Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

NSA proposal follow-up

Meeting scheduled on May 3rd.

ongoingAll interested contributors are wlecome to join this follow-up session.

Questions for SonarCloud (slides 4 and 5)

Already shared with SonarCloud - waiting for a feedback.ongoingTo check with SonarCloud representative (Sylvain) when feedback could be expected.

New Jira tasks for java and python upgrades in Istanbul release

Were already created - couple of project claimed that they already done.ongoingTo check next test results.NEXUS-IQ container scanning

Scans of the containers show the same vulns as scans of the source code. On container scans there is no indication on transitive/direct dependencies, so PTLs lose infrmation - update of the transitive dependency might break the code!

We would like to surpress all the results that are not in the code base.

ongoingSonatype to be contacted via Jess to check if ability to do the correlation exists or is planned.

IT-21675 Jacoco integration with SonarCloud (info from Christophe)

As Sonar team and Jacoco team are still arguing on this topic on forums, target was reached using unit tests only (so this is not critical anymore)

ongoing

NEXUS-IQ – SCA analysis started for Istanbul release

DCAE made a good progress - some repos free of critical vulnerabilities. For some repos upgrade is not enough  as no remedy exists yet - to be docuemented properly.ongoingTo complete SCA analysis by end of next week

:

  • meeting was very informative, grow ONAP platform in analytics and reacting to events
  • one of first steps joining this session: logging reqs, AA in Kubernetes,
  • NSA requirements are needed for an area needed to be enhanced
ongoing

Next meetings will be organized ad hoc.  SECCOM weekly meetings will be regularly used.

Amy will facilitate exchanges with Maggie and NSA team.


Additional 2 resources from Orange to improve ONAP securityProgress with SO – Fabian, first Focus on performance application issue.ongoing

ONAP security with the OPS 5G project

Next meeting on May 6th, deck prepred and presented by Amy:


ongoingTo be presented on May 6th

ONAP CII discussionRequirement: 

There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

ongoingSlot to be booked at the next PTLs meeting to present this issue.

SonarCloud  answers for our questions

Please refer to slides 4-7. ongoingWe will discuss answers next week.

Logging anagement follow-up

Fabian prepared slides with logging architecture.

Some requiremets for logging are in scope of security and some are more general (and outside of security domain).

Bob did the summary of logging specs andshared with SECOM via distribution list.

ongoing

We can start with the simple requirment.

Slide draft shall be presented at the SECCOM and then presented to Architecture Subcommittee - Amy will share the logging requirmeents slide deck.


Continuation of discussion on Fabian’s comment on logging management

Logs management to be taken up to Archiecture Subcommittee, so beyond security. We do have standard what to do with logs but it was not followed for a while. 

Container run time requirement and entire virtualized requirement (all event types collected)- we mix those 2. Logs transfer need to be secured.

Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationIDMDC-InvocationID

ongoing

Fabian to present most recent logging management archiecture to Archiecture Subcommittee.

Bob to elaborate the link provided.

Additional 2 resources from Orange to improve ONAP security 

DMaaP PTL integrated changes and additional 8 new blocking points had to be fixed.

Next step started work on security for SO.

This will be rather for Istanbul.


Done for DMaaP

ongoing for SONEXUS-IQ – SCA analysis outputs
Analysis almost done:
  • List of recommended packages version
  • Some packages are still scanned althought planned to be unmaintained (example: policy-engine)
  • PTLs were contacted for failing Jenkins jobs



OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 11th OF MAY'21. 

Whe start pushing few other items in CII Badging or SonarCloud? To adrress it next week at the SECCOM.

Review of the document (link) provided by Bob.




...

View file
name2021-05-04_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2021-05-04 ONAP Security Meeting - AgendaAndMinutes.pptx
height150