ONAP Integration performs 6 security tests on all ONAP pods. 100% passing is required for the release. The 6 tests are:

  • Pods running as root (root_pod)
  • Non-TLS endpoints (nonssl_endpoints)
  • Kubernetes tests (kube_hunter)
  • Java Debug Wire Protocol (jdwp) ports in the component (jdpw_ports)
  • Pods running with no limits on resource consumption (unlimited_pods)
  • Java 8 and Python 2 (versions)

Pods that need a feature flagged by any of these tests must file an exception. A non-compliance covered by an exception is not counted as a failure. Exceptions must be filed for each release, because they are not carried over to newer releases.

To file an exception, the project team must submit the waiver to the correct exception file in the integration/waivers repo.

Test               Waiver File
root_pod           root_pods
nonssl_endpoints   nonssl_endpoints
kube_hunter
jdpw_ports         jdwp_ports
unlimited_pods     unlimitted_pods
versions           versions

Format of exception request:

  • Commit message
    • <name of project> security exceptions for <release>
    • <name of test> (commit may contain multiple tests each with a list of pods)
      • <name of pod(s)> reason for exception (all pods in the list have the same exception reason)
    • notes about any approval discussions with SECCOM or TSC
  • For each waiver file (/waivers/<waiver file name>/<waiver file name>_xfail.txt), find the correct section (the sections vary from file to file) and add one line per pod in the following form:
    • <pod name> # (optional) <associated Jira>
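An added example, not ONAP's own integration tooling, that reads a waiver file in the line format above and reconciles it with a test's list of failing pods, so only non-compliances without a filed exception count as failures; the sample file contents and the exact-name matching are assumptions:

```python
import re

# Constructed sample in the waiver-file format this page describes:
#   <pod name> # (optional) <associated Jira>
# (values are an illustrative excerpt, not the live waivers repo)
SAMPLE_XFAIL = """\
# Expected failure list for rooted pods
# Unmaintained but still needed components
dcae-cloudify # DCAEGEN2-2424
# Upstream components
cassandra # OOM-2552
awx # used for use cases
"""

# Jira keys look like PROJECT-123; anything else after '#' is free text.
JIRA_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")


def parse_xfail(text):
    """Return {pod_name: jira_or_None} for every waived entry.

    Blank lines and lines whose first character is '#' are comments;
    on an entry line, the text after '#' may carry the associated Jira.
    """
    waivers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, comment = line.partition("#")
        match = JIRA_RE.search(comment)
        waivers[name.strip()] = match.group(1) if match else None
    return waivers


def evaluate(failing_pods, waivers):
    """Split a test's failing pods into waived ones and real failures.
    Assumes an exact name match (assumption; waiver lines use full names)."""
    waived = {p: waivers[p] for p in failing_pods if p in waivers}
    unwaived = sorted(p for p in failing_pods if p not in waivers)
    return waived, unwaived


if __name__ == "__main__":
    waived, unwaived = evaluate(["dcae-cloudify", "awx", "some-new-pod"],
                                parse_xfail(SAMPLE_XFAIL))
    print("waived:", waived)
    print("FAIL (no waiver filed):", unwaived)
```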

Using the gerrit approval process, SECCOM will review and approve/deny all requests. In some cases, review/approval may include the TSC.

Example submission

DCAE request for Istanbul exceptions.

Commit Message:

Parent:     cc950e68 ([ADMIN] Update and clean Integration committer list)
Author:     vv770d <vv770d@att.com>
AuthorDate: 2021-07-29 15:32:54 +0000
Commit:     vv770d <vv770d@att.com>
CommitDate: 2021-07-29 15:37:34 +0000
DCAE security exceptions for Istanbul
ROOT
dcae-cloudify has upstream base image dependency to run as root.
Once DCAE transformation to helm is completed, this container
will be deprecated (target J release)
Java8 exceptions for MOD/NiFI components (upstream NiFi project still on java8)
Exceptions approved by SECCOM on 06/29/21 meeting
Change-Id: I9de0d51fc526c910ffad202df16e967c716e9ab0
Signed-off-by: Vijay Venkatesh Kumar <vv770d@att.com>
Issue-ID: DCAEGEN2-2736
Issue-ID: DCAEGEN2-2424

waivers/root_pods/root_pods_xfail.txt

# Expected failure list for rooted ports
# Unmaintained but still needed components
# waivers requested already since Guilin but no progress
dcae-cloudify # DCAEGEN2-2424
# Upstream components
cassandra # OOM-2552
awx # used for use cases
netbox # used for use cases
multicloud-fcaps # rabbit-mq
# Testing components
robot # use for test cases + refactoring planned in Istanbul INT-1716

waivers/versions/versions_xfail.txt

# Waiver for versions test
# all the following docker images shall be excluded from the version scanning
#dcae exceptions
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2
nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2
apache/nifi-registry:0.5.0