Note: WIP
This document outlines the checks each project must make before being included in an official OPNFV release.
All mandatory checks must be performed by all projects to be accepted for release inclusion. It is up to the project to perform these checks with adequate time to fix / resolve findings, prior to release deadlines.
Each check will also be performed by a member of the Infra-WG, who will then inform the release manager about which projects have passed or failed. Projects should not rely on the checks performed by the Infra-WG as a means of early warning about issues that will affect the release of their project; by then there will not be adequate time to fix them.
Should a waiver be required, this would first need consent of the Infra-WG and the release manager.
Release Process (draft)
- MS7 - all security issues identified and documented in JIRA
  - Must be assigned to the current release using the "fix version" field
  - Must have the designated security tag (common for all projects)
  - Confirmation from security/infra working group that all known issues are documented
- MS8 - all security issues documented in JIRA have been closed
  - Probably need some sort of exception process
Mandatory checks
Each mandatory check must be performed within a time frame to allow you to resolve any issues prior to release.
If the check is left to the Infra-WG and issues are found, there may not be time to fix and resolve them before release. This would result in your project not being included in the release.
Check #1: Ensure libraries do not contain modules / libs with known security risks.
All dependencies used by your software should be free from reported CVEs.
Tools to perform a scan are listed below.
Python (safety)
https://pyup.io/safety/
Installation
pip install safety
Usage
From within the root of your project, run:
safety check
Errors will be reported as follows:
safety check
REPORT
checked 17 packages, using default DB
package            installed   affected   ID
insecure-package   0.1.0       <0.2.0     25853
Java (OWASP Dependency Check)
Download the latest version of the tool
Unzip the archive
Run the dependency check script
./dependency-check.sh --project sandbox --out . --scan /home/luke/repos/opnfv/sandbox
Ruby (Bundler Audit)
Bundler audit can be installed as a gem
gem install bundler-audit
After installation, simply run:
bundle audit
Check #2 Ensure any artefacts used are hosted internally and an integrity check occurs.
Artefacts refer to any objects which are retrieved by your project, including:
Virtual Machine Images: ISO, QCOW2, VDI, VMDK, VHD ..etc.
File archives: .tar, .tar.gz, .bz, .zip, .cpio ..etc.
OS Packages: .rpm, .deb
Scripts: any shell, Python or Ruby script
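One way a project could apply this check in its own build scripts, as an added example that is not part of this page or of the OPNFV releng tooling: only fetch from an allow-listed internal host, and pin the artefact's SHA-256 in the repository so a modified download is deleted rather than used. The host names, mirror URL and digest below are assumptions.

```shell
#!/bin/sh
# Added example (not OPNFV releng code): fetch a release artefact from an
# internal mirror and refuse to use it unless its SHA-256 matches a digest
# pinned in the project repository. ALLOWED_HOSTS is an assumed value.
ALLOWED_HOSTS="artifacts.example.internal mirror.example.internal"

# url_host URL -> prints the host part of an http(s) URL (port/path removed)
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# host_allowed URL -> 0 if the URL's host is in ALLOWED_HOSTS, 1 otherwise
host_allowed() {
    h=$(url_host "$1")
    for a in $ALLOWED_HOSTS; do
        if [ "$h" = "$a" ]; then
            return 0
        fi
    done
    return 1
}

# verify_artifact FILE EXPECTED_SHA256 -> 0 on match; on mismatch the file is
# deleted so a tampered or corrupt artefact cannot be used by accident
verify_artifact() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "integrity check failed for $1: got $actual, expected $2" >&2
        rm -f "$1"
        return 1
    fi
    return 0
}

# fetch_artifact URL DEST EXPECTED_SHA256 -> download only from an allowed
# internal host, then verify the digest before reporting success
fetch_artifact() {
    if ! host_allowed "$1"; then
        echo "refusing to fetch $1: host is not an internal mirror" >&2
        return 1
    fi
    curl -fsSL -o "$2" "$1" || return 1
    verify_artifact "$2" "$3"
}

# Usage (constructed URL and digest; the real digest would be committed to git,
# e.g. in a sha256sums file next to the build script):
# fetch_artifact https://artifacts.example.internal/images/base.qcow2 \
#     base.qcow2 <pinned-sha256>
```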
Check #3 Ensure releng-anteater is not reporting any issues by performing a complete scan
pip install anteater
Download a config and project exception file
wget https://git.opnfv.org/releng-anteater/plain/anteater.conf
mkdir exceptions; cd exceptions
wget https://git.opnfv.org/releng-anteater/plain/exceptions/sandbox.yaml
Run anteater
anteater anteater --project sandbox --path /path/to/sandbox
Recommended checks
Check #4 User-based GitHub repos
Avoid cloning repositories from individual GitHub users. This is a recommended check, as it is not pragmatic to make it mandatory. It should still be considered, though, as the user's account could be compromised and the repository backdoored.