Versions Compared

Old Version 1

changes.mady.by.user Paweł Pawlak

Saved on

compared with

New Version Current

changes.mady.by.user Paweł Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

TSC meeting updateSECCOM contribution to ONAP qualityincreaseappreciated!!!
  • THANK YOU for all the contributions.
    		• ongoing

    Jira Legacy
    serverSystem Jira
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyOOM-2734

    DCAE update

    • Requirement to support by DCAE registry for HELM charts. Chartmuseum is maintained by Chart team.
    • 3 types of authentication supported.
    • Proposal is to restrict the client's list, once they have user names and passwords only ones who have to update/delete charts limits writing and access considerable just for those particular clients. → separate sidecar that can do client authentication
    • FW to be used to limit the access for reading to strictly ONAP applications.
    • mTLS could be a solution for read - Tony passed this idea to right people, mTLS would have to be supported on both sides (DCAE subproject and Chartmuseum). 
    • Would service Mesh simplify authentication?
    • More readers expected in the future for things in the repository
    		ongoingmTLS to be further elaborated

    Jakarta proposed dates

    Global Requirements/Best Practice deadline for submission: 2nd of December by SECCOM:

    • [REQ-xxx] SECURITY LOGS MANAGEMENT
    • [REQ-xxx] Feature intake template
    • [REQ-xxx] Using basic image from OOM
    • [REQ-xxx] Software BOMs
    		ongoingLast PTL meeting

    Portal and VID dependencies (i.e., portal, portal-sdk & vid repos):

    Portal -> SDC UI (user authentication) -> Other projects are dependent on SDC (e.g., CLAMP GUI)

    VID to be removed , portal SDK as well.

    Projects unmaintained shall have their repos excluded from scans.

    EoL/EoS nomenclature could be used, open source communities do not maintain older versions, but encouraging to use latest greatest.

    		ongoing

    SCA automation efforts

    		We are xploring automation capabilities for moving data from Nexus-IQ to Wiki.strated

    New Best practice for Jakarta release – new req to be open for Security logging

    Set of questions prepared by Bob, to be addressed.

    Sidecar for logging - to be further decided by TSC who is going to maintain it.

    		ongoingPTLs meeting to be used for collecting info on logging capabilities per project.Feature intake template

    Muddasar did not find prove of tracking the feature after its approval.

    		ongoing

    To reach out PTLs on what could be the best way to tackle Jira template.

    Muddasar will propose some initial template, contributions are welcome.

    Muddasar will also reach out Alla as a follow up, feedback from testers might be also valuable.Honolulu maintenance release approved

    Jakarta timeline proposed: Release Planning Jakarta

    Participants reminded to vote for TSC membership




    		PTL meeting update

    Michal to remove vid from OOM

    Investigating portal-sdk removal

    Reminded projects to update Security Vulnerabilities tables on protected wiki (CLI, EXTAPI, VNFSDK have made no progress; AAI, MSB have not reported status)




    		Angular experience on dependencies

    Jared presented his development results on app dependency cluster graph.

    Slides presented - please refer to thebottom of this page for a link.
     

    		started

    ONAP release notes and dependencies

    Thomas was contacted. He is retrieving info via script about all the components. Output:

    View file
    nameonap_tables_210601.xlsx
    height150

    Dependencies between components or with external projects are not tracked here.

    		ongoingTo review the context of this request.

    		Feature template follow-upMuddasar had a meeting with Alla. Muddasar is preparing a slide deck to be presented at the TSC.ongoingSlides with the proposal to be presented at the TSC.

    		SonarCloud coverage for Jakarta releaseFocus on security vulnerabilities that have blocker or critical rank. In Sonar it is called hotspot.started

    [REQ-441]

    		New Global Requirement

     [REQ-441] LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – PROPOSAL FOR JAKARTA

    		ongoingNext PTLs meeting on 18th of October - agenda

    		Kubernetes hardening

    Shared by Brian: https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/

    CubeCon next week, slack channel exists for Kubernetes security.

    		started


    		OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 12th OF OCTOBER'21. 

    Kubernetes hardening (Brian)

    CADI and AAF replacement (Byung) 




    Recording: 

    View file
    name2021-10-05_SECCOM_week.mp4
    height150

    SECCOM presentation:

    View file
    name2021-10-05 ONAP Security Meeting - AgendaAndMinutes.pptx
    height150

    ApplicationVisualization_2021_05_10.pptx