What is the CII Badging program?

A CII (Core Infrastructure Initiative) badge may be achieved by projects that follow the best practices criteria for Free/Libre and Open Source Software (FLOSS).

The CII was created by the Linux Foundation in response to previous security issues in open-source projects (e.g. Heartbleed in OpenSSL).

CII badging covers the following areas:

  Basics, Change Control, Reporting, Quality, Security & Analysis

Projects in ONAP should be CII certified to an appropriate level in order to conform with the expectation of carrier grade.

Levels

There are 3 badge levels:

  • Passing
  • Silver
  • Gold

The levels may further be subdivided as follows:

Level 1: 70% of the projects passing level 1,
with the non-passing projects reaching 80% towards the passing level.
Non-passing projects MUST pass specific cryptography criteria outlined by the Security Subcommittee*

Level 2: 70% of the projects passing silver,
with non-silver projects having completed the passing level and being 80% towards the silver level.

Level 3: 70% of the projects passing gold,
with non-gold projects achieving the silver level and being 80% towards the gold level.

Level 4: 100% passing gold.


Some important high-level example criteria for the various levels are listed below for quick reference:

Level

Details/Criteria

Passing

The project website MUST succinctly describe what the software does (what problem does it solve?).
The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project).

Silver

The project MUST document what the user can and cannot expect in terms of security from the software produced by the project. The project MUST identify the security requirements that the software is intended to meet and an assurance case that justifies why these requirements are met.

The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, and evidence that common security weaknesses have been countered.

Gold

The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion.

Requirement

For the Beijing release, the requirement is that at least 70% of the projects are at the passing level.

Current Status

The following table lists all ONAP projects that are working towards a badge and their % of completion.

<TODO insert the dashboard table here>

Procedure

The first step is to create a new project on the bestpractices website.

  1. Create an account at https://bestpractices.coreinfrastructure.org/ and log in.
  2. Click on the "Projects" icon at the top right.
  3. This page lists all the projects certified by CII, not just the ONAP projects. Click on the Add/Add new project button to add a new project.
  4. Enter the details of your project in the new screen and click "Submit URL".

Now you will be prompted with a set of questions and most of them are straightforward. You can refer to one of the existing projects to get an idea of what has to be filled in.


Common questions

In this section we address some of the questions that other users had.


Resources 

The following resources may be useful sources of information about CII badging:

  • CII Badging overview: https://bestpractices.coreinfrastructure.org/
  • Basic Criteria: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md
  • Higher Level Criteria: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md
  • Example: https://bestpractices.coreinfrastructure.org/projects/1/0
  • Further reading: https://wiki.onap.org/display/DW/ONAP+Beijing+Release+Developer+Forum%2C+Dec.+11-13%2C+2017%2C+Santa+Clara%2C+CA+US?preview=/16002054/20874916/ONAP-Security%20Sub-committee-pa2.pdf
  • CLAMP project CII: https://bestpractices.coreinfrastructure.org/projects/1197
  • Temporary reference dashboard: http://tlhansen.us/onap/cii.php
