Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 25th of January 2022.
| Jira No | Summary | Description | Status | Solution |
|---|
For tracking purpose dedicated Jira tickets to be opened per project and per both releases.
David to be contacted to coordinate building Istanbul Maintenance branches| Securing connection between the Helm Client and Remote Helm Repository (Ramesh/Liam)a subject name |
Helm charts to be held locally and these are the only repos you can pull HELM charts from. Connection authentication services (option 1 and 4) and (option 2 and 3) configurability of destination supported, like a white list. Those 2 layers of security are a better option than single one of them. Use of HTTPS = authenticated repo that HELM chart would be pulled (consumed). Once authenticated restrictions apply while K8s pulling from repo. Client needs to authenticate the repo that is pulling from. Service mesh can handle secure communication and authentication and authorization policies. Begin with HTTPs connection. From the subject field from the repo would have a subject name that would be validated against white list. So first autheticate (HTTPs) and then authorize (white list). It is also crucial to ensure that to push HELM chart to the repo is under control (authentication and authorization. 2 way TLS: client doing a POST would be authenticated by the repo and authorization at the repo level would have to be done based on the subject field of the cert that was passed by the client. Mutual TLS enablement to standard client side. | ongoing | Need to address 2 points to avoid supply chain substitution attack:
Byung will discuss service mesh option with Sylvain and OOM team on Wednesday. | |||||||
https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423 | Log4j upgrade | Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832. |
- AAI – sent an e-mail to William, he promised to work with Rob on failing Jenkins jobs. It might be that all failing jobs are due to the fact that AAI is not using those repos anymore, so no log4j impact at all – but this is a know-how on PTL’s side, to be confirmed with William.
- DMaaP – according our restricted Wiki in progress, according Nexus-IQ scans – not affected anymore.
- NC (former SDNC) – info under restricted Wiki: Impacted code is not currently used (i.e. not part of any docker container). Will be addressed before data-migrator is included in any docker. Tracking Jira : SDNC-1591 - Upgrade data-migrator to log4j2 OPEN
- VNFSDK – according to Kanag vnfsdk-ves-agent repo not used anymore – e-mail sent to David to exclude from scans unused repos for this project.
Muddasar shared https://github.com/lfscanning by Gary O'Neall (lfScanningAgent) <garylegal@sourceauditor.com>
Following the exchanges with Jess under the LFN IT ticket, there is a need to create new branches by each PTL for Istanbul maintenance release and then configure jjb with Nexus-IQ scans for it.
| ongoing | To check with Jess statuses of the tickets that were recently closed. CLM scans per each project to be done by 4th of February. |
| Update of https://lists.onap.org/g/onap-security/members - updated list | List of the participants |
| to be updated |
| with |
| Maggie. | done |
Thank you SECCOM team for great presentations and all exchanges during the event!
- Interproject proposals: SBOMs ONAP story – Muddasar/Pawel - Topic, Monday 10th of January, 2:30 UTC (30 minutes session)
- Code quality demo - Fabian/Pawel/Kevin/Toine – Topic, Tuesday, 11th of January, 3:30 UTC (30 minutes session)
- ONAP Security: Jakarta Global Requirements and Best Practices Topic, Tuesday, 11th of January, 4:30 UTC Bob/Byung/Muddasar/Tony/Amy/Pawel (60 minutes session)
- Unmaintained code handling and its impact on documentation - main session stream Thomas/Amy/Pawel/Eric – Topic, Wednesday, 12th of January, 2:30 UTC (30 minutes session)
| Still waiting for Krzysztof's feedback. | ||||
| CVE creation for ONAP | Krzysztof proposed he will issue CVE for ONAP vulnerable to log4j release. | ongoing | Trying to reach out Krzysztof. If someone else knows the process, help is welcome (Muddasar might help as plan B). | |
| Log4j CVEs | could be checked here: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core | ongoing | ||
| Sonarcloud API documentation | Following our last discussion ticket was opened to LFN IT (https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23519 ) to get the SonarCloud updated API documentation | ongoing | Ticket to LFN IT to be commented by Tony. | |
| ONAP quality gates | Quality asessment mainly for the submitted code (=delta)
| ongoing | Pawel to recheck with Seshu. Pawel to point Toine. | |
| SBOM generation | Jessica will perform SBOM creation - it is in her to do list. Tony;s friend posted on Github tool that will look into Debain packages. Presentation to Governing Board in SBOM topic. Security logging in R-Alliance. | ongoing | Link to be shared by Tony. | |
SECCOM MEETING CALL WILL BE HELD ON 1st OF FEBRUARY'22. | Security logging next steps - timeline Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - |
status update with DCAE. |
Recording:
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|