Projects that follow the best practices below can voluntarily self-certify and show that they have achieved a Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/3777"><img src="https://www.bestpractices.dev/projects/3777/badge"></a>
ONAP-DCAE-Designtime will include components to support microservice onboarding and design. A GUI is provided for the designer to construct a service flow and distribute it to the DCAE runtime environment.
The process can be found at the following URL: https://wiki.onap.org/display/DW/Development+Procedures+and+Policies. In addition, DCAE has a web page providing DCAE-specific information: https://wiki.onap.org/display/DW/DCAE+Contribution+and+Development.
ONAP requires both a Developer Certificate of Origin (DCO), and a Contributor License Agreement (CLA). https://wiki.onap.org/display/DW/Contribution+Agreements
The project governance is described at https://wiki.onap.org/display/DW/Community+Offices+and+Governance
Further information can be found at https://wiki.onap.org/display/DW/ONAP+Technical+Community+Document
ONAP adheres to the Linux Foundation Code of Conduct, found at https://lfprojects.org/policies/code-of-conduct
The key roles in the project and their responsibilities are described at https://wiki.onap.org/display/DW/Community+Offices+and+Governance
ONAP uses the Linux Foundation structure to support all projects, including all keys and passwords. Nothing, including all legal rights, is invested in any single person. We have multiple committers associated with DCAEGEN2: https://gerrit.onap.org/r/gitweb?p=dcaegen2.git;a=blob_plain;f=INFO.yaml;hb=refs/heads/master
https://wiki.onap.org/display/DW/Resources+and+Repositories#ResourcesandRepositories-DataCollectionAnalyticsandEvents
The MOD roadmap is described in this wiki - https://wiki.onap.org/display/DW/DCAE+MOD
The architecture is documented here: https://onap.readthedocs.io/en/latest/submodules/dcaegen2.git/docs/sections/architecture.html
The security design and assurance case can be found at https://wiki.onap.org/display/DW/DCAE+Security+Design+&+Assurance (permalink https://wiki.onap.org/x/GokDBg).
Information on setting up ONAP can be found at https://wiki.onap.org/display/DW/Setting+Up+ONAP
Documentation is updated with each release at https://onap.readthedocs.io/en/latest/submodules/dcaegen2.git/docs/
The DCAE platform badge is visible on the project's readme.io page found at https://onap.readthedocs.io/en/latest/submodules/dcaegen2.git/docs/ The DCAE Designtime badge is added to wiki - https://wiki.onap.org/display/DW/DCAE+MOD
The UI for MOD is provided by the upstream Apache NiFi project; accessibility is not supported by the upstream project.
The UI for MOD is provided by the upstream Apache NiFi project; internationalization is not supported by the upstream project.
The project does not store passwords in the website, repository or downloads.
All major releases are tagged in gerrit and the artifacts are stored with the release information on onap.nexus, so we can access all old versions of the artifacts. If and when an upgrade requires certain steps to be followed, they are added to the release documents as needed. https://gerrit.onap.org
Jira is used to track issues. https://wiki.onap.org/display/DW/Tracking+Issues+with+JIRA
Vulnerabilities can be reported using the link https://wiki.onap.org/pages/viewpage.action?pageId=6591711 Currently we don't have any vulnerabilities reported, but the wiki page explains how to report a vulnerability and how to report anonymously if you do not want the credit for it.
Vulnerabilities handling is documented in https://wiki.onap.org/pages/viewpage.action?pageId=6591711
Coding style is defined in https://wiki.onap.org/display/DW/Java+code+style
Java code uses maven-check-formatter as part of the build, but it is not currently enforced. Validation of Python components through Black is ongoing.
DCAE does not build any native binaries
All DCAE components are compliant
All releases are tagged in gerrit (git), and the builds are controlled using jenkins. By providing the git tag information, the same image can be built over and over again with the same bit-for-bit result.
helm deploy onap, helm undeploy onap
helm has no optional destination directories, but does let you direct pods to particular worker nodes.
The ONAP components require only java and maven to begin with for a developer to quickly install and test ONAP. Even for deployment using OOM and the right amount of resources, we can deploy the full AAI/ONAP suite in less than a day. The steps are documented in https://onap.readthedocs.io/en/latest/submodules/oom.git/docs/oom_quickstart_guide.html
External dependencies are controlled using the pom file, which can be found in the root folder for each of the sub-projects, such as https://gerrit.onap.org/r/gitweb?p=dcaegen2/configbinding.git;a=tree;h=refs/heads/master;hb=refs/heads/master
NexusIQ sonar scan is run on all the projects on a weekly basis
External components are maintained through Maven. The user can get a list of all included components using the maven dependency tree and can update or reuse as they see fit
We avoid depending on deprecated/obsolete functions.
Automatic test suites are run every time before merging the code. A code check-in cannot pass without jenkins posting a +1 on the review.
When regressions occur, we add tests for them.
Current coverage for DCAE MOD components is ~75%.
Contributing guidelines for development are recorded in https://wiki.onap.org/display/DW/Development+Procedures+and+Policies
This is documented on our wiki on Code Coverage and Static Code Analysis: https://wiki.onap.org/display/DW/Code+Coverage+and+Static+Code+Analysis and https://wiki.onap.org/display/DW/Creating+a+CSIT+Test
MOD submissions are reviewed/approved based on the verify build report - https://jenkins.onap.org/view/dcaegen2-platform-mod/ This project is also in the POC/incubation phase; as it becomes more mature, stricter enforcement is to be added.
DCAE Team follows secure design principles and validates them as part of gerrit-reviews.
MOD components use Java, which supports these configurable options.
All TLS libraries are current.
All release artifacts are signed by the Linux Foundation prior to release.
DCAE MOD currently provides two external interfaces. OnboardingAPI: used for onboarding new components into the catalog; the system does basic schema validation, and the remaining configuration parameters are expected to be validated by the designer/SE. MOD UI: the current UI based on NiFi does not include validation; a new UI is being worked on which will include data validation in a future release.
MOD NiFi currently does not use headers like CSP.
Sonatype CLM scan is applied for static code and dependency security vulnerability reporting. Its results are available on https://nexus-iq.wl.linuxfoundation.org/assets/index.html. The reports contained details of the vulnerabilities and suggestions of fixes.
DCAEGEN2 components are implemented in Java, Shell and Python. Not using C or C++.