Testing | Have 100% of Continuous System Integration Testing (CSIT) Use Cases been implemented successfully in Jenkins? | All jobs pertaining to your project MUST pass | ||
| Is there a Docker images available for your project deliverable? | Provide link to Nexus repos | |||
| Has the project code successfully passed the Daily Build process? | Goal is to ensure the latest project commit has not broken the Integration Daily Build | |||
| Doc | Has the team created a docs folder and Development and Release Notes documentation templates in Readthedocs? | Add a link to your project documentation in ReadTheDocs. | Documentation Team is using Readthedocs for documenting user facing documentation. ReadTheDcos shall be considered as a starting point for someone new within ONAP. The ReadTheDocs is the ONAP Documentation facade visible to users. | |
| Is the API documentation section populated? | Link to evidence | Ensure there is at least a direct link toward the API documentation which may be already existing in the wiki. |