...
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
TSC update | Security improvements in ONAP recognized by LFN Governance Board. Big thanks and kudos to SECCOM team, PTLs and all contributors! Over 7000 vulns fixed! https://security.lfx.linuxfoundation.org/#/ Majority (over 99%) discovered with NEXUS-IQ scans, none? raised by end user. Documented process: ONAP Vulnerability Management | |||
Process for Security review question for the period of last 5 years | Scope to be proposed by Tony and Muddasar (with wider E2E coverage). NIST proposal that needs to be reviewed: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final | started | Next discussion in 2 weeks time frame. Pawel to recheck with Catherine for her feedback. | |
https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423 | Log4j upgrade | Target version 2.17.1: https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1 Following tickets opened:
| ongoing | To check with Jess statuses of the tickets that were recently closed. CLM scans per each project to be done by 4th of February. |
Update of https://lists.onap.org/g/onap-security/members - updated list | List of the participants was updated with Maggie. Krzysztof was removed. | done | ||
SBOM creation | Jess created a ticket whichis in progress but now occupied with Nexus3 issue. | ongoing | ||
Security logging next steps | Bob presented phased approch for security logging which was consulted with SECCOM team. | ongoing | Meeting on Friday at 3 PM UTC to be organized by Amy to have a working group session with Fiachra, Toine, Sylvain. | |
ONAP quality gates | Quality asessment mainly for the submitted code (=delta)
| no update | Waiting for a feedback from Seshu. | |
SECCOM MEETING CALL WILL BE HELD ON 8th OF FEBRUARY'22. | Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - status update with DCAE. |
...