Versions Compared

Old Version 1

changes.mady.by.user Paweł Pawlak

Saved on

compared with

New Version Current

changes.mady.by.user Paweł Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 18th of January 2022.

Jira No
SummaryDescriptionStatusSolution

Issue with ONAP zoom13  Waiting room seems to be not disabled, we had to use Pawel's zoom instead.startedKenny to be contacted to help in solving the issue. 









https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423

Log4j upgrade

Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

 ongoing

For tracking purpose dedicated Jira tickets to be  opened per project and per both releases.

https://jira.onap.org/browse/INT-2039Limit number of imagesImages lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master).ongoingCentos usageUsed by Postgres with version 8 - we are targetting version 8 stream.Unmainained projectsMeeting done last Monday - to be continued on Thursday (DOC) meeting.Jakarta SCA analysis

New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation

Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426

Update recommendations for log4j into 2.17

Post log4j info on ONAP security Wiki. 

TSC meeting update
  • Log4j Istanbul maintenance release
  • Steve Winslow left LFN
Steve move ement Impact on Tony for CII Badging?PTL meeting updatelog4j updateSBOMsMuddasar sent e-mail to Vijay and Toine.ongoingQuality gatesFabian will have a meeting with Seshu for SO. Next update in January.ongoing

Kubescape and Trivi scans

https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job.

Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi.

Threadfix removes duplication of findings from different sources.

ongoing

Fabian will have a meeting with Kubescape.

Brian to share info on their Jfrog  for Image scanning.

SECCOM presentations for incoming DDF (January).

SECCOM topics and overall agenda proposal:

https://teamup.com/ksgw6qzqcmg9zbzsfq?view=MD&date=2022-1-10&calendars=8227292,8227785,8227782,8310707,8310614

.

  • AAI – sent an e-mail to William, he promised to work with Rob on failing Jenkins jobs. It might be that all failing jobs are due to the fact that AAI is not using those repos anymore, so no log4j impact at all – but this is a know-how on PTL’s side, to be confirmed with William.
  • DMaaP – according our restricted Wiki in progress, according Nexus-IQ scans – not affected anymore.
  • NC (former SDNC) – info under restricted Wiki: Impacted code is not currently used (i.e. not part of any docker container). Will be addressed before data-migrator is included in any docker. Tracking Jira :  SDNC-1591 - Upgrade data-migrator to log4j2 OPEN
  • VNFSDK – according to Kanag vnfsdk-ves-agent repo not used anymore – e-mail sent to David to exclude from scans unused repos for this project.

Muddasar shared https://github.com/lfscanning by Gary O'Neall (lfScanningAgent) <garylegal@sourceauditor.com>

Following the exchanges with Jess under the LFN IT ticket, there is a need to create new branches by each PTL for Istanbul maintenance release and then configure jjb with Nexus-IQ scans for it. 

ongoing

For tracking purpose dedicated Jira tickets to be  opened per project and per both releases.

David to be contacted to coordinate building Istanbul Maintenance branches.


Update of https://lists.onap.org/g/onap-security/members - updated listList of the participants was reviewed and updated inline with contributions.doneAdded people to this distribution list.

SECCOM presentations for DTF (January).

Thank you SECCOM team for great presentations and all exchanges during the event!

  • Interproject proposals: SBOMs ONAP story – Muddasar/Pawel  - Topic, Monday 10th of January, 2:30 UTC (30 minutes session)
  • Code quality demo - Fabian/Pawel/Kevin/Toine – Topic, Tuesday, 11th of January, 3:30 UTC (30 minutes session)
  • ONAP Security: Jakarta Global Requirements and Best Practices
  • Topic, Tuesday, 11th of January, 4:30 UTC Bob/Byung/Muddasar/Tony/Amy/Pawel (60 minutes session)
  • Unmaintained code handling and its impact on documentation
(SECCOM + Documentation)
  • - main session stream Thomas/Amy/Pawel
/Thomas
  • , Wednesday, 12th of January, 2:30 UTC
  • Code quality demo - main session stream – Fabian/Pawel/Kevin/Toine – Topic
    • Tuesday, 11th of January, 3:30 UTC

    • Interproject proposals:

  • SBOMs ONAP story – Muddasar/Pawel Topic
    • Monday, 10th of January, 2:30 UTC
    • (30 minutes session)
    		done

    		Sonarcloud API documentationAs discussed SonarCloud has changed their API and available documentation is insufficient. Need to open a ticket to Jess to help in exchanges with SonarCloud and obtain better API documentation.done

    Ticket to LFN IT was opened:



    		ONAP quality gates 

    Quality asessment mainly for the submitted code (=delta)

    • Integrate tests with CPS
    • SO PoC
    		ongoing

    SECCOM MEETING CALL WILL BE HELD ON 25th OF JANUARY'22. 

    Review - SECCOM presentations for DDF events.

    Quality gates for code quality improvements - continuation of the discussion.

    SBOM next steps - which repos/projects to take into account?




    Recording: 

    View file
    name2022-01-18_SECCOM_week.mp4
    height150


    SECCOM presentation:

    View file
    name2022-01-18 ONAP Security Meeting - AgendaAndMinutes.pptx
    height150