Page Comparison

Presentation provided by Brianna and Bert. Great job (150 hours → 2 hours)! Safes a lot of manual work for us.

Enhancements for the future:

• flag for failing CLM scanning jenkins job (older than 1 week)
• CVE list with threat levels ratio
• remove _xD000_ for CVE's names
• log4j-core recommended version to be updated into 2.17.1 
• usage of Wiki reference with recommended versions as single source of true as dynamic
• configure other jobs option - non master that would be usefull for Maintenance Release analysis
• additional tab with unstructured data

import excel into confluence:

https://community.atlassian.com/t5/Confluence-articles/How-to-import-an-excel-file-into-Confluence-using-Elements/ba-p/1672151

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

• SECCOM topics proposal:

  • SECCOM retrospectives:
    • Log4j fix implementation in Istanbul Maintenance Release
    • Jakarta security status update
  • Kohnsecuritygoals:
    • Global Requirements and Best Practices
    • Security PoCs:
    • logging req
    • code quality quality
    • service mesh
  • SBOM enablement and maintenance, and packaging
  • Waiver policy update
  • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.
  • On the road to gold badge - Tony and Toine
  others?
  • Operator perspective on ONAP security
  -
  • – Amy
  ?
  • , Andreas?
  ,
  • Brian? Fabian?
  • Security principles in the implementation – Tony, Maggie

Topic Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration.

Bug in SBOM software - ticket was opened to LFN IT by Vijay.

Majority of the fields implemented in CPS. 2 topics to be addressed:

• ordering if the fields
• format of how would be outputed

Fabian to check if could contribute on how qualify software to be deployed, what duediligence was performed. 

• ONAP unmaintained and deprecated functions – Amy – presentation of updated version at PTL yesterday
• RACI matrix by Muddasar – waitig for a feedback from PTLs and Chaker
• Update on failing security tests below:
• Synch with OOM:
  • Security dashboard: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-04/
  05
  • 18_
  09
  • 06-
  02
  • 28/ and
  • Versions reporting: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-
  02
  • 04/
  25
  • 18_
  20
  • 00-
  26/security/versions/versions.html to be
  • 27/ latest run by Michal for the weekend
  • Failing security tests:
  • fix nonssl_endpoints in Jakarta release:

1.SDC-3954 - open

2.SDNC-1692 -

done

3.OOM-2957

– open – reassigned to Fiachra

• • fix root_pods in Jakarta release:

1.OOM-2958 – open -

reassigned to Fiachra

2.INT-2104

Michał to run additional run to get status update.

– in progress

• https://gerrit.onap.org/r/c/ci-management/+/128405

-Jess is trying to validate the procedure

Dedicated meeting to be scheduled – 2 tickets created at LFN IT:

• IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP
• IT-23829 Hardening LFN hosted ONAP project web sites – goodprogress
  • Gerrit has now been updated to receive and A grade on securityheaders.com (thanks to this change we will be getting this on all of the Gerrit we operate as the systems pick up their updates).
  • We are still working on getting the headers fixed for the nexus systems (getting a C) as well as the wiki and jira systems (getting an A but could be stronger).

https://lfnetworking.org/wp-content/uploads/sites/7/2022/04/LFN-Security-Whitepaper-v4.pdf?utm_campaign=LFN%20Newsletter&utm_medium=email&_hsmi=210819121&_hsenc=p2ANqtz-8l0-nc3Y9V0NGaQ63h3EBkuxAT5KxkeHGJJ_bM7pbtql_aQEOQvjeTpEsJrDmEQCzJ2c2Ar7yeIU45g9PD0JX30oKCkQ&utm_content=210819121&utm_source=hs_email

Link to recording and slide deck: 

https://wiki.lfnetworking.org/display/LN/LFN+Security+Forum

review for the near future – are our pipeline or processes optimal?

-[REQ-437 -> REQ-800] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)

-[REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)

-[REQ-439 -> REQ-863] -> REQ-1066  -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES

-[REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL

SECCOM MEETING CALL WILL BE HELD ON 3rd OF MAY'22.