Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

CVE-2021-44228

Issue impacting specific versions of log4j-core. ONAP projects still using version 1 that might not be (depends on configuration) but it is not supported for a long time (since 2012).

We recommend immediate upgrade to latest log4j-core version: 2.16 in both Istanbul maintenance release and in Jakarta. 

How vulnerability message reaches end user?

ongoingFor tracking purpose dedicated Jira tickets to be opened per project and per both releases.

DMaaP upgradesLogj-core  to be upgraded but for others there are transitive dependencies. Comments to be provided in the sestricted Wiki.ongoing

Maybe worth to open a ticket to Sonatype with dependecies issues. 

AJSC dependencies - Amy will check with AT&T maintainer.


Trivi scans

Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman.

Threadfix removes duplication of findings from different sources.

ongoingBrian to share info on their Jfrog  for Image scanning.

Jakarta proposed versions update

https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

  • CentOS version – verify AS-IS state to define TO-BE state, if version 8 used - > 8 stream proposed.
  • Additional environmental components - updated

Centos images used: https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-12/06_03-20/infrastructure-healthcheck/k8s/kubernetes-status/versions.html

ongoingCentos issue to be raised at the upcoming PTLs call.

SCA analysisJira tickets created for each project.ongoingTicket to be submitted via LF IT to Sonatype - issue with API documentation.

PTL meeting update
  • SECCOM GRs and BPs reminder
  • Info on CVE-2021-44228
  • architecture review with Chaker
  • unmaintaned meeting 
doneNext week meeting with Thomas for unmaintained presentation for DDF

TSC meeting update

Request on supporting unmaintned topic 

VVP and VNFSDK no nominations for PTL

Issue with use case slicing

Modelling has PTL and co-PTL.

M1 approved

27th January for M2

done

SBOMs

Which repos/projects to take into account?

Start with pilot (1 or 2 projects) – info e-mail to be sent to PTLs

  • DCAE (Vijay)
  • CPS (Toine)

Work required: review of the artifacts generated if it is accurate.

ongoing

info e-mail to be sent to

PTLs 
SECCOM presentations for incoming DDF (January).ongoingJakarta proposed versions update: 

https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

  • for CentoS there is a discrepency between SECCOM proposal and version submitted by Morgan, 
  • SBOMS would help
  • Elasticsearch - probably we are not going to use it? If not, we will remove it from the list.
  • Filebeat (based on Go) in the context of java and python versions - filebeat uses an optional python script for data migration
ongoing

CentOS versionits usage by ONAP community to be elaborated with Fabian.

Column to be added on what applies to container run time and what applies to node

Jakarta basic images

Michal is working for both Java and PythonongoingRecommended versions to be shared with Amy.SCA analysis

Ongoing - direct dependencies transferred to excel.

Failing Jenkins jobs for AAI.

Jira tickets created per project.

ongoingPTL meeting update
  • Reminder about SECCOM requirements (slide 11) for Jakarta release :
    • Requirements were created accordingly in Jira,
    • REQ-1070 LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – description to be elaborated - done
  • Jakarta M1 date change – December 9th
ongoing

TSC meeting update

SECCOM requirements were approved by TSC.

done

Meeting yesterday on unmaintained projects/repos

We need an audit on project dependencies – current projects that are unmaintained (and repos).

ongoingDavid to lead this audit and bring it to TSC.Quality gates for code quality improvements 

PTLs.

Jess to be contacted.

Amy to send an e-mail to Vijay. 

Muddasar to prepare info on what is needed on PTLs side to review artifacts.


Quality gates

3 levels under consideration: bronze, silver and gold. Basic level could be reacjing 55% of code coverage.

https://docs.sonarqube.org/latest/user-guide/metric-definitions/

Tables about project maturity (self reported) while we are doing measured approach.

startedTo review levels from sonarqube and tables for project maturity. SECCOM ongoing

SECCOM presentations for incoming DDF (January).

SECCOM topics and overall agenda proposal:

Interproject proposals:

      • SBOMs ONAP story – Muddasar/Pawel Topic
      • Monday, 10th of January, 2:30 UTC
ongoing



SECCOM MEETING CALL WILL BE HELD ON 21st OF DECEMBER'21. 

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?



...

View file
name2021-12-14_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2021-12-14 ONAP Security Meeting - AgendaAndMinutes.pptx
height150