...
Jira No | Summary | Description | Status | Solution | Jenkins, Gerrit and Sonar – Thierry Aleno | ongoing | Meeting to be organized by Pawel with LFN (Jess, Kenny) and friendly project (CPS) for a PoC later this week. If result of the PoC is positive, it could be generalized to whole ONAP. We should present the solution to PTLs. Use cases for a PoC to be defined. | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
PTLs meting update |
| ongoing | PTLs shall be encouraged to take their actions to deprecate their relevant repos. | TSC meeting update | TSC approved SonarCloud profile management model. Invitation received from Bengt to ONAP GitHub | ongoing | GitHub IDs to be collected from PTLs - to be checked with David by Pawel. Amy to follow-up with Bengt directly on being added to ONAP GitHub. | (IT-22048) for direct vs. indirect dependencies with container scans | Feedback from Bengt to move on with ticket at Sonatype by opening a feature request - Amy opened a feature request (IT-22175) - no update | ongoing | Fabian's update - quality of a code | DMaaP only 16 minor security issues, with SO pending merge (e-mail was sent to Seshu - no response so far, but Fabian reports merge) | ongoing | Software BOM and point upgrade discussion – atomic level of ONAP. | How detailed BOM shall be. Release Management of a different ONAP components - way to collect information ( ajor ONAP modules, OSes, DBs etc.). Software Bill of Materials - we do not crreate today but we have Nexus-IQ from which information can be retrieved. Contractural aspects to be checked. How to upgrade vulnerable module? | started | Amy to organize with Muddasar a meeting on Software BOM. DCAE plans for Istanbul with regards to Security/global requirements – Vijay | Firstfeedback from SECCOM: org.apache.tomcat.embed : tomcat-embed-core : although the latest from 9.x train is 9.0.48, there might be some issue with licensing there, so please consider 9.0.46 Slide deck presented by Vijay:
Regular exception process will be used, Vijay provided detailed explaination on the scans findings for it. For: dcaegen2-platform-inventory-api and dcaegen2-platform-servicechange-handler with architecture change with deployment via HELM, those components from Honolulu version will be used in Istanbul to be finally retired in Jakarta. We are not scanning containers but repos in the SCA. For Java and Python we run container scans. In Orange labs (but not for other labs like Windriver) one component is failing with resource limit - exception might be required. https://gerrit.onap.org/r/c/oom/+/122079/9/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml Internal ONAP HELM registry with fine grained authorization supported by Chartmuseum. It will be explored for next release based on other projects integration scope: | ongoing | Vijay to update Jira tickets with comments on exception request justifications. SECCOM: to include 2 additional repos with microservices in the SCA analysis output- done. To be further discussed: | |||||||
Software BOMs - Muddasar | Atomic level to be explored for ONAP - major ONAP modules, OSes, DBs etc. And how to move on with the upgrade. What should be the smalled unit of tracking for software upgrade. Track it to the level where operator may take actions. Source of details: We should be able to look into the individual software components which form the package. Tony will search for a reference from CI Badging for SBOM format. | ongoing | To be further discussed. | ||||||||||||||||||||||||
Jenkins, Gerrit and Sonar | Following the meeting held last week 2 tickets were opened to LFN IT support: | ongoing | |||||||||||||||||||||||||
Last TSC meeting update | Critical Jira issue - explained to TSC by Tony | ongoing | |||||||||||||||||||||||||
PTLs meting update |
| ongoing | |||||||||||||||||||||||||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 6th OF JULY'21. Continuation on atomic level of ONAP discussion. |
|
Recording:
View file | ||||
---|---|---|---|---|
|
SECCOM presentation:
View file | ||||
---|---|---|---|---|
|