Note: WIP 

This document outlines the checks each project must make before being included in an official OPNFV release.

All mandatory checks must be performed by all projects to be accepted for release inclusion. It is up to the project to perform these checks with adequate time to fix / resolve findings, prior to release deadlines.

Each check will also be performed by a member of the Infra-WG, who will then inform the release manager which projects have passed or failed. Projects should not rely on the Infra-WG's checks as an early warning of issues that will affect the release of their project; that would not leave adequate time to fix them.

Should a waiver be required, this would first need consent of the Infra-WG and the release manager.

Release Process (draft)

  • MS7 - all security issues identified and documented in JIRA
    • Must be assigned to the current release using the "fix version" field
    • Must have the designated security tag (common for all projects)
    • Confirmation from security/infra working group that all known issues are documented
  • MS8 - all security issues documented in JIRA have been closed
    • Probably need some sort of exception process

Mandatory checks

Each mandatory check must be performed early enough to allow you to resolve any issues prior to release.

If the check is left to the Infra-WG and issues are found, there may not be time to fix and resolve them before release. This would result in your project not being included in the release.

Check #1: Ensure libraries do not contain modules / libs with known security risks.

All dependencies used by your software should be free from reported CVEs.

Tools to perform a scan are listed below.

Python (safety)

https://pyup.io/safety/
Installation
pip install safety
Usage

From within the root of your project, run:

safety check

Errors will be reported as follows:

safety check
╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              \______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 17 packages, using default DB                                        │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ insecure-package           │ 0.1.0     │ <0.2.0                   │ 25853    │
╘══════════════════════════════════════════════════════════════════════════════╛

 

Java (OWASP Dependency Check)

Download the latest version of the tool

Unzip the archive

Run the dependency check script

./dependency-check.sh --project sandbox --out . --scan /home/luke/repos/opnfv/sandbox 

Ruby (Bundler Audit)

Bundler audit can be installed as a gem

gem install bundler-audit

After installation, run:

bundle audit
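As an added example (not from this page, nor from safety, Dependency Check or bundler-audit), the comparison that such a scan performs, reduced to its essentials: a pinned requirements list is matched against an advisory database of affected version ranges, every match is reported with its advisory ID, and a non-zero exit code lets a CI job fail the build. The advisory database and the requirements content are constructed inline; the single advisory entry mirrors the sample finding shown in the safety output above.

```python
"""Added example, not from the OPNFV page or the safety tool: a minimal
dependency-vs-advisory matcher showing the comparison a scan such as
`safety check` performs. The advisory database and the requirements list
are constructed inline; the one advisory mirrors the sample finding above."""
import re

# Constructed advisory DB: package -> list of (affected version specifier, ID).
ADVISORIES = {
    "insecure-package": [("<0.2.0", "25853")],
}

# Constructed requirements.txt for a hypothetical project.
REQUIREMENTS = """\
# pinned dependencies (constructed sample)
insecure-package==0.1.0
requests==2.18.4
"""

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'1.2' -> (1, 2, 0): numeric parts, padded to three so '1.2' == '1.2.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_affected(installed, spec):
    """True if `installed` satisfies every clause of a spec such as '>=1.0,<1.2'."""
    inst = parse_version(installed)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, ver = m.groups()
        if not _OPS[op](inst, parse_version(ver)):
            return False
    return True


def parse_requirements(text):
    """Yield (name, version) for 'name==version' lines; comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)", line)
        if m:
            yield m.group(1).lower(), m.group(2)


def scan(requirements_text, advisories=ADVISORIES):
    """Return (package, installed, affected, ID) for every pinned package
    whose version falls inside an advisory's affected range."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for spec, adv_id in advisories.get(name, []):
            if version_affected(version, spec):
                findings.append((name, version, spec, adv_id))
    return findings


if __name__ == "__main__":
    found = scan(REQUIREMENTS)
    for pkg, inst, spec, adv_id in found:
        print("%-20s %-8s affected %-10s ID %s" % (pkg, inst, spec, adv_id))
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

Run against the constructed requirements this reports insecure-package 0.1.0 as affected by advisory 25853 and exits 1; with the pin raised to 0.2.0 it reports nothing and exits 0, which is the behaviour a release gate needs from the real tools listed above.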

 

Check #2: Ensure any artefacts used are hosted internally and that an integrity check is performed.

Artefacts refer to any objects retrieved by your project, including:

  • Virtual machine images: ISO, QCOW2, VDI, VMDK, VHD, etc.
  • File archives: .tar, .tar.gz, .bz, .zip, .cpio, etc.
  • OS packages: .rpm, .deb
  • Scripts: any shell, Python or Ruby script
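A worked example of this check, added here and not taken from the page or from any OPNFV tool: before an artefact is used, its source URL must be on an allowlist of internally hosted servers, and the downloaded bytes must match a SHA-256 recorded with the build. The hostnames, the artefact URL and the payload are constructed placeholders, and the network is replaced by an in-memory stand-in so the script runs offline.

```python
"""Added example, not the OPNFV page's own tooling: accept an artefact only
from an approved internal host and only if its SHA-256 matches the value
recorded with the build. Hostnames, URLs and payloads below are constructed."""
import hashlib
import hmac
import io
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed allowlist of internally hosted artefact servers (placeholders).
ALLOWED_HOSTS = {"artifacts.internal.example", "mirror.internal.example"}

# Constructed stand-in for the network: one hypothetical artefact and its bytes.
CONSTRUCTED_FILES = {
    "https://artifacts.internal.example/images/sandbox.qcow2": b"abc",
}
# SHA-256 of b"abc" (standard test vector), as it would be recorded with the build.
CONSTRUCTED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def constructed_opener(url):
    """Offline replacement for urlopen(): serves CONSTRUCTED_FILES from memory."""
    return io.BytesIO(CONSTRUCTED_FILES[url])


def is_internal_source(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is on the internal allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data, expected_hex):
    """Compare the computed digest with the recorded one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch_artefact(url, expected_hex, opener=urlopen):
    """Return the artefact bytes, or raise if the source or checksum fails policy.

    `opener` is injectable so the logic can be exercised without network access;
    in a real build it is left at its default (urllib's urlopen).
    """
    if not is_internal_source(url):
        raise ValueError("refusing artefact from non-internal source: %s" % url)
    with opener(url) as resp:
        data = resp.read()
    if not verify_sha256(data, expected_hex):
        raise ValueError("SHA-256 mismatch for %s; artefact discarded" % url)
    return data


if __name__ == "__main__":
    url = "https://artifacts.internal.example/images/sandbox.qcow2"
    payload = fetch_artefact(url, CONSTRUCTED_SHA256, opener=constructed_opener)
    print("fetched %d bytes, integrity verified" % len(payload))
```

The expected hash should come from a checksum file committed with the project, not from the same server that serves the artefact; otherwise a compromised or substituted host can supply a matching hash along with a modified file, and the check proves nothing.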

Check #3: Ensure releng-anteater reports no issues when performing a complete scan

 

pip install anteater

Download the anteater config file and your project's exception file:

wget https://git.opnfv.org/releng-anteater/plain/anteater.conf

mkdir exceptions; cd exceptions

wget https://git.opnfv.org/releng-anteater/plain/exceptions/sandbox.yaml

Run anteater:

anteater anteater --project sandbox --path /path/to/sandbox

Recommended checks

Check #4: User-based GitHub repos

Avoid cloning repositories from individual GitHub users. This is a recommended rather than a mandatory check, as it is not pragmatic to mandate it. It should still be considered, though, as an individual user's account could be compromised and the repository backdoored.
