...
Jira No | Summary | Description | Status | Solution | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SECCOM slides for Requirements Subcommittee | -https://wiki.onap.org/display/DW/Template+to+be+fulfilled+per+each+requirement As we missed last We booked next session on February 15th March 1st to present slide deck , we will try to book slot on March 1st. | ongoing | E-mail to be sent to Alla to check if we could present – confirmed with Alla | ongoing | Present slides on March 1st. | ||||||||
Whitesource scans of SPC vs. Nexus-IQ | Results for CPS scans were discussed for both Whitesource and Nexus-IQ. Trivi at the end of image creation - would it allow for this issue identification? Fabian will do the scans with Trivi for CPS repo and share the results. | ongoing | Exchanges with Toine shall be done by e-mail on SCA scan finding. Whitesource could be contacted to figure out Ticket was opened with Whitesource | ongoing | Whitesource will be contacted to follow-up the request on transitive dependency in their GUI. | ODL customized repo for ONAP | Version RC1 and RC2 has some issue, so finally RC3 shall be used as an ultimate one for Honolulu release. | ongoing | Results to be compared between prevoius release and RC1 and RC1 and RC3 | UI from Morgan presentation | Scans for jabva and Python and each container - with color coding. https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/02-11-2021_22-02/security/versions/versions/ A lot of project not using a standard image that Integration team formed. It is a good thing to be created. We need to get projects moving standard images. Maybe Alpine is not enough and Debian or Ubuntu should be added? Orange ran Trivy against those 2 images and only 2 medium CVEs for each of them identified. We should focus on MVP. - to be discussed next week. | ongoing | |
It would be good to know which projects are uding standard image and which customized and know the rationale behind. Michal to be contacted for SDNC which uses for one container (SDNC-DMaaP) still Python 2.7. Orange MVP to be presented by Fabian. | Logs management | Policy uses stdout for logs collection. 3 tickets were opened regarding logs: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/02-11-2021_22-02/security/versions/versions/ Fabian continues to check other components for logging | ongoing | Toine to be asked by Amy on stdout usageUI from Morgan presentation | Repository with ONAP docker images: https://nexus3.onap.org | ongoing | Info to be shared with Michal | ||||||
Last PTL session update | -Exceptions for Python and Java upgrade 1 week by RC0 (March 5th) -Page for exceptions in Honolulu release :https://wiki.onap.org/x/8DyLBQ | ongoing | |||||||||||
Logs management – follow up by Amy – container logging requirements review |
First discussion point based on VNF requirements for logging. Comment on container (OS layer) and container application (application layer) for logs collection. Comment on logging modifications in the container. | ongoing | Comments for logging requirements to be reviewed at the next SECCOM meeting. | ||||||||||
ONAP MVP | Slide deck to be uploaded. MVP (to support simple use cases):
| ongoing | To be presented with Fabian at the PTL's meeting on March 8th. | ||||||||||
Trivy can results |
Not possible to compare results with Whitesource or Nexus-IQ. Trivy does not provide remedy version - to be elaborated by Fabian. To be elaborated on how to integrate Trivy with the CI and what to do with the findings. | ongoing | Remedy version to be elaborated by Fabian. | ||||||||||
No use of base images | We need to review of who is using basic image and who is not. Once the list of projects not running basic image is known, we shall contact each concerned PTL to understand the rationale behind. | ongoing | We start with discovery phase and understanding rationale. List to be checked with Morgan and start with MVP and then exapnd to remaining projects. | ||||||||||
How to create secure applications | Following last request from Chaker and discussion at the last PTLs meeting. Secure design should cover that. | Tony will start Wiki with the initial proposal and SECCOM will support by reviewing it and providing feedback. Toine from CPS to be addressed. | |||||||||||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 2nd OF MARCH'21. |
Recording:
View file | ||||
---|---|---|---|---|
|
SECCOM presentation:
View file | ||||
---|---|---|---|---|
|