...


Question | Description | Sample Answer

Basics: Identification

Basics: Prerequisites

Basics: Project oversight

Basics: Other

The questions in these Basics sections will be filled in automatically.

Some questions change SHOULDs from previous levels to MUSTs.



The project MUST include a copyright statement in each source file, identifying at least one relevant year and copyright holder. [copyright_per_file]

*ONAP project common response*


All source and documentation files are required to have copyright notices.


The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. [license_per_file]

*ONAP project common response*


All source and documentation files are required to have license statements.

Question | Description | Sample Answer

Change Control: Public version-controlled source repository




The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed]

This question will be filled in automatically from previous levels.

The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]

TBD

DO WE HAVE POLICIES ON THIS?



The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA]

*ONAP project common response*

This will need to be resolved on an ONAP project basis. We cannot currently answer MET on this item.

Cannot be met yet. Select unmet.

The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA]

*ONAP project common response*

This will need to be resolved on an ONAP project basis. We cannot currently answer MET on this item.

Cannot be met yet. Select unmet.

Question | Description | Sample Answer

Quality: Coding standards




The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]

TBD

DO WE HAVE POLICIES ON THIS?



The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion. [two_person_review]

*ONAP project common response*

ONAP requires a committer other than the submitter to review each proposed modification.

https://wiki.onap.org/display/DW/Code+Review

Per https://wiki.onap.org/display/DW/Code+Review, self-commits are not allowed.

Question | Description | Sample Answer

Quality: Working build system




The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]

TBD

AFAIK, WE DO NOT CURRENTLY HAVE A POLICY ON THIS



Question | Description | Sample Answer

Quality: Automated test suite

These questions will be filled in automatically from previous levels.

The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]

*ONAP project common response*

ONAP uses continuous integration, and unit tests run automatically during CI.

JUnit tests are invoked from mvn. Pytest tests are invoked by running pytest from the command line. Rebar3 tests are invoked from the command line by running rebar3. All are included as part of Jenkins builds. All are standard testing tools invoked in the standard way.
Robot Framework tests are invoked by the standard Robot methodology, also triggered by Jenkins build jobs.
https://wiki.onap.org/display/DW/Continuous+Integration
https://wiki.onap.org/pages/viewpage.action?pageId=4718718

A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]

TBD

WHERE IS THIS DOCUMENTED? A URL IS REQUIRED.



Question | Description | Sample Answer

Security: Use basic good cryptographic practices

Security: Secured delivery against man-in-the-middle (MITM) attacks

Security: Publicly known vulnerabilities fixed

These questions will be filled in automatically from previous levels.

The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]

*ONAP project common response*

This will need to be resolved on an ONAP project basis. We cannot currently answer MET on this item.

Cannot be met yet. Select unmet. For a reason, type:

// X-Content-Type-Options was not set to "nosniff".

Details on why this cannot be set to Met:

The project website, wiki.onap.org, has these headers. https://securityheaders.io/ gives an A grade.
  content-security-policy: frame-ancestors 'self'
  strict-transport-security: max-age=15552000
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block

The code repository, gerrit.onap.org, has some of the headers. https://securityheaders.io/ gives a D grade.
  content-security-policy: NOT PRESENT
  Strict-Transport-Security: max-age=15552000
  X-Content-Type-Options: NOT PRESENT
  X-Frame-Options:
  X-XSS-protection: NOT PRESENT

The download site, nexus.onap.org, has some of the headers. https://securityheaders.io/ gives a C grade.
  content-security-policy: NOT PRESENT
  strict-transport-security: max-age=15552000
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  x-xss-protection: NOT PRESENT
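The per-site header lists above are what a project maintainer has to re-check every time the badge is revisited. The following is an added example (not ONAP code and not the securityheaders.io grader) of a small checker that parses a raw response-header block and reports, for the four headers this page treats as required (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options), whether each is ok, present-but-permissive, or missing. The three sample header blocks are constructed from the values quoted above, not captured live; the rules for "nonpermissive" (HSTS max-age above zero, X-Content-Type-Options exactly nosniff, X-Frame-Options DENY or SAMEORIGIN, a CSP that is non-empty and uses no wildcard source) are this example's own simplification, and a header with an empty value, as shown for gerrit's X-Frame-Options, is counted as missing.

```python
"""Evaluate hardening headers against the hardened_site criterion.

Added example; not ONAP tooling. Header samples are constructed from the
values quoted on the page, not captured from live servers.
"""
import re
from typing import Callable, Dict, List


def _hsts_ok(value: str) -> bool:
    # HSTS is only useful with a positive max-age.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return m is not None and int(m.group(1)) > 0


def _csp_ok(value: str) -> bool:
    # Simplified rule (assumption): non-empty and no wildcard source.
    return bool(value.strip()) and "*" not in value


def _nosniff_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def _xfo_ok(value: str) -> bool:
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


# Header name (lower-case) -> predicate returning True for a nonpermissive value.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "content-security-policy": _csp_ok,
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": _nosniff_ok,
    "x-frame-options": _xfo_ok,
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines; names are lower-cased because servers mix case."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate(raw: str) -> Dict[str, str]:
    """Return {header: 'ok' | 'weak' | 'missing'} for each checked header."""
    headers = parse_headers(raw)
    result: Dict[str, str] = {}
    for name, is_ok in CHECKS.items():
        value = headers.get(name, "")
        if value == "":          # absent, or present with an empty value
            result[name] = "missing"
        elif is_ok(value):
            result[name] = "ok"
        else:
            result[name] = "weak"
    return result


def missing_or_weak(raw: str) -> List[str]:
    """Sorted list of headers that would block a MET answer."""
    return sorted(name for name, status in evaluate(raw).items() if status != "ok")


# Constructed samples mirroring the three sites described on the page.
WIKI_HEADERS = """content-security-policy: frame-ancestors 'self'
strict-transport-security: max-age=15552000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
"""
GERRIT_HEADERS = """Strict-Transport-Security: max-age=15552000
X-Frame-Options:
"""
NEXUS_HEADERS = """strict-transport-security: max-age=15552000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
"""

if __name__ == "__main__":
    for site, raw in (("wiki", WIKI_HEADERS), ("gerrit", GERRIT_HEADERS), ("nexus", NEXUS_HEADERS)):
        print(site, evaluate(raw))
```

Feeding it the output of `curl -sI https://<host>/` (the header block after the status line) gives the same verdict for a live site; an empty missing_or_weak list is the condition under which the criterion could be marked MET.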


Question | Description | Sample Answer

Analysis: Dynamic code analysis

Some questions in the Analysis section will be automatically filled in from previous levels.

The remaining questions in the Analysis section must be individually answered according to your project.


...