
Jira No | Summary | Description | Status | Solution

Summary: SECCOM elections – call for candidates!

Description: E-mail with call for candidates was sent to SECCOM distribution list. Candidates submitted.

Finally candidates approved by TSC:

  • Amy Zwarico for SECCOM Vice Chair
  • Pawel Pawlak for SECCOM Chair

Elections later this week.

Status: ongoing

Solution: E-mail to be sent to Kenny with request to initiate elections this week.

Summary: ONAP discussion on Global Requirements vs. Best Practices in Honolulu release

Description: Amy's presentation provided at the last PTL's call:

Proposal for global requirements for Honolulu release.

Formal approval from PTLs would require process elaboration.

SECCOM requirements are known by the community for a long time.

Global requirement has to be fixed within a particular release. As long as a project does not meet a global requirement that was not met in the past, it will not be allowed to provide a new container.

Security framework is crucial for the ONAP success in operator environment.

Quality of the code is also crucial. Process of code delivery requires review and change. Insufficient code coverage should not allow for +1 for a code acceptance.

Maintenance project should be called end of support mode.

Status: ongoing

Summary: SCA: Whitesource vs. Nexus-IQ

Description: The best would be to run both tools for one release to compare results.

Projects fix direct dependencies.

Status: ongoing

Solution: To gain resources, deprecated repos should be excluded.

Summary: Sonarcloud capabilities to be further investigated

Status: completed

Summary: New ONAP project intro to SECCOM

Description: Toine Siebelink, newly elected PTL - Configuration & Persistency Service R7

Action point from last PTL meeting - Determine what can be achieved regarding the approved best practices for the Honolulu release.

SECCOM runs (among other things):

  • Software Composition Analysis with Nexus-IQ for vulnerabilities and recommended upgrades for direct dependencies.
  • CII Badging (passing, silver and gold levels) - self-reported. Majority of projects are at passing level.
  • SonarCloud scans - used for an automated code coverage (80-90% of code). Use of various cryptography under exploration.
  • Securing communication (https protocol) - tested at build time
  • Removing secrets
  • Not running as root

Jenkins jobs for CPS need to be revised (last time scan failed) - ticket to be opened to LFN for that.

Access to Nexus-IQ reports for Toine - ticket to be opened to LFN for that.

Under SonarCloud nearly 50% achieved so far by CPS.

Access to security vulnerability space Wiki to be organized for Toine - ticket to be opened to LFN for that.

Status: ongoing

Solution: Links for Toine:

https://jenkins.onap.org/view/CLM/job/cps-maven-clm-master/

/wiki/spaces/SV/overview


Summary: Last PTL meeting outputs

Description: Feedback from the PTLs about the SECCOM plan on proposing that Python 2 -> 3 and Java 8 -> 11 become Honolulu Global requirements

Guilin Java upgrade results: onap-guilin-java-versions.xlsx

Guilin Python upgrade results: onap-guilin-python-versions.xlsx

Exception process is needed, PostgreSQL mentioned by Vijay. List of impacted projects requested by Seshu.

Status: ongoing

Solution: Next step is to book the slot at the TSC (already done by Amy) to request TSC for an approval for those 2 reqs to be Honolulu Global requirements.

Summary: Next ONAP events

Status: ongoing

Solution: Please think about topics we could propose -> to be discussed next week.

Summary: Exception process

Description: SECCOM does +1 or -1 and we need TSC to provide +1 or -1 before we put +2.

TSC shall approve exception.

Status: ongoing

Solution: We need to have TSC involved in every exception.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 5th 12th OF JANUARY'21. 





Recording: 2021-01-05_SECCOM_week.mp4

SECCOM presentation: 2021-01-05 ONAP Security Meeting - AgendaAndMinutes.pptx