Jira No | Summary | Description | Status | Solution
---|---|---|---|---
IT-23622 | API documentation for SonarCloud (continuation of IT-23519) | New ticket was opened as the old one was closed by Jess. The reference link provided by Jess points to the deprecated API documentation. | ongoing | Tony to provide documentation. Tony provided his comment under the ticket. It seems that the new reference is for API documentation that will stop working in a few months, so it is a workaround and not an ultimate solution. The replacement we should be using according to SonarCloud requires explicit permissions to search various repos to be granted to the person doing the search, which is not a good solution.
| Log4j upgrade | Log4j status update: we recommend releasing the Istanbul Maintenance release. All related Jira tickets opened/closed. | completed | New ticket opened to LFN IT on NexusIQ reporting false-positive log4j direct dependencies. SECCOM recommendation to be provided at the TSC for releasing the Istanbul Maintenance release. CLM jobs failing.
IT-23650 | Unmaintained projects - Istanbul Maintenance Release Notes | Ticket creation for failing Jenkins jobs. Thomas asked to propose a patch for the composite release notes that includes info from slide 6, but we first need to solve the failing Jenkins jobs. | ongoing | Failing Jenkins jobs issue to be escalated.
| Process for the security review question for the period of the last 5 years (moved to next week's agenda so Muddasar can participate) | Candidate references: (1) OWASP Top 10; (2) BSIMM; (3) Secure Software Development Framework (this publication is a little different and is actually geared more towards selecting products and making good choices on deployment across the enterprise; however, it does bring up points that we may want to consider addressing across the architecture); (4) CIS Critical Security Controls; Security Belts, which structures the activities of secure software development (https://github.com/AppSecure-nrw/security-belts); OWASP DevSecOps Maturity Model; DevSecOps Platform-Independent Model: Requirements and Capabilities, SEI (FFRDC) technical report, figure 7 (https://apps.dtic.mil/sti/pdfs/AD1152747.pdf); ISACA Cybersecurity Maturity Assessment, self-assessment (https://www.isaca.org/enterprise/cmmi-cybermaturity-platform#cmmicp-tabs) | started / ongoing | The ONAP 5Y assessment should be a group capability assessment of where we stand on the security measures we have and how we measure them. From the assessment at each project level we will get an image of ONAP as a whole. Pawel to create a criteria proposal (a kind of high-level document proposal) for further review based on Figure 7. Distinction between SCA scans: source code (better) vs. executables. Industry best practice is to find 3rd-party packages in your code or to generate an SBOM. Having SCA scans against source code provides full information about the composition of your application.
| TSC meeting update | Discussion on alternative ways of packaging CNFs: ETSI SOL (option 2, supported with package signature) and ASD (some extra metadata); need to ensure signing capabilities. Istanbul Maintenance -> 17th of February. | | ASD package wiki: Application Service Descriptor (ASD) Onboarding Packaging Format
| PTL meeting update | Conversation on unmaintained vs. included in the build. | |
| Unmaintained projects | JSON file review: which repo it is to be stored in and where. | | New repo to be requested by Thomas.
| Log4j SECCOM recommendation for the Istanbul Maintenance release | | presented |
| Security logging update | https://wiki.onap.org/display/DW/Jakarta+Best+Practice+Proposal+for+Standardized+Logging+Fields Some more clarifications planned; naming is causing some confusion. Good progress. | ongoing | One more session (on 25th of February) to complete the fields review. Next to be reviewed with PTLs.
| SBOM creation (moved to next week's agenda) | Jess had trouble with polling dependencies from some project. All CLM Jenkins jobs are failing now. We want to make the SBOM available to the end user. We are compliant with the MVP fields for the SBOM. The SPDX 3.0 standard will have an extended field capability (a long list of optional attributes) and there will be a new ISO standard associated with it. | ongoing |
| SonarCloud findings | Tony will open direct tickets to projects. | started | Tickets to be opened by Tony.
| LFN preparing document on ONAP security | Amy made some contributions already. Contribution needed for the SBOM part; Sean to be addressed. https://wiki.lfnetworking.org/display/LN/2022+LFN+Security+whitepaper NTIA paper could be a good reference. | started | E-mail to Sean/Bob to be sent by Amy.
| Badging (no update) | Tony working with David and Dave on getting projects moved from having an owner from the project to David as owner for Badging. Some owners have gone away. Additional editors do not have rights to remove somebody from the project (they can only add additional people). | |
| SECCOM meeting call will be held on 1st of March '22 | Quality gates for code quality improvements: continuation of the discussion. 5Y review criteria. | |