Page Comparison

...

Jira No

Summary

Description

Status

Solution

Log4j upgrade

Log4j 2.17.1 was released.

ongoing

For tracking purpose dedicated Jira tickets to be opened per project and per both releases.

It provides a fix for a vulnerability: https://

jira

cve.

onap

mitre.org/

browse/INT-2039

Limit number of images

Images lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master).

ongoing

Centos usage

Used by Postgres with version 8 - we are targetting version 8 stream.

Unmainained projects

Meeting done last Monday - to be continued on Thursday (DOC) meeting.

Jakarta SCA analysis

New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation

Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426

Update recommendations for log4j into 2.17

Post log4j info on ONAP security Wiki.

TSC meeting update

Log4j Istanbul maintenance release
Steve Winslow left LFN

Steve move ement Impact on Tony for CII Badging?

PTL meeting update

log4j update

SBOMs

Muddasar sent e-mail to Vijay and Toine.

ongoing

Quality gates

Fabian will have a meeting with Seshu for SO. Next update in January.

ongoing

Kubescape and Trivi scans

https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job.

Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi.

Threadfix removes duplication of findings from different sources.

ongoing

Fabian will have a meeting with Kubescape.

Brian to share info on their Jfrog for Image scanning

cgi-bin/cvename.cgi?name=CVE-2021-44832

View file

name	2022-01-04 ONAP Security Subcommittee recommendation log4j issue v5.pptx
height	150

ongoing

For tracking purpose dedicated Jira tickets to be opened per project and per both releases.

SECCOM presentations for incoming DDF DTF (January).

SECCOM topics and overall agenda proposal:

https://teamup.com/ksgw6qzqcmg9zbzsfq?view=MD&date=2022-1-10&calendars=8227292,8227785,8227782,8310707,8310614
ONAP Security: Jakarta Global Requirements and Best Practices
- Tuesday, 11th of January, 4:30 UTC
Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric – Topic
- Wednesday, 12th of January, 2:30 UTC
Code quality demo - main session stream – Fabian/Pawel/Kevin/Toine – Topic
- Tuesday, 11th of January, 3:30 UTC

Interproject proposals:

- - SBOMs ONAP story – Muddasar/Pawel Topic
  - Monday, 10th of January, 2:30 UTC

ongoing

SECCOM MEETING CALL WILL BE HELD ON 18th OF JANUARY'22.

Review - SECCOM presentations for DDF events.

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?

Recording:

View file

name	2022-01-04_SECCOM_week.mp4
height	150

SECCOM presentation:

View file

name	2022-01-04 ONAP Security Meeting - AgendaAndMinutes.pptx
height	150

Versions Compared

Old Version 1

New Version Current

Key