Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

Seccom criteria for the integration tests to pass a release

  • Add Python and Java version checks
  • Achieve 100% level
  • Follow exception process if relevant
ongoing

To be presented at the TSC meetingLast TSC meeting

Test criteria for Istanbul Release – deck prepared by Eric and Andreas

ongoing

Last PTLs meeting
  • Few (3 or 4) projects should add ONAP wording in their description as they do not show up in CII Badging dasboard.
  • https://logs.onap.org/onap-integration/

    daily

    weekly/onap_

    daily

    weekly_pod4_master/2021-07/

    15

    12_

    02

    13-

    27/ For the security testing we score at 40% as of today - our target is to add java and python version testing ar reach 100% to release.
  • Please update statuses of your Jira tickets for SECCOM Global Requirements
  • ongoingWaiting for a list of project not participating in Istanbul release. ESR Waiver

    Currently 3 use cases are using ESR:

    • ETSI alignment (AAI external system directory API)
    • Network slicing (ESR server) but can use AAI external system directory API
    • CCVPN case (using ESR GUI server) , they can use AAI sending notification oto DMaaP and SDNC and VFC can pick-up

    SO currently ESR in maintenance mode but can be obsolete. If nobody is using ESR, let's remove it from the 15/

    ONAP Security Exception Process

    Security related integration issues will be collected under an Epic filed in the INT Jira project.

    For Istanbul, the Tern results in integration test will be informational and not gating.  Need to consult with TSC to make results blocking for future releases.

    Must complete exception filing by M3, using the protocol described in the link above.

    ongoingAWX and CDS to be identified as part of ONAP project - done it is part of CCSDK.

    ESR WaiverMost probably ESR will be exluded from ONAP Istanbul release.ongoingCCVPN Final check to be check done by Byung if they will use AAI. 

    note: Henry Yu from CCVPN confirmed they can use the direct AAI APIs for Istanbul.

    Also, I am checking with Kamel Idir for the Network Slicing case. Last time, he said they could use the direct AAI, but I am waiting for his confirmation for Istanbul.

    ETSI alignment already uses the direct AAI APIs

    Updated Seccom criteria for the integration tests to pass a release

    • Add Python and Java version checks

    • Achieve 100% level with TERN treated as informative (=not blocking, or decreasing 100% of security test score)

    • Follow exception process if relevant

    ongoingTo be presented at the TSC meeting

    Software BOMs, Hardware BOMs - Muddasar

    Presentation:

    ongoing

    Feedback for Muddasar's presentation is welcome.

    Muddasar is thinking of how the date can be collected, where should be stored and how could be shared. Next week presentation might be provided by Muddasar.


    ongoingWhat is the query mechanism? (during onboarding process presentation of manifesto BOM file or during query of EM or VIM from ONAP and get that information from VIMs.

    Dependency confusion attacks vs. ONAP SW build processPackages are downloaded from Internet for ONAP. To be further elaborated with Bob and Samuli.ongoingE-mail to be sent to SECCOM distribution list/ONAP distribute

    Samuli sent an e-mail to SECCOM distribution list but as no specific feedback received so far, he will send it ot ONAP discuss.

    Interesting framework by Google:

    SLSA: Supply-chain Levels for Software Artifacts https://slsa.dev/

    https://wiki.onap.org/display/DW/Developing+ONAP
    https://wiki.onap.org/display/DW/ONAP+Security+Event+Management+-+DRAFT

    Bob created a dependency security wiki snip for Samuli's and his investigation on this topic. Dependency Security

    ongoing

    Jess to be contacted for CI chain and Nexus for Bob's question.

    Services term to be modified into Services (xNF, xApps)

    Plans to be presented to Architecture Subcommittee.


    Update from LFN 

    (IT-22333by Pawel, and IT-22334by Thierry)

    • Waiting for Thierry’s return
    ongoing

    Code quality and SonarCloud

    Achievements to be presented to TSC:

    View file
    nameCodeOnap_TSC_meetingp.pptx
    height150

    Risk Acceptance statement by TSC. We have a resource shortage to address security concerns for % value of code coverage (as a minimum 55% in the past).

    ongoingPawel and Fabian to present progress and achievements to TSC on August 12th in this domain.


    OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF AUGUST'21. SBOM/HBOM continuation.

    August 12thRecordingRecording:

    View file
    name2021-08-03_SECCOM_week.mp4
    height150

    ...