...
Question | Description | Sample Answer | |
Basics: Identification; Basics: Prerequisites; Basics: Project oversight; Basics: Other | The questions in these Basics sections will be filled in automatically. Some questions change SHOULDs from previous levels to MUSTs. | ||
Question | Description | Sample Answer | |
Change Control: Public version-controlled source repository | |||
The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed] | This question will be filled in automatically from previous levels. | ||
The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks] | TBD DO WE HAVE POLICIES ON THIS? | ||
The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA] | TBD DO WE HAVE POLICIES ON THIS? | ||
The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA] | TBD DO WE HAVE POLICIES ON THIS? | ||
Question | Description | Sample Answer | |
Quality: Coding standards | |||
The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards] | TBD DO WE HAVE POLICIES ON THIS? | ||
The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review] | ONAP requires a committer other than the submitter to review each proposed modification. | Per https://wiki.onap.org/display/DW/Code+Review, self-commits are not allowed. | |
Question | Description | Sample Answer | |
Quality: Working build system | |||
The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible] | TBD AFAIK, WE DO NOT CURRENTLY HAVE A POLICY ON THIS | ||
Question | Description | Sample Answer | |
Quality: Automated test suite | These questions will be filled in automatically from previous levels. | ||
The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration] TBD WHERE IS THIS DOCUMENTED? A URL IS REQUIRED. | ONAP uses continuous integration. | JUnit tests are invoked from mvn. Pytest tests are invoked by running pytest from the command line. Rebar3 tests are invoked from the command line by running rebar3. All are included as part of Jenkins builds. All are standard testing tools invoked in a standard way. Robot Framework tests are invoked by standard Robot methodology, also triggered by Jenkins build jobs. https://wiki.onap.org/display/DW/Continuous+Integration https://wiki.onap.org/pages/viewpage.action?pageId=4718718 | |
A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation] | TBD WHERE IS THIS DOCUMENTED? A URL IS REQUIRED. | ||
Question | Description | Sample Answer | |
Security: Use basic good cryptographic practices; Security: Secured delivery against man-in-the-middle (MITM) attacks; Security: Publicly known vulnerabilities fixed | These questions will be filled in automatically from previous levels. | ||
The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site] | This will need to be resolved on an ONAP project basis. We cannot currently answer MET on this item. | Cannot be met yet. | |
Question | Description | Sample Answer | |
Analysis: Dynamic code analysis | Some questions in the Analysis section will be automatically filled in from previous levels. The remaining questions in the Analysis section must be individually answered according to your project. |
...