# OpenHarmony Security Test Guide

With reference to industry standards and best practices, this document provides specifications for security tests of the OpenHarmony project.

## Security Test Content

- Review the code of each module according to the [OpenHarmony C&C++ Secure Coding Guide](OpenHarmony-c-cpp-secure-coding-guide.md) and fix all issues found in the review.

- Use the OpenHarmony gated check-in to scan your code and clear all alarms.

- Use the compilation option scanning tool to scan your binary files and ensure that the settings of all compilation options comply with the OpenHarmony Compilation Specifications.

- For each module that receives and processes user-mode parameters, develop gray-box and white-box fuzz testing suites according to the [Fuzz Testing Guide](https://gitee.com/openharmony/test_developertest/tree/master/libs/fuzzlib) and complete the tests.

- Use mainstream vulnerability scanning tools to scan open-source components. Ensure that all detected vulnerabilities have been fixed according to the vulnerability management process of the community.

- Perform a consistency check of the released versions, and check that the [released version images](../release-notes/Readme.md) provide the SHA-256 checksum.

- Complete the security design self-check for each module according to the [OpenHarmony Security Design Specifications](OpenHarmony-security-design-guide.md). Ensure that all design issues found in the self-check have been fixed.

- Use mainstream virus scanning software to scan software packages. Ensure that all viruses detected have been removed or confirmed as false alarms.

- Search for ".cer" and ".pem" files or keywords such as "PRIVATE KEY" to find certificates and keys, and check that each certificate or key is within its validity period and that its encryption algorithm meets the [encryption algorithm requirements](OpenHarmony-security-design-guide.md#3-encryption). Ensure that all certificate and key issues have been resolved.

- Perform black-box fuzz testing on exposed user-mode APIs, including system service APIs, kernel driver APIs, socket APIs, and more.


>**NOTE**
>
>The preceding requirements apply to all new and inherited features.

## Security Test Completion Requirements

The mandatory security test performed before version release is complete only when:

- All the security tests mentioned in [Security Test Content](#security-test-content) are complete.

- All security issues have been closed.

## Security Test Report Template

- The security test report must contain the security test results in [Security Test Content](#security-test-content) and pending security issues.
- The version security test report is released with the entire test report of the version, instead of being released and archived separately.
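The certificate and key search described in the Security Test Content can be scripted. The following is an added example, not part of the OpenHarmony guide or tooling: it finds candidate files the way the guide describes (by the ".cer"/".pem" extension or the "PRIVATE KEY" marker), checks each certificate's validity period with the openssl CLI, and compares its signature algorithm against an allow-list. The allow-list and the minimum remaining lifetime are constructed policy values, not values taken from the guide.

```shell
#!/bin/sh
# Added example (not OpenHarmony project code). Requires the openssl CLI.
# ALLOWED_SIG_ALGS and MIN_CERT_LIFETIME_SECS are constructed policy values.
MIN_CERT_LIFETIME_SECS=${MIN_CERT_LIFETIME_SECS:-0}
ALLOWED_SIG_ALGS='sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption ecdsa-with-SHA256 ecdsa-with-SHA384 ecdsa-with-SHA512'

# Candidate files: *.cer / *.pem by name, plus any file containing "PRIVATE KEY".
find_key_material() {
    {
        find "$1" -type f \( -name '*.cer' -o -name '*.pem' \)
        grep -rl 'PRIVATE KEY' "$1" 2>/dev/null || true
    } | sort -u
}

# VALID if the certificate stays valid for at least $2 more seconds,
# EXPIRED otherwise, NOCERT if the file does not parse as a certificate
# (private keys and other PEM files land here and need manual review).
cert_validity() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo NOCERT; return; }
    if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
        echo VALID
    else
        echo EXPIRED
    fi
}

# Signature algorithm name as printed by openssl, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^[[:space:]]*Signature Algorithm: \([^[:space:]]*\).*/\1/p' | head -n 1
}

# OK when the signature algorithm is on the allow-list, WEAK otherwise.
cert_alg_policy() {
    alg=$(cert_sig_alg "$1")
    for a in $ALLOWED_SIG_ALGS; do
        [ "$a" = "$alg" ] && { echo OK; return; }
    done
    echo WEAK
}

# One report line per finding: "CERT <validity> <policy> <path>" or "NOCERT  <path>".
audit_tree() {
    find_key_material "$1" | while IFS= read -r f; do
        v=$(cert_validity "$f" "$MIN_CERT_LIFETIME_SECS")
        if [ "$v" = NOCERT ]; then
            echo "NOCERT  $f"
        else
            echo "CERT $v $(cert_alg_policy "$f") $f"
        fi
    done
}

if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

Any line other than `CERT VALID OK` is a finding to resolve before the test is considered complete.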