Projects that follow the best practices below can voluntarily self-certify and show that they have achieved a Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/1614"><img src="https://www.bestpractices.dev/projects/1614/badge"></a>
POLICY is the subsystem of ONAP that maintains, distributes, and operates on the set of rules that underlie ONAP’s control, orchestration, and management functions.
POLICY provides a logically centralized environment for the creation and management of policies, including conditional rules. This provides the capability to create and validate policies/rules, identify overlaps, resolve conflicts, and derive additional policies as needed.
Policies are used to control, influence, and help ensure compliance with goals. Policies can support infrastructure, products and services, operation automation, and security. Users, including network and service designers, operations engineers, and security experts, can easily create, change, and manage policy rules from the POLICY Manager in the ONAP Portal.
A policy is defined to create a condition, requirement, constraint, decision, or need that must be provided, evaluated, maintained, and/or enforced. The policy is validated and corrected for any conflicts, then placed in the appropriate repository and made available for use by other subsystems and components. Alternatively, some policies are distributed directly to policy decision engines such as Drools or XACML. In this manner, the constraints, decisions, and actions to be taken are distributed.
All 5 project committers actively contribute to the codebase. Details on the committers are stored in the INFO.yaml file of each repository. For example: https://gerrit.onap.org/r/gitweb?p=policy/parent.git;a=blob;f=INFO.yaml;hb=refs/heads/master
Key developers contributing to Policy Framework from different organizations are listed below:
https://gerrit.onap.org/r/q/owner:ajinkya-patil%2540t-systems.com
https://gerrit.onap.org/r/q/owner:wayne.dunican%2540est.tech
https://gerrit.onap.org/r/q/owner:francesco.fiora%2540est.tech
https://gerrit.onap.org/r/q/owner:adam.kenihan%2540est.tech
https://gerrit.onap.org/r/q/owner:saul.gill%2540est.tech
ONAP requires, via its CI/CD process, that a license/copyright header be present on every source file, or that a single license file be placed at the top of a directory structure.
ONAP requires, via its CI/CD process, that a license/copyright header be present on every source file, or that a single license file be placed at the top of a directory structure. An SPDX-License-Identifier is included. Examples:
https://github.com/onap/policy-clamp/blob/master/common/src/main/java/org/onap/policy/clamp/common/acm/exception/AutomationCompositionException.java
https://github.com/onap/policy-api/blob/master/main/src/main/java/org/onap/policy/api/main/service/PdpGroupService.java
Git and Gerrit are used.
https://lf-onap.atlassian.net/jira/software/c/projects/POLICY/issues?jql=project%20%3D%20%22POLICY%22%20ORDER%20BY%20created%20DESC
LF requires a Linux Foundation ID for accessing repos. An LF ID requires 2FA.
2FA for the LF ID uses an authenticator app.
The code review process is outlined at https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16230137/Code+Review.
Per https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16230137/Code+Review, self-commits are not allowed.
https://jenkins.onap.org/view/policy/job/policy-drools-pdp-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-drools-applications-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-docker-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-distribution-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-common-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-clamp-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-api-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-apex-pdp-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-pap-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-parent-master-merge-java/
https://jenkins.onap.org/view/policy/job/policy-models-master-merge-java/
Tests can be run with the command "mvn test". Our documentation for developers is here: https://docs.onap.org/projects/onap-policy-parent/en/latest/development/devtools/devtools.html#building-onap-policy-framework-components Robot Framework tests are invoked using the standard Robot methodology and are also triggered by Jenkins build jobs: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16230125/Continuous+Integration
For each pull request, the project must build successfully before the Merge option becomes active. The tests run automatically as part of the build. Once the build succeeds and all tests have passed, the Merge option is activated. Code inspection by reviewers must also pass. The Policy builds are located here: https://jenkins.onap.org/view/policy/
Sonar scans run daily. All the Policy components have statement coverage over 90% in Sonar. https://sonarcloud.io/organizations/onap/projects?sort=maintainability&search=policy-
Sonar scans run daily. All the Policy components have branch coverage over 80% in Sonar. https://sonarcloud.io/organizations/onap/projects?sort=maintainability&search=policy-
The project supports secure TLS and HTTPS in these applications. Plain HTTP is allowed only through the service mesh.
The products support TLS version 1.2.
We have an A rating from securityheaders.com for the project website, repository, and download site. Policy is hosted on GitHub, which is protected with hardening headers. Download site: https://nexus3.onap.org/ Project repository: https://github.com/onap?q=policy&type=all&language=&sort= Project website: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16230647/Policy+Framework+Project
// One or more of the required security hardening headers is missing.
Policy Framework had a security review in Sep 2023: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16519988/PF+-+ONAP+Security+Review+Questionnaire
We had a second review for the new component opa-pdp in May 2025: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/157417605/OPA-PDP+Security+review
The project uses hardening mechanisms whenever possible. The application uses Swagger for its RESTful API, configured so that Authorization headers are required to access the API documentation. Policy Framework as a production service must be installed using the OOM Helm charts, which use Service Mesh and follow the required user privilege model for network and file system access. In these deployments, K8s secrets are generated and stored as the application is deployed. The user has the option to provide a username/password to the Helm chart; in this case a Kubernetes secret is generated by the chart and used for authentication. Any unused functionality, service (as a whole or as a REST API), or credential is reviewed and removed from the base code. https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16519988/PF+-+ONAP+Security+Review+Questionnaire
The project runs Sonar against the code on every code review. JMeter is also used to analyze performance and application behavior under load. Observability is available through Prometheus metrics in the runtime applications.
Example: https://jenkins.onap.org/job/policy-api-sonar-verify/ JMeter analysis: https://docs.onap.org/projects/onap-policy-parent/en/latest/development/devtools/testing/s3p/api-s3p.html
The project validates Prometheus metrics in the integration tests as runtime assertions: https://jenkins.onap.org/job/policy-api-master-project-csit-api/1829/robot/Api-Test%20&%20Api-Slas/Api-Slas/