Versions Compared

Old Version 19

changes.mady.by.user Samuli Kuusela

Saved on

compared with

New Version 20

changes.mady.by.user Samuli Kuusela

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Meet with Coverity (schedule call, include Tony Hansen , someone from Linux Foundation) 
    • Will Scan integrate with Gerrit? (Coverity Scan tool indicates that it does integrate with Gerrit.)
    • Can it integrate with Jenkins (use resources from Linux Foundation to assist)?
    • How long does it take to run a scan and get results?
    • Lead time with Coverity to use Scan?
    • Mass registration of all ONAP subcomponents (approximately 30 projects, 210 subprojects)?
  • Identify an open source project actively using Coverity Scan to get their feedback on the integration of Scan with their code development lifecycle
  • Determine whether or not the restrictions on scan frequency will cause a problem for any of the ONAP projects
  • Identify an ONAP project willing to test Scan (possibly CLAMP since they are also going through CII badging)
  • Integrate Scan with ONAP code development (if Scan is determined to be a viable product)

5.

...

Security of the xNF Package and the Artifacts

Several priorities were discussed.Status: Priority 1 approved by TSC

Disussion:


Priority 1:

...

xNF Package Verification (Committed for Dublin as part of 5G use case

...

)

...

Integrity of the

...

xNF package needs to be verified prior to, or at the time of onboarding. The purpose is to ensure that the

...

xNF package originates from the vendor, and that the content has not been tampered with. The verification is done against the signature provided by the vendor. Reference [ETSI NFV SOL004] contains the detailed specifications on VNF package. As of March 2019 this is being implemented for Dublin release in SDC and VNF SDK (VNF SDK includes partial implementation from Casablanca).

Priority 2

...

: Integrity Verification at Instantiation (Release TBD)

Reference . This is still FFS.
- Reference [ETSI NFV SEC021] is the main specification of this feature. As of March 2019 the status is 'final draft for approval', target date of publication is July 2019.
As of March 2019, ETSI NFV plans changes in [ETSI NFV SOL004] impacting this item: creation of signature per individual artifact in the VNF package (by the package vendor) is planned to be mandatory.

Priority 3

...

: Service Provider Ability to Sign the Artifacts (Release TBD)

Reference . This is still FFS.
- Reference [ETSI NFV SEC021] is the main specification of this feature. As of March 2019 the status is 'final draft for approval', target date of publication is July 2019.

References

[ETSI NFV SOL004]
ETSI GS NFV-SOL 004 V2.3.1 (2017-07): http://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.03.01_60/gs_nfv-sol004v020301p.pdf

...