
Columns: Jira No | Summary | Description | Status | Solution

Summary: SECCOM slides for Requirements Subcommittee

Description:
- https://wiki.onap.org/display/DW/Template+to+be+fulfilled+per+each+requirement
- As we missed the last session on February 15th to present the slide deck, we will try to book a slot on March 1st. We booked the next session on March 1st to present the slide deck.

Status: ongoing
Solution: E-mail to be sent to Alla to check if we could present – confirmed with Alla.

Status: ongoing
Solution: Present slides on March 1st.

Summary: Whitesource scans of SPC vs. Nexus-IQ

Description:
- Results for CPS scans were discussed for both Whitesource and Nexus-IQ.
- Trivy at the end of image creation – would it allow for this issue identification?
- Fabian will do the scans with Trivy for the CPS repo and share the results.

Status: ongoing
Solution: Exchanges with Toine shall be done by e-mail on the SCA scan finding. Whitesource could be contacted to figure it out; a ticket was opened with Whitesource.

Status: ongoing
Solution: Whitesource will be contacted to follow up the request on transitive dependencies in their GUI.

Summary: ODL customized repo for ONAP

Description: Versions RC1 and RC2 have some issues, so finally RC3 shall be used as the ultimate one for the Honolulu release.

Status: ongoing
Solution: Results to be compared between the previous release and RC1, and between RC1 and RC3.

Summary: UI from Morgan presentation

Description:
- Scans for Java and Python and each container – with color coding: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/02-11-2021_22-02/security/versions/versions/
- A lot of projects are not using the standard image that the Integration team formed. It is a good thing to have created it. We need to get projects moving to standard images.
- Maybe Alpine is not enough and Debian or Ubuntu should be added?
- Orange ran Trivy against those 2 images and only 2 medium CVEs were identified for each of them.
- We should focus on the MVP – to be discussed next week.

Status: ongoing
Solution:
- It would be good to know which projects are using the standard image and which a customized one, and to know the rationale behind it.
- Michal to be contacted about SDNC, which still uses Python 2.7 for one container (SDNC-DMaaP).
- Orange MVP to be presented by Fabian.

Summary: Logs management

Description:
- Policy uses stdout for logs collection.
- 3 tickets were opened regarding logs:
  https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/02-11-2021_22-02/security/versions/versions/
  AAI – LOG: https://jira.onap.org/browse/AAI-3273
  SO – LOG: https://jira.onap.org/browse/SO-3531
  AWX contrib: https://jira.onap.org/browse/INT-1858
- Fabian continues to check other components for logging.

Status: ongoing
Solution: Toine to be asked by Amy on stdout usage.

Summary: UI from Morgan presentation

Description: Repository with ONAP docker images: https://nexus3.onap.org

Status: ongoing
Solution: Info to be shared with Michal.


Summary: Last PTL session update

Description:
- Exceptions for Python and Java upgrade: 1 week by RC0 (March 5th)
- Page for exceptions in Honolulu release: https://wiki.onap.org/x/8DyLBQ

Status: ongoing

Summary: Logs management – follow up by Amy – container logging requirements review

Attachment: 2021-02-22_LoggingRequirementEvents_v1.pptx

Description:
- First discussion point based on VNF requirements for logging.
- Comment on container (OS layer) and container application (application layer) for logs collection.
- Comment on logging modifications in the container.

Status: ongoing
Solution: Comments for logging requirements to be reviewed at the next SECCOM meeting.

Summary: ONAP MVP

Description:
Slide deck to be uploaded.

MVP (to support simple use cases):
  • AAI
  • SDC
  • SO
  • DMaaP
  • SDNC
  • AAF (without Service Mesh adaptation)

Status: ongoing
Solution: To be presented with Fabian at the PTL's meeting on March 8th.

Summary: Trivy scan results

Attachment: trivy_cps-service.0.0.1-SNAPSHOT.txt

Description:
- Not possible to compare results with Whitesource or Nexus-IQ.
- Trivy does not provide the remedy version – to be elaborated by Fabian.
- To be elaborated on how to integrate Trivy with the CI and what to do with the findings.

Status: ongoing
Solution: Remedy version to be elaborated by Fabian.

Summary: No use of base images

Description: We need to review who is using the basic image and who is not. Once the list of projects not running the basic image is known, we shall contact each concerned PTL to understand the rationale behind it.

Status: ongoing
Solution:
- We start with a discovery phase and understanding the rationale.
- List to be checked with Morgan; start with the MVP and then expand to the remaining projects.


Summary: How to create secure applications

Description: Following the last request from Chaker and the discussion at the last PTLs meeting. Secure design should cover that.

Solution:
- Tony will start a Wiki page with the initial proposal, and SECCOM will support by reviewing it and providing feedback.
- Toine from CPS to be addressed.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 2nd OF MARCH '21.

Recording: 2021-02-23_SECCOM_week.mp4

SECCOM presentation: 2021-02-23 ONAP Security Meeting - AgendaAndMinutes.pptx