
Jira No | Summary | Description | Status | Solution

Last PTL's meeting (24th of August) update
  • Base image excluding GPL3

    • #ACTION: SECCOM to provide guidelines about where to document 'bash' or any other package required for the application to be added on top of the base image?
    • #ACTION: SECCOM to share on 8/24 results of Java 8.0 Audit, also documented on REQ-351

    REQ-350 - #ACTION: SECCOM - provide the list of projects that did not reply yet to this requirement to the comment of REQ-350 or add the link of the dashboard.

  • Presentation from Amir Mohamad regarding implementation of REQ

    Attachment: SDC_Vulnerable_Dependency_Upgrades.pdf

    -

    -

    323

    Package upgrade and Java 11

    ongoing

    Jira to be used to track requirements on top of base image. Grouping of requirements is preferred. Dependencies might be tackled in different ways.

    Tony already uploaded

    The latest version of Jcraft.jsch 0.1.55 has the same packages and class names as com.springsource.jcraft.jsch 0.1.41 (very old package)

    During next PTL meeting identify next projects.

    Fabian will be off for the next 2 weeks - proxy to be identified.


    ongoing




    Subversions for Java 11 could be pushed for future release (Honolulu) for a common version (as of today 11.0.8).


    Guilin priorities

    Automated security testing - to be checked for status.

    Some updates appreciated from Krzysztof.




    Honolulu SECCOM SoW

    Continue packages upgrades in direct dependencies

    After Service Mesh PoC - new requirements might arrive.

    Harbor requirement. In Harbor:

    • you can sign the image and you can share the key with an application that has an account to pull or to push the image
    • possibility to scan the image all the time and send warnings
    • Harbor is deployed at run time, while Whitesource and Nexus-IQ are used during development.

    Logs management:

    • common place for data - all applications should generate logs that can be collected by Kubernetes (target for next release)
    • common format for data - format of minimum data that we want that is useful (target for next+1 release)

    SIEM integration:

    • integration with SIEM as for the other applications, with the same protocol used
    • logs from ONAP to SIEM, falco tool to be considered (IDS for Kubernetes)
    • alarms when a security issue occurs

    CII Badging - session planned on the PTLs call.

    ongoing














    E-mail was sent to Fabian to clarify whether logs from ONAP to SIEM should be considered as ONAP logs only, xNFs logs only, or maybe both.


    TSC meeting outputs 

    No actions for SECCOM.

    Long discussion on a repo creation and add.




    Open Networking & Edge Summit North America 2020
    September 28 & 29, 2020 (Virtual Event)




    LFN Fall Technical Meetings October 13 - 15, 2020

    Java v8 in ONAP - status update

    We received output of the script prepared by Pawel W. from Samsung. The list is pretty long:

    Attachment: onap_frankfurt_java_20200813.txt

    Migration process to be tracked.


    OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 1st OF SEPTEMBER'20.

    Topics proposed:

    • What is next for Honolulu in the context of Service Mesh PoC?
    • What is the impact of Service Mesh usage on runtime environment?

