Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

  • Update on requirement for projects to update out of date direct dependencies. (REQ-263)

Description and examples of the CLAMP script

Feedback from the PTLs\ meeting was to not run the script because the Jira tickets would create addtional work. They would prefer to track progress using gerrit reviews.

SECCOM:

  • jenkins runs unit tests for major and minor versions.
  • junit tests may not catch all impacts of upgraded packages. Results may be repo dependent
  • it may be possibly to leverage the oparent

Actions: put ideas on onap-discuss and set up a separate meeting if there is enough interest

On Hold

Remediating Known Vulnerabilities in Third Party Packages


Automated K8S tests enabled for Frankfurt

Feedback from PTLs

Propose enabling

Present to TSCDocker and Kubernetes Security

Secrets encryption

Krzysztof has a draft wiki page documenting the approach for ONAP secrets management and would like feedback

Questions for Krzysztof:

  • Are secrets stored as clear text or base 64.
  • Which projects have had the clear text secrets removed.
  • How is the master password protected


In ProgressONAP secret management

SECCOM chair and vice chair electionsConfirm that the correct voting member for your company is on the Security Sub-committee Members list


Java and the new model of licensing for Oracle JDK versus Open JDK – Natacha

Oracle JDK which is commercial - benefits updates

Open JDK - like open source so free of charge but support for java 11 but not earlier versions.

2/11 update

Docker images for both the Debian and Alpine releases of the Java 11 JDK will be available for all projects

Docker images for both the Debian and Alpine releases of the Java 11 JDK will be available for all projects

TSC wants to know which distribution of the OpenJDK is used – Integration team/OOM to be contacted - discussion planned for next status meeting on Wednesday. SECCOM cares Java 11 and not particular distribution - we appreciate common image from governance perspective and harmonization - coordination on release manager side.

Next steps:

E-mail to be sent to Morgan with Pawel B. in copy to confirm if image is already created.

2/11: Confirm documentation and location of Debian and Alpine images

Secrets managementAgreement achieved last week (Krzysztof and Samuli)Written description is needed on the Wiki.Once we have a written recommendation, it would be reviewed at the next SECCOM meeting and further presented at the TSC for an prroval - once gained it would become best practice.Script for automatic jira ticket generation of direct dependencies to be upgraded was successfully tested with CLAMP by Julien and Pierre.

2 scripts were created in Python

  • script 1: uses maven and creates json of direct dependencies to be upgraded
  • script 2: takes json generated by script 1 and creates Jira tickets for each package to be upgraded
Scripts were reviewed as well as CLAMP. No specific feedback from SECCOM received from demo till today. 

Nexts steps: 

  • Wiki with script description to be created
  • Before creating a ticket script could check if it does not exist.
  • Scripts available under Julien's github: https://github.com/JulienBe/onap-dep
  • Present solution to PTLs and get feedback on how to integrate the scripts into the ONAP development cycle to generate the project jiras for package upgrades

New xtesting security docker has been integrated end of last week.Meeting on Wednesday with OOM and Integration.Update next week.Frankfurt M2/M3 scorecard SECCOM requirements update

Items reviewed:

  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-207
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-215
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-219
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-223
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-227
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-231
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-235
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-239
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-243
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-247
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-251
  • Jira Legacy
    serverSystem Jira
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyREQ-263
Status
colourYellow
titleYELLOW

Status
colourRed
titleRED

StatuscolourYellowtitleYELLOW

Status
colourRed
titleRED

StatuscolourYellow StatuscolourGreen StatuscolourYellow StatuscolourGreen

Status
colourGreen
titleGREEN

StatuscolourRedtitleRED StatuscolourGreen

Status
colourRed
titleRED

OJSI status update - projects to be reasked - if no feedback - slot to be assigned on the next PTL call

CII Badging - Jira tickets to be isued with script usage. Some answers from hardening questions.

ONES NA CFP

SECCOM presentations submitted:

  • ODL and ONAP (Pawel & Luis)
  • Password generation with ONAP (Krzysztof)
  • Cloudnative deployment of ONAP with ingress controller (Krzysztof)
  • Kubernetes and security aspects (Samuli & Amy)

To be further discussed the scope of SECCOM F2F in LA:

ONAP security requirements and allignment with VNF security requirements

VNF security requirements

CMPv2 update

Buiding containers in an unified way for ONAP

Upcoming F2F meetings

Decide which meeting(s) SECCOM wants to focus on

Start collecting topics for the meeting(s)

In Progress

 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 11TH 18TH OF FEBRUARY'20



View file
name2020-02-04_SECCOM_week_01_28_zoom_0.mp4
height150

View file
name2020-02-04 11 ONAP Security Meeting - AgendaAndMinutesAgenda.pptx
height150