ORAN SC: OSC Non-RealTime RIC (NONRTRIC)

遵循以下最佳实践的项目将能够自愿的自我认证,并显示他们已经实现了核心基础设施计划(OpenSSF)徽章。

如果这是您的项目,请在您的项目页面上显示您的徽章状态!徽章状态如下所示: 项目4611的徽章级别为passing 这里是如何嵌入它:

这些是通过级别条款。您还可以查看白银黄金级别条款。

        

 基本 13/13

  • 识别

    The Non-RealTime RIC (RAN Intelligent Controller) is an Orchestration and Automation function described by the O-RAN Alliance for non-real-time intelligent management of RAN (Radio Access Network) functions. The primary goal of the NONRTRIC is to support non-real-time radio resource management, higher layer procedure optimization, policy optimization in RAN, and providing guidance, parameters, policies and AI/ML models to support the operation of near-RealTime RIC functions in the RAN to achieve higher-level non-real-time objectives. NONRTRIC functions include service and policy management, RAN analytics and model-training for the near-RealTime RICs. The non-RealTime RIC project provides concepts, architecture and reference implementations as defined and described by the O-RAN Alliance architecture.

    用什么编程语言实现项目?
  • 基本项目网站内容


    项目网站必须简明扼要地描述软件的作用(它解决了什么问题?)。 [description_good]

    项目网站必须提供有关如何获取和提供反馈(错误报告或增强功能)以及如何贡献的信息。 [interact]

    关于如何贡献的信息必须解释贡献流程(例如,是否使用拉请求?) (需要网址) [contribution]

    关于如何贡献的信息应包括对可接受的贡献的要求(例如,引用任何所需的编码标准)。 (需要网址) [contribution_requirements]
  • FLOSS许可证

    项目使用什么许可证发布?



    项目生产的软件必须作为FLOSS发布。 [floss_license]

    apache 2.0 The Apache-2.0 license is approved by the Open Source Initiative (OSI).



    建议由项目生成的软件的任何必需的许可证是由开放源码促进会(OSI)批准的许可证(英文)[floss_license_osi]

    The Apache-2.0 license is approved by the Open Source Initiative (OSI).



    项目必须将其许可证在其源代码存储库中的标准位置发布。 (需要网址) [license_location]
  • 文档


    项目必须为项目生成的软件提供基本文档。 [documentation_basics]

    项目必须提供描述项目生成的软件的外部接口(输入和输出)的参考文档。 [documentation_interface]
  • 其他


    项目网站(网站,存储库和下载URL)必须使用TLS支持HTTPS。 [sites_https]

    All support HTTPS



    该项目必须有一个或多个讨论机制(包括建议的更改和问题),可搜索,允许通过URL访问消息和主题,使新人能够参与一些讨论,并且不需要客户端安装专有软件。 [discussion]

    项目应该提供英文文档,并能够接受英文的代码的错误报告和评论。 [english]

    All documentation in English Bugs/Feedback etc accepted by:  Email List: OSC "discuss" mailing list: https://lists.o-ran-sc.org/g/discuss: discuss@lists.o-ran-sc.org  Please use hashtag #nonrtric JIRA: https://jira.o-ran-sc.org/projects/NONRTRIC/issues OSC Guidelines: https://wiki.o-ran-sc.org/display/ORAN/Reporting+Bugs



    必须维护该项目。 [maintained]


(高级)哪些用户还有额外权限编辑此徽章条目?目前:[9959]



  • 错误报告流程


    项目必须为用户提交错误报告(例如,使用问题跟踪器或邮件列表)提供相关流程。 (需要网址) [report_process]

    Wiki: https://wiki.o-ran-sc.org/pages/viewpage.action?pageId=20877888

    Bugs/Feedback etc accepted by: 
        Email List:
            OSC "discuss" mailing list: https://lists.o-ran-sc.org/g/discuss: discuss@lists.o-ran-sc.org 
            Please use hashtag #nonrtric
        JIRA: https://jira.o-ran-sc.org/projects/NONRTRIC/issues 
    

    OSC Guidelines: https://wiki.o-ran-sc.org/display/ORAN/Reporting+Bugs



    项目必须使用问题跟踪器来跟踪每个问题。 [report_tracker]

    该项目必须响应过去2-12个月内(含)提交的大多数错误报告;响应不需要包括修复。 [report_responses]
    Email List:
        OSC "discuss" mailing list: https://lists.o-ran-sc.org/g/discuss: discuss@lists.o-ran-sc.org 
        Please use hashtag #nonrtric
    JIRA: https://jira.o-ran-sc.org/projects/NONRTRIC/issues 
    


    该项目应该对过去2-12个月内(包括)的大部分(> 50%)的增强请求作出回应。 [enhancement_responses]

