...
| Jira No | Summary | Description | Status | Solution | Java and python upgrades in Istanbul release | We do not plan on creating tickets for unmaintained projects, instead we should add those repos to Morgan’s exception list. Looking for info on which projects are responsible for the following repos:(responses from PTLs in parentheses)
| ongoing | Security and critical vulns per project | Orange developer strated with DMaap: 421 issues down to 53 - at the last PTLs meeting DMaaP PTL promissed to review the proposed changes and merge it. Next step will be to analyze SO. | ongoing | NSA contribution proposal for ONAP security | Vijay reached-out Maggie, establishing contact with relevant ONAP community members. | ongoing | Next meeting to be booked. | CNF Task Force enterprise business workgroup | Meeting on April 14th at 2:00 UTC - Work with O-RAN to use ONAP for service management and orchestration, how to handle Magma - no decision yet on how to treat access control gw? ONAP Architecture Subcommittee to be involved. | ongoing | Feedback collection on Magma | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| [WAIVERS] Set Honolulu security waivers | Merge done | done | Meeting with Jess and SECCOM on Jenkins/Gerrit and SonarCloud | Meeting done on April 15th - integration between Wikimedia and Sonar: https://phabricator.wikimedia.org/phame/post/view/160/introducing_the_codehealth_pipeline_beta/ | ongoing | Fabian will come back to us with an update. | Slide deck for new Global Requirements | No slot again at the last TSC, although booked. - e-mail request was sent to TSC distribution list | ongoing | Waiting for TAC approval | Training for SonarCloud | Please refer to slides in the slide deck below for a complete list of the questions. Additional question identified on possibility to integrate SonarCloud with Gerrit – scan before merge. | ongoing | Updated list of questions to be shared by Jess with SonarCloud team. | CII Badging – automation support for Tony | Dave Wheeler was able to create a base library that could be used to do an update. Tony created a Python script that would allow updates to big number of projects based on configuration file. | ongoing | Next step is to get additional people and try it out - especially David McBride. Code is available in Tony's GitHub private area. | Container logging requirements | Container application logging ok but for container not. Logging is stored in stdout, how it gets out of the container?. Kubernetes can capture both stdout and stderr. Additional component is needed like FluentD to push those logs to an external system. How does container know from which container logs come from? It is important to know what security information in the logging has | ongoing | General link to requirements to be added. | TSC meeting update |
-CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES -CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL
-LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA | done | Jira tickets per projecs to be created. | |
| NSA proposal follow-up | Meeting scheduled on May 3rd. | ongoing | All interested contributors are wlecome to join this follow-up session. | ||||||||||||||||||||||||
Questions for SonarCloud (slides 4 and 5) | Already shared with SonarCloud - waiting for a feedback. | ongoing | To check with SonarCloud representative (Sylvain) when feedback could be expected. | ||||||||||||||||||||||||
New Jira tasks for java and python upgrades in Istanbul release | Were already created - couple of project claimed that they already done. | ongoing | To check next test results. | ||||||||||||||||||||||||
| NEXUS-IQ container scanning | Scans of the containers show the same vulns as scans of the source code. On container scans there is no indication on transitive/direct dependencies, so PTLs lose infrmation - update of the transitive dependency might break the code! We would like to surpress all the results that are not in the code base. | ongoing | Sonatype to be contacted via Jess to check if ability to do the correlation exists or is planned. | ||||||||||||||||||||||||
IT-21675 Jacoco integration with SonarCloud (info from Christophe) | As Sonar team and Jacoco team are still arguing on this topic on forums, target was reached using unit tests only (so this is not critical anymore) | ongoing | |||||||||||||||||||||||||
NEXUS-IQ – SCA analysis started for Istanbul release | DCAE made a good progress - some repos free of critical vulnerabilities. For some repos upgrade is not enough as no remedy exists yet - to be docuemented properly. | ongoing | To complete SCA analysis by end of next week. | ||||||||||||||||||||||||
Continuation of discussion on Fabian’s comment on logging management | Logs management to be taken up to Archiecture Subcommittee, so beyond security. We do have standard what to do with logs but it was not followed for a while. Container run time requirement and entire virtualized requirement (all event types collected)- we mix those 2. Logs transfer need to be secured. Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationIDMDC-InvocationID | ongoing | Fabian to present most recent logging management archiecture to Archiecture Subcommittee. Bob to elaborate the link provided. | ||||||||||||||||||||||||
| Additional 2 resources from Orange to improve ONAP security | DMaaP PTL integrated changes and additional 8 new blocking points had to be fixed. Next step started work on security for SO. This will be rather for Istanbul. | Done for DMaaP ongoing for SO | |||||||||||||||||||||||||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 4th OF MAY'21. | Whe start pushing few other items in CII Badging or SonarCloud? To adrress it next week at the SECCOM. Review of the document (link) provided by Bob. |
Recording:
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|