...
Infrastructure (end of Cherry) | |||
Criteria | Result / Proof point | ||
---|---|---|---|
Identification | |||
What is the human-readable name of the project? | yes | O-RAN SC's Infrastructure RAN = Radio Access Network O-RAN = Open RAN SC = software community Infrastructure = Cloud based infrastructure | |
What is a brief description of the project? | yes | The INF(infrastructure) project provides open source reference implementation of Edge Cloud infrastructure according to the O-RAN WG6 specification to be used with the other O-RAN OSC projects such as O-CU, O-DU and in the future potential O-RU to create a complete reference implementation of the different O-RAN use case scenarios as defined by O-RAN Alliance work groups. The work in the INF project will following “Open Collaboration”, “Open Design”, “Open Development” and “Open Source”. | |
What is the URL for the project (as a whole)? | yes | Infrastructure Home | |
What is the URL for the version control repository (it may be the same as the project URL)? | yes | Multiple repositories in Linux Foundation Gerrit: https://gerrit.o-ran-sc.org/r/admin/repos/ | |
What programming language(s) are used to implement the project? | yes | Golang, Python | |
What is the Common Platform Enumeration (CPE) name for the project (if it has one)? | no | No CPE | |
Basic project website content | |||
The project website MUST succinctly describe what the software does (what problem does it solve? | yes | Infrastructure Home | |
The project website MUST provide information on how to: obtain, provide feedback (as bug reports or enhancements), and contribute to the software. | yes | obtain: from gerrit repos or from the OSC releases: Releases bugs: Tools (mailing list, JIRA, Gerrit) enhancements: Same JIRAS tool as for feature planning. contribute: See OSC guidelines: Project Developer Wiki | |
The information on how to contribute MUST explain the contribution process (e.g., are pull requests used?) (URL required) | yes | contribute: See OSC guidelines: Project Developer Wiki | |
The information on how to contribute SHOULD include the requirements for acceptable contributions (e.g., a reference to any required coding standard). (URL required) | no (fix-priority very-low) | yes | Code Style and contribution guidenot available. |
FLOSS license | |||
What license(s) is the project released under? | yes | Apache 2.0 | |
The software produced by the project MUST be released as FLOSS. | yes | Apache 2.0 | |
It is SUGGESTED that any required license(s) for the software produced by the project be approved by the Open Source Initiative (OSI). | yes | Apache 2.0 | |
The project MUST post the license(s) of its results in a standard location in their source repository. | yes | root dir of all repos included in the project | |
Documentation | |||
The project MUST provide basic documentation for the software produced by the project. | yes | https://docs.o-ran-sc.org/en/latest/projects.html#infrastructure-inf and other documentation under: https://docs.o-ran-sc.org/en/latest/projects.html | |
The project MUST provide reference documentation that describes the external interface (both input and output) of the software produced by the project. | yes | API and Interface | |
Other | |||
The project sites (website, repository, and download URLs) MUST support HTTPS using TLS. | yes | All support the HTTPS | |
The project MUST have one or more mechanisms for discussion (including proposed changes and issues) that are searchable, allow messages and topics to be addressed by URL, enable new people to participate in some of the discussions, and do not require client-side installation of proprietary software. | yes | Tools (mailing list, JIRA, Gerrit) | |
The project SHOULD provide documentation in English and be able to accept bug reports and comments about code in English. | yes | Tools (mailing list, JIRA, Gerrit) |
...
Infrastructure (end of Cherry) | ||
Criteria | Result / Proof point | |
---|---|---|
Working build system | ||
If the software produced by the project requires building for use, the project MUST provide a working build system that can automatically rebuild the software from source code. | yes | LF jenkins |
It is SUGGESTED that common tools be used for building the software. | yes | LF jenkins |
The project SHOULD be buildable using only FLOSS tools. | yes | |
Automated test suite | ||
The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project). | yes | Ex. make dryrun |
A test suite SHOULD be invocable in a standard way for that language. For example, "make check", "mvn test", or "rake test" (Ruby). | yes | scripts |
It is SUGGESTED that the test suite cover most (or ideally all) the code branches, input fields, and functionality. | yes | |
It is SUGGESTED that the project implement continuous integration (where new or changed code is frequently integrated into a central code repository and automated tests are run on the result). | yes | |
New functionality testing | ||
The project MUST have a general policy (formal or not) that as major new functionality is added to the software produced by the project, tests of that functionality should be added to an automated test suite. As long as a policy is in place, even by word of mouth, that says developers should add tests to the automated test suite for major new functionality, select "Met. | Met | Code Style and contribution guide |
The project MUST have evidence that the test_policy for adding tests has been adhered to in the most recent major changes to the software produced by the project. Major functionality would typically be mentioned in the release notes. Perfection is not required, merely evidence that tests are typically being added in practice to the automated test suite when new major functionality is added to the software produced by the project. | no (fix-priority high)Met | |
It is SUGGESTED that this policy on adding tests (see test_policy) be documented in the instructions for change proposals. However, even an informal rule is acceptable as long as the tests are being added in practice. | Met | Ex.Getting Start (Cherry verification on Dell R740) /Sample test processno (fix-priority medium) |
Warning flags | ||
The project MUST enable one or more compiler warning flags, a "safe" language mode, or use a separate "linter" tool to look for code quality errors or common simple mistakes, if there is at least one FLOSS tool that can implement this criterion in the selected language. | partial (fix-priority medium)yes | |
The project MUST address warnings. | yes | |
It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical. Some warnings cannot be effectively enabled on some projects. What is needed is evidence that the project is striving to enable warning flags where it can, so that errors are detected early. | yes | All test failures, notified issues/bugs and Sonar warnings are acted on promptly. Such issues are tracked using Jira and Gerrit (See above). |
...
Infrastructure (end of Cherry) | ||
Criteria | Result / Proof point | |
---|---|---|
Static code analysis | ||
At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language. | yes | Sonar |
It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment. | yes | |
All medium and higher severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed. | yes | All reports are acted upon continuously. |
It is SUGGESTED that static source code analysis occur on every commit or at least daily. | yes | |
Dynamic code analysis | ||
It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. | yes | code coverage tool |
It is SUGGESTED that if the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites. If the project does not produce software written in a memory-unsafe language, choose "not applicable" (N/A).no (fix-priority low) | N/A | |
It is SUGGESTED that the software produced by the project include many run-time assertions that are checked during dynamic analysis. | no (fix-priority low)Unmet | |
All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed. | yet | Currently no exploitable vulnerabilities to our knowledge. If it has, will address it asap. |
...