    As can be seen on:

    Email List:
        OSC "discuss" mailing list: https://lists.o-ran-sc.org/g/discuss: discuss@lists.o-ran-sc.org 
        Please use hashtag #nonrtric
    JIRA: https://jira.o-ran-sc.org/projects/NONRTRIC/issues 
    


    该项目必须有一个公开的报告和回复的档案供后续搜索。 (需要网址) [report_archive]
  • 漏洞报告流程


    项目必须在项目网站上发布报告漏洞的流程。 (需要网址) [vulnerability_report_process]

    NONRTRIC: Bugs / Feedback / Vulnerabilities: https://wiki.o-ran-sc.org/pages/viewpage.action?pageId=20877888

    Bugs/Feedback/Vulnerabilities can be notified by: 
        Email List:
            OSC "discuss" mailing list: https://lists.o-ran-sc.org/g/discuss: discuss@lists.o-ran-sc.org 
            Please use hashtag #nonrtric
        JIRA: https://jira.o-ran-sc.org/projects/NONRTRIC/issues 
    OSC Guidelines: https://wiki.o-ran-sc.org/display/ORAN/Reporting+Bugs
    Any private or confidential issues can be alerted to the PTL directly.
    


    如果支持私有漏洞报告,项目必须包括如何以保密的方式发送信息。 (需要网址) [vulnerability_report_private]

    NONRTRIC: Bugs / Feedback / Vulnerabilities: https://wiki.o-ran-sc.org/pages/viewpage.action?pageId=20877888

    Any private or confidential issues can be alerted to the PTL directly
        Support for secure/encrypted reporting can be clarified directly with the PTL
    


    该项目在过去6个月收到的任何漏洞报告的初始响应时间必须小于或等于14天。 [vulnerability_report_response]

  • 可工作的构建系统


    如果项目生成的软件需要构建使用,项目必须提供可以从源代码自动重新构建软件的可工作的构建系统。 [build]

    Maven



    建议使用通用工具来构建软件。 [build_common_tools]

    Maven



    该项目应该仅使用FLOSS工具来构建。 [build_floss_tools]

    Maven


  • 自动测试套件


    该项目必须使用至少一个作为FLOSS公开发布的自动测试套件(该测试套件可以作为单独的FLOSS项目维护)。 [test]

    Very comprehensive test environment and tests available as a sub-directory in nonrtric repo (not a separate project)

    Gerrit * nonrtric : https://gerrit.o-ran-sc.org/r/admin/repos/nonrtric ./test and ./autotest



    测试套件应该以该语言的标准方式进行调用。 [test_invocation]

    mvn test bash scripts



    建议测试套件覆盖大部分(或理想情况下所有)代码分支,输入字段和功能。 [test_most]

    All versions are tested in autotest suite (above)



    建议项目实施持续集成,将新的或更改的代码经常集成到中央代码库中,并对结果进行自动化测试。 [test_continuous_integration]

    Multiple tests triggered automatically and periodically as Jenkins jobs at numerous phases of CI/CD pipeline

    https://jenkins.o-ran-sc.org/view/nonrtric/ https://jenkins.o-ran-sc.org/view/portal-nonrtric-controlpanel/ https://jenkins.o-ran-sc.org/view/sim-a1-interface/


  • 新功能测试


    该项目必须有通用的策略(正式或非正式),当主要的新功能被添加到项目生成的软件中,该功能的测试应该同时添加到自动测试套件。 [test_policy]

    All new and updated functionality is tested in autotest suite (above) All contributions should include tests, as described at NONRTRIC: Code Style: https://wiki.o-ran-sc.org/display/RICNR/Code+Style



    该项目必须有证据表明,在项目生成的软件的最近重大变化中,已经遵守了添加测试的条款: test_policy [tests_are_added]

    All new and updated functionality is tested in autotest suite (above). New test functionality can be seen in JIRA and Gerrit.

    Unit test coverage can be verified using Sonar

    https://jenkins.o-ran-sc.org/view/nonrtric/job/nonrtric-sonar/
    https://jenkins.o-ran-sc.org/view/portal-nonrtric-controlpanel/job/portal-nonrtric-controlpanel-sonar/
    https://jenkins.o-ran-sc.org/view/sim-a1-interface/job/sim-a1-interface-tox-sonarqube/
    


    建议您在更改提案的说明文档中添加测试策略要求(请参阅test_policy)。 [tests_documented_added]

    Only informal rule exists, tests are continuously added in practice All contributions should include tests, as described at NONRTRIC: Code Style: https://wiki.o-ran-sc.org/display/RICNR/Code+Style


