
Columns: Jira No | Summary | Description | Status | Solution

Last TSC update

CNF Task Force meeting moved to 31st of March; US government support may help increase open source „apps 5G”.

https://zoom.us/j/219945081?pwd=ZEN3U3daem9oMGJuZ3BXZExCdldkUT09

Status: ongoing

Solution: SECCOM representatives will join this session with US military on open source secure software development for 5G.

Last PTL meeting
  • Exceptions for Honolulu - still for some scans we lack exception requests (see Honolulu Impact View per Component) - exceptions to be merged.
  • Moving best practice requirements (CII Badging, upgrading packages) to global - no feedback received.
  • Discussion point on SonarCloud code coverage: separate targets per project; results are seen by the project after the merge.
  • Discussion point on why basic images are sometimes not used by projects; the Alpine basic image does not work.
  • CCSDK and SDNC moved to basic image - more documentation is needed - Morgan provided it.
  • In some cases JDK is needed in runtime - basic image does not have it.
  • Basic Image Documentation:

Solution: Separate meetings with projects to be organized on SonarCloud code coverage target goals per project. SonarCloud, Gerrit and Jenkins feedback to be shared by Fabian.

How to create secure applications

Following the last request from Chaker and the discussion at the last PTLs meeting, Tony prepared a proposal:

https://wiki.onap.org

TSC meeting
  • RC0 merged with RC1 on March 25th
  • Hardcoded certificate in AAI just expired, HELM limitations
  • Istanbul release – kick-off date (M0) April 1st. Full planning redefinition to be determined
  • Our proposal to replace maintained by unmaintained was approved by TSC
  • Chaker integrated security programming best practices
  • We are to book a slot at one of the next TSCs (25th of March) to present our proposal for moving TSC best practices to global requirements by M1 for:
    • CII Badging
    • Upgrading packages
  • Internship – we have to act fast…but we need time to be an active mentor

Status: ongoing

Solution: Slot to be booked for the next TSC meeting for moving best practices to global requirements


How to create secure applications

https://lf-onap.atlassian.net/wiki/display/DW/Secure+Programming+Practices

Comments/proposals/modifications were provided.

Status: pending

Solution: Chaker to be informed about this draft - e-mail to be sent by Pawel. Next week PTLs to be updated with this proposal.

Already linked by Chaker, presented to TSC and presented to PTLs.

Status: ongoing

Solution: PTLs will provide their feedback by March 29th


SonarCloud findings to fix in Istanbul release
  • Focus on fixing crypto vulnerabilities
  • How to tag unmaintained projects
  • Automation introduction for projects not fixing the vulnerability within 60 days

Status: ongoing

Solution: Tony to contact David Wheeler to check if automation could be introduced

NEXUS-IQ container scanning

New feature being checked with LFN, but no update from Jess.

Status: ongoing

Solution: Amy to contact Jess for an update

Logs management

Follow up by Amy – container logging requirements review:

Attachment: 2021-02-22_LoggingRequirementEvents_v4.pptx

Status: ongoing

Solution: Requirements to be reviewed next week at the SECCOM meeting.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 31st 30th OF MARCH'21. 





Recording: 2021-03-23_SECCOM_week.mp4 (attachment)

SECCOM presentation: 2021-03-23 ONAP Security Meeting - AgendaAndMinutes.pptx (attachment)