Jira No | Summary | Description | Status | Solution

New ONAP project intro to SECCOM

Toine Siebelink new elected PTL - Configuration & Persistency Service R7

Action point from last PTL meeting - Determine what can be achieved regarding the approved best practices for global requirements

#AGREED The TSC approves REQ-437 (Python 2 -> 3) and REQ-438 (Java 8 -> 11) as Global Requirements beginning with the Honolulu release.

SECCOM runs (among other things):

  • Software Composition Analysis with Nexus-IQ for vulnerabilities and recommended upgrades for direct dependencies.
  • CII Badging (passing, silver and gold levels) - self-reported. Majority of projects are at passing level.
  • SonarCloud scans - used for automated code coverage (80-90% of code). Use of various cryptography under exploration.
  • Securing communication (https protocol) - tested at build time
  • Removing secrets
  • Not running as root

Jenkins jobs for CPS need to be revised (last time scan failed) - ticket to be opened to LFN for that.

Access to Nexus-IQ reports for Toine - ticket to be opened to LFN for that.

Under SonarCloud nearly 50% achieved so far by CPS.

Access to security vulnerability space Wiki to be organized for Toine - ticket to be opened to LFN for that.

ongoing

Links for Toine:

https://jenkins.onap.org/view/CLM/job/cps-maven-clm-master/

/wiki/spaces/SV/overview

Last PTL meeting outputs

Feedback from the PTLs about the SECCOM plan on proposing that Python 2 -> 3 and Java 8 -> 11 become Honolulu Global requirements

Guilin Java upgrade results: onap-guilin-java-versions.xlsx

Guilin Python upgrade results: onap-guilin-python-versions.xlsx

Exception process is needed, PostgreSQL mentioned by Vijay. List of impacted projects requested by Seshu.

ongoing

Next step is to book the slot at the TSC (already done by Amy) to request TSC approval for those 2 reqs to be Honolulu Global requirements.

Next ONAP events

ongoing

Please think about topics we could propose -> to be discussed next week.

Exception process

SECCOM does +1 or -1 and we need TSC to provide +1 or -1 before we put +2.

TSC shall approve exception.

ongoing

We need to have TSC involved in every exception.

  • Exception process – TSC involvement (with +2 acceptance)

done

SECCOM best practices

HELMv3

CII Badging

Packages upgrades

Last PTL session – was in fact a TSC session

Discussion on global requirements and best practices for Honolulu

done

LFN Developer & Testing Forum - Feb 1 - 4, 2021.

Please register (Registration)

SECCOM proposals:

  • Global requirements and DCAE testimony on Java migration
  • Packages upgrades – Focus on most commonly used packages
  • CII Badging – 3 items: additional verification test for crypto weakness (integration team to be addressed), crypto credentials, secure design
  • Service Mesh update (TBC with Krzysztof)?

ongoing

Please propose topics by 15th of January (Proposals Page)

Synch with DCAE

Special guest star: Vijay joined us.

  • DCAE Jira review:

Python: DCAEGEN2-2494, DCAEGEN2-2427

Java: DCAEGEN2-2428, DCAEGEN2-2381

ongoing

Michal to be confirmed to support DCAE Python migrations

ONAP and ODL synch

Need to exchange with Dan – which ODL version is considered.

ongoing

E-mail to be sent to Dan.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 19th OF JANUARY'21.

Recording: 2021-01-12_SECCOM_week.mp4

SECCOM presentation: 2021-01-12 ONAP Security Meeting - AgendaAndMinutes.pptx