Jira No | Summary | Description | Status | Solution
---|---|---|---|---
 | 2021 LFN Developer & Testing Forum, June 2021 (2021-06-07 - 2021-06-10) | SECCOM proposal: ONAP: SECCOM activities for Istanbul release. General feedback on event in security context: | completed | Service mesh security – info to be shared with Maggie and NSA team (Amy)
 | Welcome Leah! | Introduction of new intern for summertime at AT&T | completed | 
 | PTLs meeting | The permissions are given per repo unfortunately, not across all at once. A slot was booked at the last PTLs meeting to ask PTLs for their GitHub IDs, so they would get access to SonarCloud capabilities. | ongoing | PTLs GitHub IDs to be collected once TSC approves the idea
 | Jenkins, Gerrit and Sonar – Thierry Aleno | Only master branch content is analyzed by SonarCloud today. The WikiMedia solution was tested; it is based on a Sonar webhook and a small web service hosted on Toolforge. A developer proposes a patch on Gerrit; a Jenkins job is triggered by the patch set event and launches the SonarCloud analysis of the proposed code. The Jenkins job runs to the end if the Maven build is OK and votes Verify +1, or Verify -1 if the build failed. At the end of the code analysis in SonarCloud, the webhook posts a request with the scan result to the web service. If the branch name is master, the web service does nothing; for short-lived branches it sends +1 in the Verify parameter if the scan is OK, and 0 if the scan is NOK. In the NOK case the Verify vote in Gerrit is removed and the developer has to correct his/her code before re-proposing the patch; the patch cannot be merged into the branch. Gerrit receives the POST request sent by the web service, containing the Verify parameter plus which conditions are OK and which are NOK. The web service developed by Wikimedia can be adapted (some URLs are hardcoded) and is to be tested with SonarCloud.io. The estimated LoE (Level of Effort) is very small. The ONAP quality gate is currently very low: https://sonarcloud.io/organizations/onap/quality_gates/show/6826 | ongoing | Meeting to be organized by Pawel with LFN (Jess, Kenny) and a friendly project (CPS) for a PoC later this week. If the result of the PoC is positive, it could be generalized to the whole of ONAP. We should present the solution to PTLs. Use cases for the PoC to be defined.
 | PTLs meeting update | | ongoing | PTLs shall be encouraged to take their actions to deprecate their relevant repos.
 | TSC meeting update | TSC approved the SonarCloud profile management model. Invitation received from Bengt to the ONAP GitHub. | ongoing | GitHub IDs to be collected from PTLs - to be checked with David by Pawel. Amy to follow up with Bengt directly on being added to the ONAP GitHub.
 | (IT-22048) for direct vs. indirect dependencies with container scans | Feedback from Bengt to move on with the ticket at Sonatype by opening a feature request - Amy opened a feature request (IT-22175) - no update | ongoing | 
 | Fabian's update - quality of code | DMaaP: only 16 minor security issues closed, still 18 critical; with SO pending merge, same for service mesh; now started with SDC. E-mail from Jess on Wikimedia – the plugin can be deployed but a Jenkins job is needed every time before the merge. A PoC could be created with the DMaaP project. Discussion with LFN and Jess on Jenkins credentials (e-mail was sent to Seshu - no response so far, but Fabian reports merge). | ongoing | E-mail to be sent to Seshu to try to move the merge forward (Pawel). Meeting to be organized with Jess and LFN on plugin deployment possibility (Fabian).
 | CIS Benchmark feedback - Muddasar | We have pretty much every requirement already documented; what is missing is auditing capabilities (they are turned off by default). CIS benchmarking provides guidelines but also the commands required. An automated script that can be downloaded is on GitHub. | ongoing | 
 | Morgan's e-mail | | ongoing | Book a slot with PTLs on next Monday (Pawel). Check with the Integration team why we can see 3 instances of Cassandra and if they own it (Amy).
 | Software BOM and point upgrade discussion – atomic level of ONAP | How detailed shall the BOM be? Release management of different ONAP components - a way to collect information (major ONAP modules, OSes, DBs etc.). Software Bill of Materials - we do not create one today, but we have Nexus-IQ from which the information can be retrieved. Contractual aspects to be checked. How to upgrade a vulnerable module? | started | Amy to organize with Muddasar a meeting on Software BOM.
 | OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 22nd 29th OF JUNE'21. | Continuation of the atomic level of ONAP discussion. | | 
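The SonarCloud-to-Gerrit vote logic from the Jenkins, Gerrit and Sonar item above, written out as an added example; this is not the Wikimedia Toolforge web service nor any ONAP code. It reads a SonarQube/SonarCloud webhook payload (documented fields `branch.name`, `qualityGate.status`, `qualityGate.conditions`) and builds the body of a Gerrit review POST. The sample payload is constructed, and the Gerrit label name `Verified` is an assumption for what the minutes call the "verify parameter".

```python
import json
from typing import Optional

MAIN_BRANCH = "master"     # master results are ignored; it is analysed anyway
VERIFY_LABEL = "Verified"  # the minutes' "verify parameter" (assumed label name)

# Constructed sample in the documented SonarQube webhook shape (not a real
# ONAP scan; project key and branch name are made up).
SAMPLE_PAYLOAD = {
    "serverUrl": "https://sonarcloud.io",
    "status": "SUCCESS",
    "project": {"key": "example-project", "name": "example-project"},
    "branch": {"name": "refs/changes/42/100042/3", "type": "SHORT", "isMain": False},
    "qualityGate": {
        "name": "example gate",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_security_rating", "operator": "GREATER_THAN",
             "value": "3", "status": "ERROR", "errorThreshold": "1"},
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "63.1", "status": "OK", "errorThreshold": "30"},
        ],
    },
}

def gerrit_review_for(payload: dict) -> Optional[dict]:
    """Turn a SonarQube/SonarCloud webhook payload into the body for Gerrit's
    POST /a/changes/{change}/revisions/{rev}/review, or None for master.

    Quality gate OK  -> Verified +1 (patch may merge)
    Quality gate NOK -> Verified 0  (earlier vote cleared; patch cannot merge)
    """
    if payload.get("branch", {}).get("name", MAIN_BRANCH) == MAIN_BRANCH:
        return None  # main branch: the web service does nothing
    gate = payload.get("qualityGate", {})
    passed = gate.get("status") == "OK"  # SonarQube reports "OK" or "ERROR"
    conds = gate.get("conditions", [])
    ok_metrics = [c["metric"] for c in conds if c.get("status") == "OK"]
    nok_metrics = [c["metric"] for c in conds if c.get("status") == "ERROR"]
    lines = [f"SonarCloud quality gate '{gate.get('name', '?')}': {'OK' if passed else 'NOK'}"]
    lines += [f"  OK : {m}" for m in ok_metrics] + [f"  NOK: {m}" for m in nok_metrics]
    return {
        "labels": {VERIFY_LABEL: 1 if passed else 0},
        "message": "\n".join(lines),
        "tag": "autogenerated:sonarcloud",  # lets Gerrit users filter bot comments
    }

if __name__ == "__main__":
    print(json.dumps(gerrit_review_for(SAMPLE_PAYLOAD), indent=2))
```

The returned dict is what the web service would POST to Gerrit; a 0 vote clears a previous +1 on the same label, which is the "parameter removed" behaviour the minutes describe.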
Recording: attached file

SECCOM presentation: attached file