Content Comparison

...

Workflow for the pilot to be prepared by Muddasar.

Current status:

Current level of 60%

Achieve 100% levelwith TERN treated as informative

Follow exception process if relevant

Java/Python version status (8/30)

Adoption of Java 11 and Python 3 is good
- Java: 70/79 containers are Java 11 only (89%)
- Python: 38/46 container are Python 3 only (83%)
Adoption of recommended version via the Integration team base images not good
- Number of Java 11 versions: 7
- Recommended Java version 11.0.11 usage: 4/79 containers (5%)
- Number of Python 3 versions: 14
- Recommended Python version 3.9.5 usage: 0/46 containers (0%)
- Acceptable Python version 3.8.10+ usage: 11/46 containers (24%)
Recommendation: Project teams evaluate Java/Python recommended versions at M2
Next steps: Present recommendation to PTL, Architecture, and TSC
Mudassar will present CycloneDX findings at 7 Sept meeting

Maggie could provide some inputs.

Jira No	Summary	Description	Status	Solution	Last TSC meeting	M3: delayed one week until 2 September Jenkins availability problems prior to 8/24 Goal was 85% of epics closed for projects – 80% closed on 8/24 M4: remains 16 September REQ-760: IPv4/IPv6 Dual Stack - Global Requirement (all code) Chaker will do an architecture review and get alignment among Damian, Timo, Chaker, et al Use of integration team base images Java/Python version tests show use of the integration team base images is low Integration team base image will be proposed a Best Practice for Jakarta TSC voted to approve the OOM GitLab POC using CLA validation demonstrated by Krzysztof O until EasyCLA supports GitLab LFNGB special meeting on 8/25 Reviewed LFN priorities for 2021-2022 ONESummit (11-12 October) - virtual only	ongoing	Last PTLs meeting	Finally executed, but SECCOM message remains: -Confirmed that vnfsdk-ves-agent is not used	ongoing	to close tickets for projects not participating in Istanbul release - done.	Software BOMs, Hardware BOMs - Muddasar
We follow PoC idea - first we take a look at the CI/CD pipeline, collect the data and store it as we want it., who is the consumer in ONAP framework, we will have to select one of three formats discussed during the last session. 26/8 with Jess Sonatype will provide CycloneDX in next release Sonatype License allows creation of SBOM Confirm if LF license include CycloneDX capabilities Generate file and make available via gerrit/github	ongoing	Seccom criteria for the integration tests to pass a release	ongoing	Security Risk Assessment and Acceptance – revisit Brian’s statement	To be discussed next week.	CII Badging update - Tony	Progress in the applications. Review results at 31 August meeting	REQ-801 REQ-800 REQ-863 REQ-443	M3 update	Java upgrades - good progress. Python good progress as well. Packages upgrades - very good progress - 16 tickets closed already - vulnerabilities removed: 679/776 (based on tickets). Still some pprojects that did some upgrades but no update on the restricted Wiki. New Sonatype function to filter direct vs. transitive dependencies. Weak cryptography and injection items - excellent progress. There are still few there open (projects no longer maintained - e.g. Portal). For Jakarta, few other items that SonarCloud highlights - Jira tickets to be written for those (blocking and critical).	ongoing	To be checked if we have waivers for all remaining ticktets. PTLs meeting shall address the gaps on the restricted Wiki. Projects with open status on their Jira tickets to be elaborated. Will Portal be excluded from ONAP future releases? - Byung to investigate.
	Software BOMs	Documentation review - nexus account manager contacted. It is part of Nexus product lifecycle licence (cyclone DX format). APIs for info extraction to be checked. Access to Nexus-IQ server - what group shall be used for that - REST API calls are possible now - will be used for SW BOMs.	ongoing
	Logging requirements	Almost 50% of the metadata fields defined - good progress. In some of the GitHub repos md (markdown) files with good description for logging - SO is a good example.	ongoing
	Dependency confusion attacks vs. ONAP SW build process	No updates on the Wiki... Bob will work this week and trying to check filtering rules with Jess for this type of threat.	ongoing	Bob to contact Jess.	Logging requirement - update from Friday's meeting	Long Format overview by Robert Heinemann Overview of the updated log event and metadata requirements Details here Log level, log verbosity, event severity Leveraging VNF security requirements, deprecated Logging project requirements, AT&T doc “ONAP Logging Guidelines” Wrap up the event work in September to get requirements into the Jakarta release (Best Practice) No meeting on 3/9, next meeting 10/9	ongoing	Meetings held Friday at 4PM CET OOM feedback to be collected on K8s and Docker coexistance.. Byung to send an e-mail to Krzysztof and Sylvain.	Logs consumption	Context delivery for the logs by tagging. Currently we are focusing on logs generation and collection but later will will have to cover processing. APIs availability to bring the data back in to make an action. Lot o data collected in DCAE, decision can be taken outside of ONAP system.	ongoing	LFN Security Group – focus, outcomes, contributions	Kick-off meeting scheduled on 18th of August. ONAP story and security requirements for normalization HTTPs enablement on interfaces (service to service) but sidecar to service container is http based. (reference: ONAP Next Generation Security & Logging Architecture) Encrypted protocols Events logged by ONAP itself, so security health of ONAP could be monitored by operator Robert Heinemann will contribute the ONAP vulnerability management process	ongoing	Default setting for software configuration to be reviewed i.e. TCP window x, autonegotiate network parameters by default.Bob had exchanges with Jess on filtering rules and dependencies management software.	on hold	To be further elaborated with Samuli.
	Security Risk Assessment and Acceptance	Excel table that was initially prepared 3 years ago to be shared and reviewed at the next SECCOM, frameworks to be reviewed as well (MIST and ISO).	ongoing
	Feature request template	Alla leading ONAP Requirements Subcommittee to be contacted to provide details.	ongoing	Muddasar to be introduced to Alla by Pawel.
	Last TSC meeting	TSC Voted to approve M3, 90% issues closed due to good progres 16th of September for M4 gating Jakarta relese and timeline discussed Michal Jagiello – new PTL for integration	ongoing
	Code quality update	Status to be checked, there were some exchanges with Thierry and Jess.	ongoing	Slide to be presented to next PTLs meeting.
	Last PTLs meeting	Meeting was cancelled (Labor day in US)	ongoing	slot to be booked for the next PTLs meeting.
	CADI and AAF replacement	DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee.	ongoing	Byung to present update for the next SECCOM
	OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF SEPTEMBER'21.	M3 update - waivers review Software BOMs Logging requirements update Security Risk Assessment and Acceptance – revisit Brian’s statementreview frameworks and old excel file Dependency confusion attacks vs. ONAP SW build process - synch with Samuli Code quality update CADI and AAF replacement

Recording:

View file

name	2021-09-07_SECCOM_week.mp4
height	150

SECCOM presentation:

View file

name	2021-09-07 ONAP Security Meeting - AgendaAndMinutes_v2.pptx
height	150

Version	Old Version 3	New Version 4
Changes made by	Paweł Pawlak	Paweł Pawlak
Saved on	Sept 07, 2021	Sept 07, 2021

Versions Compared

Key