Page Comparison

Amy presented updated status. link

2 processes to follow:

• PTL exists and there is normal code maintenance
• Projects without PTL require TSC decision as not in normal code lifecycle, so not handled with regular jira tickets.

During architecture review Archicom can update components statuses.

Architecure review template could be updated.

As Tony is on PTO, we move this topic to the next week agenda.

PTL meeting (March 6th)

Continuation of Release Management tasks review.

Unmaintained process review.

Attendence was lite ;-(

TSC meeting (March 2nd)

Teaser on Unmaintained progress

(Info from Anil)

-SBOM signing needs to be enabled for an ONAP $project specifically through JJB, since it's disabled by default at the template level [1.].

-If you want to enable this for a specific ONAP project, that can be done in [2.] or setting  a default value as `true` at a global level for the ci-management repository.

-[1.] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml

-[2.] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml

-The signing of SBOM happens towards the end of the stage/release job which is signed by sigul (key signing service set up specifically for ONAP with each LFN project having unique keys that are not common across all of LFN).

IT-24999 Security Issue - Sensitive information leakage – Fiachra responded (Anuja was informed):

„As we have move sdc away from message router the apikey mentioned is no longer used. There may be some redundant calls to message router from SDC but there is no risk in terms of security.”

Work in Progress – Fiachra and Tony were contected.

Reprioritization of resources and no further support for now.

2 issues remaining (Wiki to be created):

• Java nad Python implementattions – Java containers use software framework easily accessible , not the case for Python containers.
• Getting environment together to do isolated testing.

We reviewed updated responses from CPS team and provided some comments.

• Security requirements were added by CPS team
• Architecture diagram is pretty old and should be updated. Reference link: London-R12 Architecture Diagram

• Please elaborate this statement: "Usernames and passwords are configurable by the clients via configuring the application .yml file".

  Expectation: passwords are not in yml file. The yml should point to user store (e.g. LDAP or K8s secrets). 

• Please add these statements to a new Security Assurance section just after: Configuration Persistence Service Project#CPSSECURITYREQUIREMENTS. 

  Also add statements that indicate how you protect your username and password configurations. (See other questions on hashing of secrets, use of crypto and permissions on files.)

https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2023-02/25_04-42/

Unlimited pods refers to unlimited resources, comes from CIS benchmark and concerns consuming lots of resources.

-CI/CD pipeline aspects - infrastructure ans security test cases to be further elaborated.

PTL meeting (March 13th)

Unmaintained process review by Amy

TSC meeting (March 9th)

DT ONAP Takeaways by Andreas

Requirements Subcommittee merged with Architecture Subcommittee

SECCOM MEETING CALL WILL BE HELD ON 28th March 2023. 

• CPS Security updated questionnaire review by SECCOM.