...
Topic | Description | Status | Solution / next steps
---|---|---|---
Last TSC meeting | | ongoing | |
Last PTLs meeting | Not executed, but the SECCOM message remains: status update for Global Requirement https://jira.onap.org/browse/REQ-863; thank you to all the projects taking part in the recommended package upgrades; all other projects not compliant with this requirement will have issues with SECCOM acceptance to be part of the Istanbul release. | ongoing | Propose the same message for the next PTLs meeting.
Software BOMs, Hardware BOMs - Muddasar | What is the query mechanism? Presentation of a manifest BOM file during the onboarding process, or querying the EM or VIM from ONAP and obtaining that information from the VIMs. | ongoing | Options to be discussed next week, i.e. the format to use (3 formats discussed last time) and authorship (with company affiliation for accountability). The software side is to be moved forward first, to be followed by the hardware BOM. PoC proposal by Fabian: select some software module, define what the atomic level is, and create a BOM. Each individual code contribution should be traceable back to an individual name. To be decided at the next SECCOM; scope of the PoC to be proposed. Muddasar to be added to the e-mail exchange with Bob and Jess.
Security Event Generation Requirements review (Byung/Chaker/Fabian/Amy) | ONAP Security Event Management: major focus on generation and collection. VES events are generated by service containers; we are focused on log generation by platform containers. The Apache2 web server has well-defined message logging formats based on a set of attributes. The retention period is very operator specific. Logs should be written to stdout and stderr. | ongoing | The log file metadata part of the component is to be elaborated.
Security Risk Assessment and Acceptance – revisit Brian's statement | To be discussed next week. | |
CII Badging update - Tony | To be discussed next week. | |
Dependency confusion attacks vs. ONAP SW build process | Samuli sent an e-mail to the SECCOM distribution list; as no specific feedback has been received so far, he will send it to ONAP discuss. Interesting framework by Google: SLSA, Supply-chain Levels for Software Artifacts (https://slsa.dev/). See also https://wiki.onap.org/display/DW/Developing+ONAP. Bob created a Dependency Security wiki snippet for Samuli's and his investigation on this topic. | ongoing | Jess to be contacted about the CI chain and Nexus for Bob's question. The term "Services" to be modified into "Services (xNF, xApps)". Plans to be presented to the Architecture Subcommittee.
Logging Requirements – meeting update (Amy) | To be discussed next week. | ongoing | Wiki page to be checked by Samuli.
Code quality and SonarCloud – achievements deck prepared by Fabian to be presented to TSC on August 12th | Slot is booked and slides uploaded. Fabian is ready to present the deck to the TSC. | ongoing |
SECCOM-269 is the epic for tracking security integration tests. It is blocked by the following project Jiras. | | ongoing | Some more waivers might be submitted.
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th OF AUGUST '21. | Agenda: Software BOMs; Logging requirements; Security Risk Assessment and Acceptance – revisit Brian's statement; Dependency confusion attacks vs. ONAP SW build process | |
Recording:
...