Release 3 Blueprint Scanning Status (Pre-Approval)

• Integrated Cloud Native (ICN) NFV/App stack family [Kuralamudhan Ramakrishnan, Igor Duarte Cardoso]
  • Vuls: High:30 Medium:96 Low:27
  • Lynis: https://logs.akraino.org/intel/bluval_results/icn/master/20200529-023728/results/os/lynis/lynis.log
  • Kube-Hunter: Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW

• Radio Edge Cloud (REC)
  • Vuls: High:44 Medium:137 Low:47
  • Lynis: https://wiki.akraino.org/download/attachments/18481239/lynis.log?version=1&modificationDate=1590586718000&api=v2
  • Kube-Hunter:
    • KHV005 Access to API using service account token
    • KHV002 Kubernetes Version Disclosure
    • KHV050 Read access to pod's service account token
    • Local to Pod CAP_NET_RAW Enabled
    • Local to Pod Access to pod's secrets

• Connected Vehicle Blueprint [Thor Chin]
  • This blueprint did not have output information from vuls, lynis or kube-hunter.  I have sent an email to Thor Chin and Tapio Tallgren.  This appears to be an issue with BluVal not executing the scans correctly.
  • Vuls:
  • Lynis:
  • Kube-Hunter:

• ELIOT Iot Gateway Blueprint [Khemendra Kumar]
  • Vuls: High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/
  • Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/
  • Kube-Hunter:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

• ELIOT SD-WAN/WAN Edge/uCPE Blueprint [Khemendra Kumar]
  • Vuls: High:87 Medium:168 Low:62  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/
  • Lynis:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/
  • Kube-Hunter:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

• KNI Provider Access Edge [Yolanda Robla Mota]
  • Running on OKD vs Kubernetes  https://wiki.akraino.org/display/AK/KNI+PAE+Architecture+document
  • Conformance tests used:  https://wiki.akraino.org/display/AK/KNI+PAE+Test+document
  • Vuls:
  • Lynis:
  • Kube-Hunter:

• Micro-MEC
  • Scan output files are not currently available at https://wiki.akraino.org/display/AK/Release+3+Planning.  I have emailed the PTL, Tapio Tallgren to see if he can provide them.
  • Vuls:
  • Lynis:
  • Kube-Hunter:

• School/Education Video Security Monitoring [Hechun Zhang and Liya Yu]
  • This blueprint did not have output information from vuls, lynis or kube-hunter.
  • This is the first release for the School/Education Video Security Monitoring blueprint, BluVal is not required. 
  • I have sent an email to Hechun Zhang and Liya Yu.
  • Vuls:
  • Lynis:
  • Kube-Hunter:

• 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint [Feng Yang]
  • All scan logs:  https://nexus.akraino.org/content/sites/logs/tencent/job/5g-mec-cloud-gaming-CD/security_scan/2/
  • Vuls:
  • Lynis:
  • Kube-Hunter:

• Enterprise Applications on Lightweight 5G Telco Edge [Gaurav Agrawal]
  • Vuls:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/
  • Lynis:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/
  • Kube-Hunter:  https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/

• Public Cloud Edge Interface (PCEI) Blueprint [Oleg Berzin]
  • This blueprint did not have output information from vuls, lynis or kube-hunter. 
  • This is the first release for the PCEI blueprint, BluVal is not required. 
  • I have sent an email to Oleg Berzin.
  • Vuls:
  • Lynis:
  • Kube-Hunter:

Approved Blueprints

...

Vuls Scan

• Pass/Fail
• Exceptions

...

Lynis Scan

• Pass/Fail
• Exceptions

...

Kube-Hunter Scan

• Pass/Fail
• Exceptions

...

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

...

AI/ML and AR/VR applications at Edge

...

• ELIOT AIoT in Smart Office Blueprint

...

• ELIOT IoT Gateway Blueprint

...

• ELIOT SD-WAN/WAN Edge/uCPE Blueprint

...

• Fail:
  • 141 unfixed vulnerabilities
  • (High:30 Medium:96 Low:27 ?:0), 12/153 Fixed
• Exceptions:
  • We request exceptions for all outstanding vulnerabilities
• See Nexus Logs

...

• Pass
• See Nexus Logs

...

• Fail
  • Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
• Exceptions:
  • We request exception for CAP_NET_RAW vulnerability or remediation (fixes found seem to be on a per-pod basis, which is not enough)
• See Nexus Logs

...

• IEC Type 1 for Integrated Edge Cloud (IEC) Blueprint Family

...

• IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family

...

• IEC Type 4: AR/VR oriented Edge Stack for Integrated Edge Cloud (IEC) Blueprint Family

...

Micro-MEC

...

• Radio Edge Cloud (REC)

...

...

...

...

• SDN Enabled Broadband Access (SEBA) for Telco Appliance Blueprint Family

...

Time-Critical Edge Compute

...

Pass

Nexus logs here

...

Pass

Nexus logs here

...

Pass: no k8s cluster as part of deployment at the moment

Nexus logs here

Approved Feature Projects

If the program uses only one programming language, in the “Repository” column, just fill in the repo location.

If a project uses multiple programming languages, please list all of them, add a link in "Repository" column for each programming language to show the sample code.  

...

Akraino Blueprint Validation Framework

...

Akraino Portal Feature Project

...

API Gateway

...