NONRTRIC - Q1 2021
Criteria | Result | Proof point

Static code analysis

Criteria: At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language.
Result: Met

Criteria: It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment.
Result: Met
Criteria: All medium and higher severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed.
Result: Met
Proof point: Sonar. All reports are acted upon continuously.

Criteria: It is SUGGESTED that static source code analysis occur on every commit or at least daily.
Result: Met (TBC)
Proof point: Sonar is used in the development environment and is automatically triggered by Jenkins during the CI/CD process (at least weekly).

Dynamic code analysis

Criteria: It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release.
Result: TBC

Criteria: It is SUGGESTED that if the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites. If the project does not produce software written in a memory-unsafe language, choose "not applicable" (N/A).
Result: N/A
Proof point: Java and Python are used.

Criteria: It is SUGGESTED that the software produced by the project include many run-time assertions that are checked during dynamic analysis.
Result: Met
Proof point:

Test-level assertions are checked in tests.
All runtime failing assertions/exceptions are caught and logged.
Any error/exception appearing in test logs or reported by users is assessed in a timely manner.

Criteria: All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.
Result: Met
Proof point: No exploitable vulnerabilities to our knowledge.
