ONAP Integration performs 6 security tests on all ONAP pods. 100% passing is required for the release. The 6 tests are:
Pods that require the features of any of these tests must file an exception. A non-compliance with an exception is not considered a failure. Exceptions must be filed for each release because they are not carried over to newer releases.
To file an exception, the project team must submit the waiver to the correct exception file in the integration/waivers repo.
Test | Waiver File |
---|---|
root_pod | root_pods |
nonssl_endpoints | nonssl_endpoints |
kube_hunter | |
jdpw_ports | jdwp_ports |
unlimited_pods | unlimitted_pods |
versions | versions |
Format of exception request:
Using the Gerrit approval process, SECCOM will review and approve or deny all requests. In some cases, review and approval may include the TSC.
DCAE request for Istanbul exceptions.
Commit Message:
Parent: cc950e68 ([ADMIN] Update and clean Integration committer list)
Author: vv770d <vv770d@att.com>
AuthorDate: 2021-07-29 15:32:54 +0000
Commit: vv770d <vv770d@att.com>
CommitDate: 2021-07-29 15:37:34 +0000

DCAE security exceptions for Istanbul

ROOT dcae-cloudify has upstream base image dependency to run as root. Once DCAE transformation to helm is completed, this container will be deprecated (target J release)

Java8 exceptions for MOD/NiFI components (upstream NiFi project still on java8)

Exceptions approved by SECCOM on 06/29/21 meeting

Change-Id: I9de0d51fc526c910ffad202df16e967c716e9ab0
Signed-off-by: Vijay Venkatesh Kumar <vv770d@att.com>
Issue-ID: DCAEGEN2-2736
Issue-ID: DCAEGEN2-2424
waivers/root_pods/root_pods_xfail.txt
# Expected failure list for rooted ports # Unmaintained but still needed components # waivers requested already since Guilin but no progress dcae-cloudify # DCAEGEN2-2424 # Upstream components cassandra # OOM-2552 awx # used for use cases netbox # used for use cases multicloud-fcaps # rabbit-mq # Testing components robot # use for test cases + refactoring planned in Istanbul INT-1716 |
waivers/versions/versions_xfail.txt
# Waiver for versions test # all the following docker images shall be excluded from the version scanning #dcae exceptions nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2 nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2 nexus3.onap.org:10001/onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2 apache/nifi-registry:0.5.0 |
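Review bot: in waivers/root_pods/root_pods_xfail.txt the dcae-cloudify entry carries only "# DCAEGEN2-2424", while the reason and the expiry condition (upstream base image runs as root, deprecation targeted for the J release) appear only in the commit message. Put both in the comment beside the entry so the next release's reviewer can see when the waiver should lapse. In the same file, multicloud-fcaps and rabbit-mq end in an empty "#" with no reason or issue ID, and the header comment says "rooted ports" where the file lists root pods.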
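Review bot: in waivers/versions/versions_xfail.txt the four image entries under "#dcae exceptions" have no reason or issue ID next to them. The commit message explains them (MOD/NiFi components, upstream NiFi still on Java 8), so copy that explanation and the tracking issue into the comment, the way root_pods_xfail.txt annotates each entry. The entries also name exact tags (1.0.2, 0.5.0); state in the comment whether the waiver is meant to cover only those tags, since exceptions have to be re-filed for each release.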