| | | | |
|---|
| Last TSC meeting | - M3: delayed one week until 2 September
- Jenkins availability problems prior to 8/24
- Goal was 85% of epics closed for projects – 80% closed on 8/24
- M4: remains 16 September
- REQ-760: IPv4/IPv6 Dual Stack - Global Requirement (all code)
- Chaker will do an architecture review and get alignment among Damian, Timo, Chaker, et al
- Use of integration team base images
- Java/Python version tests show use of the integration team base images is low
- Integration team base image will be proposed a Best Practice for Jakarta
- TSC voted to approve the OOM GitLab POC using CLA validation demonstrated by Krzysztof O until EasyCLA supports GitLab
- LFNGB special meeting on 8/25
- Reviewed LFN priorities for 2021-2022
- ONESummit (11-12 October) - virtual only
| ongoing |
|
| Last PTLs meeting | Finally executed, but SECCOM message remains: | ongoing | to close tickets for projects not participating in Istanbul release - done. |
| Software BOMs, Hardware BOMs - Muddasar | We follow PoC idea - first we take a look at the CI/CD pipeline, collect the data and store it as we want it., who is the consumer in ONAP framework, we will have to select one of three formats discussed during the last session. - 26/8 with Jess
- Sonatype will provide CycloneDX in next release
- Sonatype License allows creation of SBOM
- Confirm if LF license include CycloneDX capabilities
- Generate file and make available via gerrit/github
| ongoing | Workflow for the pilot to be prepared by Muddasar.
|
| Seccom criteria for the integration tests to pass a release | Current status: - Current level of 60%
- Achieve 100% levelwith TERN treated as informative
- Follow exception process if relevant
Java/Python version status (8/30) - Adoption of Java 11 and Python 3 is good
- Java: 70/79 containers are Java 11 only (89%)
- Python: 38/46 container are Python 3 only (83%)
- Adoption of recommended version via the Integration team base images not good
- Number of Java 11 versions: 7
- Recommended Java version 11.0.11 usage: 4/79 containers (5%)
- Number of Python 3 versions: 14
- Recommended Python version 3.9.5 usage: 0/46 containers (0%)
- Acceptable Python version 3.8.10+ usage: 11/46 containers (24%)
- Recommendation: Project teams evaluate Java/Python recommended versions at M2
- Next steps: Present recommendation to PTL, Architecture, and TSC
- Mudassar will present CycloneDX findings at 7 Sept meeting
| ongoing |
|
| Security Risk Assessment and Acceptance – revisit Brian’s statement | To be discussed next week. |
|
|
| CII Badging update - Tony | Progress in the applications. Review results at 31 August meeting | ongoing |
|
| Dependency confusion attacks vs. ONAP SW build process | No updates on the Wiki... Bob will work this week and trying to check filtering rules with Jess for this type of threat. | ongoing | Bob to contact Jess. |
| Logging requirement - update from Friday's meeting | Long Format overview by Robert Heinemann - Overview of the updated log event and metadata requirements
- Details here
- Log level, log verbosity, event severity
- Leveraging VNF security requirements, deprecated Logging project requirements, AT&T doc “ONAP Logging Guidelines”
- Wrap up the event work in September to get requirements into the Jakarta release (Best Practice)
- No meeting on 3/9, next meeting 10/9
| ongoing | Meetings held Friday at 4PM CET OOM feedback to be collected on K8s and Docker coexistance.. Byung to send an e-mail to Krzysztof and Sylvain. |
| Logs consumption | Context delivery for the logs by tagging. Currently we are focusing on logs generation and collection but later will will have to cover processing. APIs availability to bring the data back in to make an action. Lot o data collected in DCAE, decision can be taken outside of ONAP system. | ongoing |
Maggie could provide some inputs. |
| LFN Security Group – focus, outcomes, contributions | Kick-off meeting scheduled on 18th of August. - ONAP story and security requirements for normalization
- HTTPs enablement on interfaces (service to service) but sidecar to service container is http based. (reference: ONAP Next Generation Security & Logging Architecture)
- Encrypted protocols
- Events logged by ONAP itself, so security health of ONAP could be monitored by operator
- Robert Heinemann will contribute the ONAP vulnerability management process
| ongoing | Default setting for software configuration to be reviewed i.e. TCP window x, autonegotiate network parameters by default. |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF SEPTEMBER'21. | M3 update Software BOMs Logging requirements Security Risk Assessment and Acceptance – revisit Brian’s statement Dependency confusion attacks vs. ONAP SW build process |
|
|