Configuration Persistence Service (CPS)

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your badge status on your project page! The badge status looks like this: Badge level for project 4398 is gold Here is how to embed it:
You can show your badge status by embedding this in your markdown file:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/4398/badge)](https://www.bestpractices.dev/projects/4398)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/4398"><img src="https://www.bestpractices.dev/projects/4398/badge"></a>


These are the Gold level criteria. You can also view the Passing or Silver level criteria.

        

 Basics 5/5

 Change Control 4/4

  • Public version-controlled source repository


    The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed]
    Git is not specifically required and projects can use centralized version control software (such as subversion) with justification.

    Github is used as the projects source repository. Repo links as shared below: • https://github.com/onap/cpshttps://github.com/onap/cps-cps-temporalhttps://github.com/onap/cps-ncmp-dmi-pluginhttps://github.com/onap/cps-cps-tbdmt



    The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]
    This identification is typically done by marking selected issues in an issue tracker with one or more tags the project uses for the purpose, e.g., up-for-grabs, first-timers-only, "Small fix", microtask, or IdealFirstBug. These new tasks need not involve adding functionality; they can be improving documentation, adding test cases, or anything else that aids the project and helps the contributor understand more about the project.

    The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA]

    2FA Authentication is enabled for merging in GERRIT for all ONAP



    The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA]
    A 2FA mechanism that meets this criterion would be a Time-based One-Time Password (TOTP) application that automatically generates an authentication code that changes after a certain period of time. Note that GitHub supports TOTP.

    2FA Authentication is enabled for merging in GERRIT for all ONAP


 Quality 7/7

  • Coding standards


    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]
    See also two_person_review and contribution_requirements.

    The Onap specifications for code review is used in CPS . It is ensured that there are atleast 2 +1s from unassociated significant contributors and committers before the code is merged. • https://wiki.onap.org/display/DW/Committer+Best+Practices#CommitterBestPractices-BestPractices



    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review]

    The Onap specifications for code review is used in CPS . It is ensured that there are atleast 2 +1s from unassociated significant contributors and committers other that the person who has raised the review before the code is merged. • https://wiki.onap.org/display/DW/Committer+Best+Practices#CommitterBestPractices-BestPractices


  • Working build system


    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]
    A reproducible build means that multiple parties can independently redo the process of generating information from source files and get exactly the same bit-for-bit result. In some cases, this can be resolved by forcing some sort order. JavaScript developers may consider using npm shrinkwrap and webpack OccurenceOrderPlugin. GCC and clang users may find the -frandom-seed option useful. The build environment (including the toolset) can often be defined for external parties by specifying the cryptographic hash of a specific container or virtual machine that they can use for rebuilding. The reproducible builds project has documentation on how to do this.
  • Automated test suite


    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]
    For example, "make check", "mvn test", or "rake test" (Ruby).

    Unit testing is covered using Groovy and spock tests. These can be executed using mvn test. CSIT tests are included in the application for Integration testing. These tests are using ROBOT framework. • https://github.com/onap/cps/tree/master/csit



    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]
    In most cases this means that each developer who works full-time on the project integrates at least daily.

    CI-CD jobs are incorporated to ensure that all the jobs are executed including verification, SONAR and merge. This link will list all the jobs included for CPS projects. • https://jenkins.onap.org/view/cps/



    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    CSIT Integration test suite is included to test all the REST apis that are developed in CPS . Example : • https://github.com/onap/cps/tree/master/csit The coverage check is tested reported using Jacoco coverage in the sonar • https://sonarcloud.io/component_measures?id=onap_cps&metric=coverage&view=listhttps://sonarcloud.io/component_measures?id=onap_cps-cps-temporal&metric=coverage&view=list



    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

    Test suites covers the entire code in the branch except for the Unit tests and CSIT Integration tests.


 Security 5/5

  • Use basic good cryptographic practices

    Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of Understanding Open Source Technology & US Export Controls.

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). [crypto_used_network]


    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

  • Secured delivery against man-in-the-middle (MITM) attacks


    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]
    Note that GitHub and GitLab are known to meet this. Sites such as https://securityheaders.com/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), and X-Frame-Options. Fully static web sites with no ability to log in via the web pages could omit some hardening headers with less risk, but there's no reliable way to detect such sites, so we require these headers even if they are fully static sites.

    CPS uses Github as the central repository. Verified CPS(https://github.com/onap?q=cps) using the site specified : https://securityheaders.com/ Found all required security hardening headers. // All headers set with non permissive values HTTP Strict Transport Security (HSTS) : max-age=31536000; includeSubdomains; preload X-Content-Type-Options : nosniff X-Frame-Options : deny


  • Other security issues


    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
    This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.

    ONAP runs nexus IQ report once every release to ensure the security requirements are met https://jenkins.onap.org/view/cps/job/cps-maven-clm-master/

    CPS has finalized the security review questionnaire and has been reviewed by the SECCOM committee. See https://wiki.onap.org/display/DW/CPS+-+ONAP+Security+Review+Questionnaire



    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]
    Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

    CPS exposes restful APIs to be used by other services and does not own a GUI. All services are required to authenticate themselves while using the CPS apis. CPS includes security fixes in the software lifecycle. CPS does not have a UI and does not use javascript The application uses Swagger for RESTful API, wherein it is set that Authorization headers are required for accessing API documentation. When CPS is run with docker, the services use usernames and passwords that are stored as environment variables. CPS uses K8s secrets which are generated and stored as the application is deployed. CPS is compliant and compatible with the ongoing service mesh implementation (see https://gerrit.onap.org/r/c/oom/+/124287) for ONAP.

    see https://wiki.onap.org/display/DW/CPS+-+ONAP+Security+Review+Questionnaire#CPSONAPSecurityReviewQuestionnaire-Hardening


 Analysis 2/2

  • Dynamic code analysis


    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. [dynamic_analysis]
    A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

    CPS has a project set up with ONAP Sonarcloud for analysis, see https://sonarcloud.io/component_measures?metric=coverage&view=treemap&id=onap_cps wherein a minimum of 97% code coverage is always maintained by the team. CPS also uses the SonarQube Scanner for Maven which uses the JaCoCo plugin to generate code coverage reports during the build process and track code coverage during run-time.



    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]
    This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

    Instead of run-time assertions, pre-run assertions are included where all the tests including the Integration tests are executed. Only after the successful pre-run tests, the projects are released and deployed on production. CPS uses Groovy for all unit and integration testing which is compiled and executed at runtime. CPS uses its capability to perform runtime assertions, see the following example https://gerrit.onap.org/r/gitweb?p=cps.git;a=blob;f=cps-ncmp-service/src/test/groovy/org/onap/cps/ncmp/api/impl/operations/DmiDataOperationsSpec.groovy;h=03825c2bbf34398df77a0028ee0825e96f5a5fbb;hb=3d97a963ce51c4f0ecdb656a3b25bcabf2f6f8b7



This data is available under the Creative Commons Attribution version 3.0 or later license (CC-BY-3.0+). All are free to share and adapt the data, but must give appropriate credit. Please credit aditya and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: aditya.
Entry created on 2020-11-06 15:16:30 UTC, last updated on 2023-11-06 20:25:48 UTC. Last lost passing badge on 2021-07-15 11:20:34 UTC. Last achieved passing badge on 2021-07-26 15:12:53 UTC.

Back