Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 18th of January 2022.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
n/a | Issue with ONAP zoom13 | The waiting room seems not to be disabled; we had to use Pawel's Zoom instead. | started | Kenny to be contacted to help in solving the issue. |
https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423 | Log4j upgrade | Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832. Muddasar shared https://github.com/lfscanning by Gary O'Neall (lfScanningAgent) <garylegal@sourceauditor.com>. Following the exchanges with Jess under the LFN IT ticket, each PTL needs to create new branches for the Istanbul maintenance release and then configure JJB with Nexus-IQ scans for them. | ongoing | For tracking purposes, dedicated Jira tickets are to be opened per project and for both releases. David to be contacted to coordinate building the Istanbul maintenance branches. |
n/a | Update of https://lists.onap.org/g/onap-security/members (updated list) | The list of participants was reviewed and updated in line with contributions. | done | Added people to this distribution list. |
n/a | SECCOM presentations for DTF (January) | Thank you SECCOM team for the great presentations and all the exchanges during the event! | done | |
n/a | Sonarcloud API documentation | As discussed, SonarCloud has changed their API and the available documentation is insufficient. A ticket needs to be opened to Jess to help in the exchanges with SonarCloud and obtain better API documentation. | done | Ticket to LFN IT was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426 |
n/a | Update recommendations for log4j to 2.17 | Post log4j info on the ONAP security wiki. Related items: Log4j Istanbul maintenance release; Steve Winslow left LFN. | | New wiki page created for the recommended log4j upgrade: Log4j upgrade recommendation. |
n/a | Kubescape and Trivy scans | https://hub.armo.cloud/docs/c-0009 : the limitation is on the pod and not on the cron job. Issue with containerD: not possible to get information on CVEs; compatibility only with DockerD and Postman. Fabian opened a ticket with Trivy. Threadfix removes duplicated findings coming from different sources. | | Fabian will have a meeting with Kubescape. Brian to share info on their JFrog for image scanning. |
n/a | SECCOM topics and overall agenda proposal | Calendar: https://teamup.com/ksgw6qzqcmg9zbzsfq?view=MD&date=2022-1-10&calendars=8227292,8227785,8227782,8310707,8310614. Sessions: ONAP Security: Jakarta Global Requirements and Best Practices (Tuesday, 11th of January, 4:30 UTC); Unmaintained code handling and its impact on documentation (SECCOM + Documentation), main session stream, Amy/Pawel/Thomas/Eric (Wednesday, 12th of January, 2:30 UTC); Code quality demo, main session stream, Fabian/Pawel/Kevin/Toine (Tuesday, 11th of January, 3:30 UTC). Interproject proposals: SBOMs ONAP story, Muddasar/Pawel (Monday, 10th of January, 2:30 UTC). | | |
n/a | ONAP quality gates | Quality assessment mainly for the submitted code (=delta). | ongoing | |

SECCOM MEETING CALL WILL BE HELD ON 25th OF JANUARY '22. Topics: quality gates for code quality improvements (continuation of the discussion); SBOM next steps (which repos/projects to take into account?).