  • 警告标志


    该项目必须启用一个或多个编译器警告标志,“安全”语言模式,或者使用单独的“linter”工具查找代码质量错误或常见的简单错误,如果至少有一个FLOSS工具可以在所选择的语言实现此条款。 [warnings]

    Sonar is used in development environment and automatically triggered by Jenkins during CI/CD process

    Jenkins:
        https://jenkins.o-ran-sc.org/view/nonrtric/job/nonrtric-sonar/
        https://jenkins.o-ran-sc.org/view/portal-nonrtric-controlpanel/job/portal-nonrtric-controlpanel-sonar/
        https://jenkins.o-ran-sc.org/view/sim-a1-interface/job/sim-a1-interface-tox-sonarqube/
    

    CheckStyle & Findbugs are used in development environments



    该项目必须处理警告。 [warnings_fixed]

    Sonar reports are acted upon continuously.



    建议在实际情况下,项目以最严格方式对待项目生成的软件中的告警。 [warnings_strict]

    Taken on a case by case basis.

    All Checkstyle, Findbugs, test failures, notified issues/bugs and Sonar warnings are acted on promptly.

    Such issues are tracked using Jira and Gerrit (See above).


  • 安全开发知识


    该项目必须至少有一个主要开发人员知道如何设计安全软件。 [know_secure_design]

    All team members are trained to develop secure software



    该项目的主要开发人员中,至少有一个必须知道导致这类型软件漏洞的常见错误类型,以及至少有一种方法来对付或缓解这些漏洞。 [know_common_errors]

    All team members are trained to develop secure software


  • 使用基础的良好加密实践

    请注意,某些软件不需要使用加密机制。

    项目生成的软件默认情况下,只能使用由专家公开发布和审查的加密协议和算法(如果使用加密协议和算法)。 [crypto_published]

    All external operational interfaces support (optional) crytographic authentication & encryption using shared key cryptography (TLS/HTTPs)



    如果项目生成的软件是应用程序或库,其主要目的不是实现加密,那么它应该只调用专门设计实现加密功能的软件,而不应该重新实现自己的。 [crypto_call]

    Commonly used existing opensource cryptogrphic libraries are used



    项目所产生的软件中,所有依赖于密码学的功能必须使用FLOSS实现。 [crypto_floss]

    Commonly used existing opensource cryptogrphic libraries are used



    项目生成的软件中的安全机制使用的默认密钥长度必须至少达到2030年(如2012年所述)的NIST最低要求。必须提供配置,以使较小的密钥长度被完全禁用。 [crypto_keylength]

    No keys intended for production use are included. Keys needed for TLS needs to be provided at SW installation. There is no inbuilt limitations on key length etc.



    项目产生的软件中的默认安全机制不得取决于已被破解的密码算法(例如,MD4,MD5,单DES,RC4,Dual_EC_DRBG)或使用不适合上下文的密码模式(例如,ECB模式几乎不适当,因为它揭示了密文中相同的块,如 ECB企鹅所示。CTR模式通常是不合适的,因为如果重复输入状态,则它不执行认证并导致重复)。 [crypto_working]

    Sample keys are RSA keys, and stored in a Java keystore file (PKCS12), which is encrypted by a password.

    It is the responsibility of the production user to ensure their keys are compliant.



    由项目产生的软件中的默认安全机制不应该依赖于具有已知严重弱点的加密算法或模式(例如,SHA-1密码散列算法或SSH中的CBC模式)。 [crypto_weaknesses]

    Does not depend on any any particular cryptographic algorithm. A cert may be signed using SHA-1, but it is up to the cert issuer.

    It is the responsibility of the production user to ensure their keys are compliant.

    Sample certs are signed.



    项目产生的软件中的安全机制应该​​对密钥协商协议实施完美的前向保密(PFS),如果长期密钥集合中的一个长期密钥在将来泄露,也不能破坏从一组长期密钥导出的会话密钥。 [crypto_pfs]

    Standard TLS/HTTPS used.



    如果项目产生的软件存储用于外部用户认证的密码,则必须使用密钥拉伸(迭代)算法(例如,PBKDF2,Bcrypt或Scrypt)将密码存储为每用户盐值不同的迭代散列 。 [crypto_password_storage]

    No users' passwords are handled.



    由项目生成的软件中的安全机制必须使用密码学安全的随机数生成器生成所有加密密钥和随机数,并且不得使用密码学不安全的生成器。 [crypto_random]

    Standard/best-practice TLS/HTTPS implementations are used. Java, Jetty, Netty, Springboot.


