...
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | CVE-2021-44228 | Issue impacting specific versions of log4j-core. ONAP projects still using version 1 might not be affected (it depends on configuration), but version 1 has not been supported for a long time (since 2012). We recommend an immediate upgrade to the latest log4j-core version, 2.16, in both the Istanbul maintenance release and in Jakarta. Open question: how does the vulnerability notice reach the end user? | ongoing | For tracking purposes, dedicated Jira tickets to be opened per project and per release (both releases). |
| | DMaaP upgrades | log4j-core to be upgraded; for other components there are transitive dependencies. Comments to be provided in the restricted Wiki. | ongoing | Maybe worth opening a ticket with Sonatype on the dependency issues. AJSC dependencies: Amy will check with the AT&T maintainer. |
| | Trivy scans | Issue with containerd: not possible to get information on CVEs; compatible only with dockerd and Podman. ThreadFix removes duplicate findings coming from different sources. | ongoing | Brian to share info on their JFrog setup for image scanning. |
| | Jakarta proposed versions update | https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions CentOS images used: https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-12/06_03-20/infrastructure-healthcheck/k8s/kubernetes-status/versions.html | ongoing | CentOS issue to be raised at the upcoming PTLs call. |
| | SCA analysis | Jira tickets created for each project. | ongoing | Ticket to be submitted via LF IT to Sonatype; issue with API documentation. |
| | PTL meeting update | | done | Next week: meeting with Thomas on the unmaintained-projects presentation for DDF. |
| | TSC meeting update | Request on supporting the unmaintained-projects topic. VVP and VNFSDK: no nominations for PTL. Issue with the use case slicing. Modelling has a PTL and co-PTL. M1 approved; 27th January for M2. | done | |
| | SBOMs | Which repos/projects to take into account? Start with a pilot (1 or 2 projects); info e-mail to be sent to PTLs. Work required: review whether the generated artifacts are accurate. | ongoing | Info e-mail to be sent to PTLs. |
| | SECCOM presentations for incoming DDF (January). | | ongoing | |
| | Jakarta proposed versions update | | ongoing | CentOS version and its usage by the ONAP community to be elaborated with Fabian. Column to be added on what applies to the container runtime and what applies to the node. |
| | Jakarta basic images | Michal is working on both Java and Python. | ongoing | Recommended versions to be shared with Amy. |
| | SCA analysis | Ongoing: direct dependencies transferred to Excel. Failing Jenkins jobs for AAI. Jira tickets created per project. | ongoing | |
| | PTL meeting update | | ongoing | |
| | TSC meeting update | SECCOM requirements were approved by TSC. | done | |
| | Meeting yesterday on unmaintained projects/repos | We need an audit on project dependencies: current projects (and repos) that are unmaintained. | ongoing | David to lead this audit and bring it to TSC. |
| | Quality gates for code quality improvements | PTLs: Jess to be contacted. Amy to send an e-mail to Vijay. Muddasar to prepare info on what is needed on the PTLs' side to review artifacts. | | |
| | Quality gates | 3 levels under consideration: bronze, silver and gold. Basic level could be reaching 55% of code coverage (https://docs.sonarqube.org/latest/user-guide/metric-definitions/). Existing tables describe project maturity as self-reported, while we are taking a measured approach. | started | To review levels from SonarQube and the tables for project maturity. SECCOM ongoing. |
| | SECCOM presentations for incoming DDF (January). | SECCOM topics and overall agenda proposal: interproject proposals. | ongoing | |
| | SECCOM MEETING CALL WILL BE HELD ON 21st OF DECEMBER'21. | Quality gates for code quality improvements: continuation of the discussion. SBOM next steps: which repos/projects to take into account? | | |
...
Attached file.

SECCOM presentation: attached file.