ONAP Model Loader

All major releases are tagged in gerrit and the artifacts are stored with the release information on onap.nexus. So we can access all old versions of the artifact. If and when a upgrade requires certain steps to be followed they are being added to the release documents as needed

Jira is used to track issues. https://jira.onap.org/projects/AAI/issues/AAI-671?filter=allopenissues

Vulnerabilities can be reported using the link https://wiki.onap.org/pages/viewpage.action?pageId=6591711 Currently we dont have any vulnerabilities reported, but the wiki page explains on how to report a vulnerability and how to report anonymously if you do not want the credit for it.

Vulnerability handling is documented in https://wiki.onap.org/pages/viewpage.action?pageId=6591711

Google coding style is used in ONAP https://github.com/google/styleguide

maven-checkstyle-plugin

The application does not create native binaries.

The application does not create native binaries.

The application does not create native binaries.

All releases are tagged in gerrit(git), and the builds are controlled using jenkins. By providing the git tag information the same image can be build over and over again with same bit-for-bit result.

The applications can be installed either using Docker via HEAT, or Kubernetes via Helm scripts.

Docker containers are used for installation, so the conventions of the host operating system are not relevant.

All the components require only java and maven to begin with for a developer to quickly install and test it. Even for deployment using OOM and the right amount of resources, we can deploy the full AAI/ONAP suite in less than a day. The steps are documented in https://onap.readthedocs.io/en/latest/submodules/oom.git/docs/oom_quickstart_guide.html

We use sonatype CLM https://nexus-iq.wl.linuxfoundation.org/ and https://sonar.onap.org

Maven is used to manage external component versions, and the automated Jenkins build jobs will ensure the deployable artifacts are up to date with the maven changes.

Updating an external component simply involves making an update to the pom.xml file for that project.

We choose free open source solutions in every case and choose up-to-date versions of the components.

https://jenkins.onap.org - on every commit, a verification job runs which runs an automated test suite. The code check in cannot pass with out jenkins posting a +1 on the review.

We add tests in these cases.

Contributing guide lines for development is recorded in https://wiki.onap.org/display/DW/Development+Procedures+and+Policies

This is documented on our wiki: https://wiki.onap.org/display/DW/Code+Coverage+and+Static+Code+Analysis

Build systems run the compile with test flag enabled by default. So any failure in test cases will fail the ci and the merge request.

AAI strives to implement secure design principles. We encrypt data where possible, and run security scans on the code and its dependencies.

We disallow SHA-1 or other insecure cryptographic algorithms.

We support mutiple cryptographic algorithms.

Credentials are separate and can be replaced without code compilation.

We use ssh2 internal to the cluster and TLS1.2+ for the external interfaces.

We only allow TLS1.2+

We perform certificate verfication.

We support TLS certification verification before exchange of private information.

The project strives to validate all input

SonarQube is run. https://sonar.onap.org/dashboard?id=org.onap.aai.model-loader%3Amodel-loader

The project does not produce software written in a memory-unsafe language