...
| near-RT RIC (end of Cherry) | |||
| Criteria | Result / Proof point / Notes | ||
|---|---|---|---|
Static code analysis | |||
| At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language. | yes | Sonar | |
| It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment. | partial (fix-priority medium) | TODO-check container build system | Governance 2021-02-17 . Fix all the vulnerabilities from Sonar scan report |
| All medium and higher severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed. | partial (fix-priority medium) | Governance[ 2/17/2021]2021-02-17 Fix all the vulnerabilities from Sonar scan report | |
| It is SUGGESTED that static source code analysis occur on every commit or at least daily. | partial (fix-priority high) | Technical [2/17/2021] 2021-02-17 Consider components not using Sonar | |
Dynamic code analysis | |||
| It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. | no | code coverage tool 2021-02-17: changed from no to yes after better understanding what tools are meant. | |
| It is SUGGESTED that if the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites. If the project does not produce software written in a memory-unsafe language, choose "not applicable" (N/A). | no (fix-priority low) | Governance 2021-02-17 Not to be picked of now | |
| It is SUGGESTED that the software produced by the project include many run-time assertions that are checked during dynamic analysis. | no (fix-priority low) | Governance 2021-02-17 Not to be picked as of now | |
| All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed. | no (fix-priority low) | Governance,Technical [2/17/2021]2021-02-17
| |
...