Hello  good morning. Today i had meeting with SECCOM and now the SECCOM is suggesting to ahead with following OJSI issues as high priority than reported valunerability issues as SECCOM is re-evaluting the plan for valunerability issues. 

OJSI-205CLI exposes unprotected APIs/UIs (CVE-2019-12130)

OJSI-173Port 30271 exposes unprotected service outside of cluster

OJSI-135cli exposes plain text HTTP endpoint using port 30271

OJSI-129cli exposes plain text HTTP endpoint using port 30260

And as i mentioned earlier, Currently CLI proect is getting isued in integration project, VNFSDK project and ONAP user groups. so if CLI project is not getting option to participate in F release, then really i am concerned that it may affect dependents . so i would like TSC  suggest a  better option. Thank you for understanding.

- I have reviewed your TSC MUST Have feedback. If you have no resource to fill in the Vulnerable Table then it will be a showstopper. We need to understand the level of risks associated to these vulnerability issues. Please work with SECCOM to identify a mitigated action plan. thanks

Hello Good morning.

Thank you. I have not noticed this change for this release. i have update it now at https://wiki.onap.org/display/DW/Frankfurt+Release%3A+TSC+must+have+requirement?src=contextnavpagetreemode

- CLI is not yet GREEN for M1 - please provide the requested information as soon as possible

Looking at the Release Planning, the following "TSC MUST Have" are not part of your commitments. These should be considered as part of the Frankfurt release except if ONAP CLI is not participating to the Frankfurt release.

Can you please review your commitments accordingly? thanks

• Four S3P Requirements  

  1. Document current upgrade component strategy

  2. SECCOM Perform Software Composition Analysis - Vulnerability tables

  3. SECCOM Password removal from OOM HELM charts

  4. SECCOM HTTPS communication vs. HTTP

-