Jira No | Summary | Description | Status | Solution

TSC meeting (8th December)

  • ONAP consumers requested to provide their feedback
  • TSC approved the creation of the Portal NG as a new ONAP project
  • Committers from DCAE, AAI and OOF were asked by David to fulfill Release Management tasks while there is no PTL in the project.
  • TSC approved removal of OOM helm charts for appc and vid
  • Vijay was asked to provide his feedback

PTL meeting (5th December)

  • CPS as next project for ONAP security review questionnaire

Weekly scanning report

Weekly scans re-enabled with Michal’s support:

https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2022-11/28_09-30/

With the latest weekly scans it was noticed that strimzi-zk-entrance is indicated as having some old Java. Fiachra responded.
SCA - Automated NEXUS-IQ scans and recommendations for packages upgrades for London release 

AAI – 2 items missing proposed release

  • Groovy – 3.0.7
  • Spring-boot – 2.5.14
Amy to check with the team.

Unmaintained projects

LFX Insights v2: get rid of old repos; it does not make sense to run jobs for repos that are not going to be fixed.

PTLs to be asked to remove Jenkins jobs that are not needed anymore.

ONAP security review questionnaire

Review provided by Muddasar and Amy – Thank you!

Some details in a few responses are missing. Some questions could be expanded into multiple questions (Assurance related).

ongoing

Muddasar to provide proposals for question improvements.

Amy to share the link with ONAP SECCOM security requirements - done: ONAP Security Requirements

Vijay to be asked which SNMP version is used in DCAE.

Fiachra's response regarding strimzi-zk-entrance:

  • This container is required by dmaap message router to connect directly to the strimzi zk for storing some metadata.
  • Strimzi locks its zk cluster by default and this was advised as a "hack/temporary" solution for MR.
  • https://github.com/scholzj/zoo-entrance
  • I do see that the base image was updated recently though so not sure where the old java version is coming from.
  • AP: to identify where it is getting picked up from
ongoing

E-mail with feedback was shared with Fiachra

Security issues raised by External researchers

  • IT-24999 Security Issue - Sensitive information leakage
  • IT-25000 vulnerability detected (DMARC RECORD MISSING)

ongoing

Details to be reviewed by Pawel and Amy on January 13th.

Unmaintained projects 

Repos without a merge for the last year were identified; the list is to be reviewed at the next PTL meeting on Jan 23rd. Merges by Thomas and Cedric are to be excluded.

ongoing

TSC meeting (5th January)

  • Synch on January 11th with OSC (Martin Skorupski)
  • New idea of special squad team to deal with projects without PTLs
  • Updated London release schedule



PTL meeting (9th January)

Check with Fiachra on strimzi container




Logging security discussion (starting from 17:15)

Justin Garrard (jagarra@uwe.nsa.gov) gave an application logging presentation and demo.


started

SECCOM MEETING CALL WILL BE HELD ON January 17th 2023. 






2023-01-10_SECCOM_week.mp4


SECCOM presentation:

2023-01-10 ONAP Security Meeting - AgendaAndMinutes.pptx