Versions Compared

...

Jira No | Summary | Description | Status | Solution

Java and the new model of licensing for Oracle JDK versus Open JDK – Natacha

Oracle JDK is the commercial distribution; its benefit is that it receives updates.

OpenJDK is open source and free of charge, but support covers Java 11 and not earlier versions.

Presentation was submitted to recent TSC meeting to ensure the common understanding of the risk. 

TSC wants to know which distribution of OpenJDK is used. The Integration team/OOM are to be contacted; a discussion is planned for the next status meeting on Wednesday. SECCOM cares about Java 11 rather than a particular distribution; from a governance perspective we appreciate a common image and harmonization, with coordination on the release manager side.

Next steps:

E-mail to be sent to Morgan with Pawel B. in copy to confirm if image is already created.


Secrets management: Agreement achieved last week (Krzysztof and Samuli). A written description is needed on the Wiki. Once we have a written recommendation, it would be reviewed at the next SECCOM meeting and further presented at the TSC for approval; once approved, it would become best practice.

Script for automatic jira ticket generation of direct dependencies to be upgraded was successfully tested with CLAMP by Julien and Pierre.

Two scripts were created in Python:

  • script 1: uses maven and creates json of direct dependencies to be upgraded
  • script 2: takes json generated by script 1 and creates Jira tickets for each package to be upgraded
The scripts were reviewed, as was CLAMP. No specific feedback from SECCOM has been received since the demo.

Next steps:

  • Wiki with script description to be created
  • Before creating a ticket, the script could check that one does not already exist.
  • Scripts available under Julien's github: https://github.com/JulienBe/onap-dep
  • Present solution to PTLs and get feedback on how to integrate the scripts into the ONAP development cycle to generate the project jiras for package upgrades
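As an added illustration of the two-script pipeline described above (not code from the onap-dep repository), the block below parses a constructed `mvn versions:display-dependency-updates` report into upgrade records, then plans one Jira ticket per package while skipping packages that already have a ticket, the duplicate check suggested under next steps. The maven goal, the summary format and the `plan_tickets` helper are assumptions, not the project's own conventions.

```python
import re

# Constructed sample of `mvn versions:display-dependency-updates` output; the
# real scripts may use a different maven goal (assumption).
MVN_OUTPUT = """\
[INFO] --- versions-maven-plugin:2.7:display-dependency-updates (default-cli) @ clamp ---
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   com.fasterxml.jackson.core:jackson-databind ... 2.9.8 -> 2.10.2
[INFO]   org.springframework.boot:spring-boot-starter .. 2.1.3.RELEASE -> 2.2.4.RELEASE
[INFO]   junit:junit ................................... 4.12 -> 4.13
[INFO] BUILD SUCCESS
"""

# One "group:artifact .... current -> latest" line as printed by the plugin.
UPDATE_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^\s:]+):(?P<artifact>[^\s:]+)\s+\.+\s+"
    r"(?P<current>\S+)\s+->\s+(?P<latest>\S+)\s*$"
)


def parse_dependency_updates(mvn_text):
    """Script-1 stage: turn the maven report into JSON-ready upgrade records."""
    deps = []
    for line in mvn_text.splitlines():
        m = UPDATE_RE.match(line)
        if m and m["current"] != m["latest"]:
            deps.append(m.groupdict())
    return deps


def plan_tickets(deps, existing_summaries, project="CLAMP"):
    """Script-2 stage: one ticket per package, skipping packages that already
    have a ticket. Ticket summary format is a hypothetical convention."""
    tickets = []
    for d in deps:
        coords = f"{d['group']}:{d['artifact']}"
        if any(f"Upgrade {coords} " in s for s in existing_summaries):
            continue  # a ticket for this package already exists
        tickets.append({
            "project": project,
            "summary": f"[{project}] Upgrade {coords} from {d['current']} to {d['latest']}",
            "description": f"Direct dependency {coords} is at {d['current']}; "
                           f"latest available is {d['latest']}.",
        })
    return tickets
```

The records returned by `parse_dependency_updates` are plain dicts, so `json.dumps` on them gives the hand-off file between the two scripts.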

The new xtesting security docker was integrated at the end of last week.
Meeting on Wednesday with OOM and Integration. Update next week.

Frankfurt M2/M3 scorecard SECCOM requirements update

Items reviewed:

  • REQ-207 SECCOM Code coverage
  • REQ-215 SECCOM Containers configured per secure recommendation
  • REQ-219 SECCOM Java 11 migration from v8
  • REQ-223 SECCOM CII badging – meet targeted Silver and

JRE (compilation not possible) vs JDK (compilation possible). Packaging changed for Java 11. A presentation is to be submitted to the next TSC meeting to ensure a common understanding of the risk. The Java 8 JRE is bundled with the Java 8 JDK.

Two ways to deploy ONAP:

  • out of the box: no hardcoded passwords; passwords are generated from a single master password, and in some cases already existing secrets are used,
  • the user provides a few hundred passwords.
For containers we should be able to provide plain-text passwords.

ONAP out of the box uses a password generator of a certain type; this is to be documented for ONAP:

  • which secret names are used,
  • documentation is needed,
  • a Helm template is used.
PTLs call
  • Asked PTLs to link SECCOM requirements with their project Jira tickets.
  • Meeting with the OOM team to help develop a template so that projects can correctly configure their containers to pass the Integration Kubernetes tests.
    • Gold requirements:
      • REQ-227 SECCOM Complete the OJSI backlog
      • REQ-231 SECCOM HTTPS communication vs. HTTP
      • REQ-235 SECCOM Password removal from OOM HELM charts
      • REQ-239 SECCOM Communication Matrix
      • REQ-243 SECCOM Containers and Kubernetes secure configuration recommendation
      • REQ-247 SECCOM Coverity integration by end of Frankfurt
      • REQ-251 SECCOM Ingress controller
      • REQ-263 SECCOM Perform Software Composition Analysis - Vulnerability tables


Status column values (status macros; their association with table rows was not preserved): YELLOW, RED, YELLOW, RED, YELLOW, GREEN, YELLOW, GREEN, GREEN, RED, GREEN, RED.


Template to be created.






OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 11TH OF FEBRUARY'20


    ...