  • 安全交付防御中间人(MITM)的攻击


    该项目必须使用一种针对MITM攻击的传递机制。使用https或ssh + scp是可以接受的。 [delivery_mitm]

    HTTPS/TLS used (optionally) throughout for all external operational interfaces



    不得通过http协议获取加密散列(例如,sha1sum)并直接使用,而不检查密码学签名。 [delivery_unsigned]

    Standard/best-practice TLS/HTTPS implementations are used.

    Java, Jetty, Netty, Springboot.


  • 修正公开的漏洞


    被公开了超过60天的中等或更高严重程度的漏洞,必须被修复。 [vulnerabilities_fixed_60_days]

    LF is currently enabling scans across all projects.

    All high/med vulnerabilities, once identified, are fixed with highest priority (<60 days)



    项目在得到报告后应该迅速修复所有致命漏洞。 [vulnerabilities_critical_fixed]

    All high/med vulnerabilities, once identified, are fixed with highest priority (<60 days)


  • 其他安全问题


    公共存储库不得泄漏旨在限制公众访问的有效私人凭证(例如,工作密码或私钥)。 [no_leaked_credentials]

    All sample/provided credentials are for test/demo purposes only.


  • 静态代码分析


    如果至少有一个FLOSS工具以所选择的语言实现此条款,则至少需要将一个静态代码分析工具应用于软件发布之前任何提议的主要生成版本。 [static_analysis]

    Sonar is used in development environment and automatically triggered by Jenkins during CI/CD process

    Jenkins:
        https://jenkins.o-ran-sc.org/view/nonrtric/job/nonrtric-sonar/
        https://jenkins.o-ran-sc.org/view/portal-nonrtric-controlpanel/job/portal-nonrtric-controlpanel-sonar/
        https://jenkins.o-ran-sc.org/view/sim-a1-interface/job/sim-a1-interface-tox-sonarqube/
    

    Findbugs and Checkstyle is used in development environment NexusIQ (from Sonatype) is also used - focuses on license scan and performs a CVE scan based on versions used. A per-release license scan based is performed for LF Legal - uses a LF-internal scanning.



    建议至少有一个用于static_analysis标准的静态分析工具包括在分析语言或环境中查找常见漏洞的规则或方法。 [static_analysis_common_vulnerabilities]

    Sonar is used in development environment and automatically triggered by Jenkins during CI/CD process

    Jenkins:
        https://jenkins.o-ran-sc.org/view/nonrtric/job/nonrtric-sonar/
        https://jenkins.o-ran-sc.org/view/portal-nonrtric-controlpanel/job/portal-nonrtric-controlpanel-sonar/
        https://jenkins.o-ran-sc.org/view/sim-a1-interface/job/sim-a1-interface-tox-sonarqube/
    

    Findbugs and Checkstyle is used in development environments NexusIQ (from Sonatype) is also used - focuses on license scan and performs a CVE scan based on versions used. A per-release license scan based is performed for LF Legal - uses a LF-internal scanning.



    使用静态代码分析发现的所有中,高严重性可利用漏洞必须在确认后及时修复。 [static_analysis_fixed]

    All reports are acted upon continuously.



    建议每次提交或至少每天执行静态源代码分析。 [static_analysis_often]

    Sonar is used in development environment and automatically triggered by Jenkins during CI/CD process


  • 动态代码分析


    建议在发布之前,至少将一个动态分析工具应用于软件任何发布的主要生产版本。 [dynamic_analysis]


    建议如果项目生成的软件包含使用内存不安全语言编写的软件(例如C或C++),则至少有一个动态工具(例如,fuzzer或web应用扫描程序)与检测缓冲区覆盖等内存安全问题的机制例行应用。如果该项目生成的软件没有以内存不安全语言编写,请选择“不适用”(N / A)。 [dynamic_analysis_unsafe]

    Java, Python is used.



    建议由项目生成的软件包括许多运行时断言,在动态分析期间检查。 [dynamic_analysis_enable_assertions]

    Test-level assertions are checked in tests. All runtime failing assertions/exceptions are caught and logged.

    Any error/exception appearing in test logs or reported by users are assessed in timely manner.



    通过动态代码分析发现的所有严重性为中,高的可利用漏洞必须在确认后及时修复。 [dynamic_analysis_fixed]

    No exploitable vulnerabilities to our knowledge. Not running dynamic code analysis and thus have not found any vulnerabilities in this way



此数据在知识共享署名3.0或更高版本许可证(CC-BY-3.0 +) 下可用。所有内容都可以自由分享和演绎,但必须给予适当的署名。请署名为Trishan de Lanerolle和OpenSSF最佳实践徽章贡献者。

项目徽章条目拥有者: Trishan de Lanerolle.
最后更新于 2021-01-24 14:40:16 UTC, 最后更新于 2021-03-24 15:55:26 UTC。 最后在 2021-03-24 15:18:32 UTC 获得通过徽章。

后退