
IT-23621

Log4j status update – we recommend releasing the Istanbul Maintenance release*

All related Jira tickets closed:

  • AAI-3431 - AAI status (4 components with log4j) COMPLETE
    • aai-graph-admin, aai-resources, aai-traversal, aai-common: log4j <2.17.1 direct dependencies updated
    • Waiting for OOM code merge - COMPLETE
  • DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE
    • dmaap-messagerouter-messageservice: log4j <2.17.1 direct dependencies updated
  • SDNC-1655 - SDNC status (1 component with log4j) – COMPLETE - Latest CLM scans for SDNC-OAM do not contain any version of log4j, so it is removed
    • sdnc-oam: log4j 1.2.17 direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591) – “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased the priority to high and added fixed version: Istanbul Maintenance release + a comment under the ticket on the need to migrate to log4j-core 2.17.1.
  • VNFSDK-827 - VNFSDK status (1 component with log4j) COMPLETE - Kanagaraj removed vnfsdk-ves-agent from Istanbul & Jakarta
    • vnfsdk-ves-agent: no scans for Istanbul branch -> as per Kanagaraj’s email sent on 24th of August, he mentioned that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.
Status table (columns: Jira No | Summary | Description | Status | Solution)

Jira No: IT-23622
Summary: API documentation for SonarCloud (continuation of IT-23519)
Description: New ticket was opened as the old one was closed by Jess. The reference link provided by Jess points to the deprecated API documentation. Tony provided his comment under the ticket. It seems that the new reference is for API documentation that will stop working in a few months, so it is a workaround and not an ultimate solution. The replacement we should be using according to SonarCloud requires explicit permissions to search various different repos to be granted to the person doing the search, which is not a good solution.
Status: ongoing

Summary: Log4j upgrade
Status: completed
Solution: New ticket opened to LFN IT: CLM jobs failing.

Jira No: IT-23650
Summary: ONAP Security logging PoC requirements - Byung
Description: https://lists.onap.org/g/onap-requirements-sub/viewevent?eventid=1437425&calstart=2022-02-28
Presentation available at the bottom of this page. Security Logging Requirements were presented to the Use Case Subcommittee. Toine agreed to be a project for a PoC.
Status: started
Solution: Presentation on proposed logging fields to be provided to the PTL community on 14th of March. To be followed by architecture information as a separate presentation/topic.
Jira No: IT-23650
Summary: Unmaintained projects – ticket creation for failing Jenkins jobs
Description: Issue seems to be finally resolved. Thomas asked to propose a patch for the composite release notes that includes info from slide 6.
Status: done

Summary: LFN preparing document on ONAP security
Description: https://wiki.lfnetworking.org/display/LN/2022+LFN+Security+whitepaper
Contribution needed for SBOM part – Sean/Bob done. NTIA paper could be a good reference.
Status: done

Summary: Unmaintained projects
Description: Discussion on how to represent unmaintained projects: yaml vs. JSON file, type of information.
Status: ongoing
Jira No: IT-23622
Summary: API documentation for SonarCloud (continuation of IT-23519)
Description: Tony and Amy will try to use AT&T's leverage as a SonarCloud customer to get info on API documentation.
Status: ongoing

Summary: Unmaintained projects - Istanbul Maintenance Release Notes
Description: Ticket creation for failing Jenkins jobs. Thomas asked to propose a patch for the composite release notes that includes info from slide 6, but we first need to solve the failing Jenkins jobs.
Status: done
Solution: Failing Jenkins jobs issue to be escalated.

Summary: Process for Security review question for the period of the last 5 years
Description: We move this topic to next week's agenda, so Muddasar could participate.
  • Tony (slides 8 and 9):
  • Maggie:
    • (1) OWASP Top 10
    • (2) BSIMM
    • (3) Secure Software Development Framework
      This publication is a little different and is actually geared more towards selecting products and making good choices on deployment across the enterprise. However, it does bring up points that we may want to consider addressing across the architecture.
    • (4) CIS Critical Security Controls
  • Muddasar:
    - Security Belts – structures the activities of secure software development: https://github.com/AppSecure-nrw/security-belts
    - OWASP DevSecOps Maturity Model: https://dsomm.timo-pagel.de
    - DevSecOps Platform-Independent Model: Requirements and Capabilities – SEI (FFRDC) Technical Report (figure 7): https://apps.dtic.mil/sti/pdfs/AD1152747.pdf
    - ISACA Cybersecurity Maturity Assessment (self-assessment): https://www.isaca.org/enterprise/cmmi-cybermaturity-platform#cmmicp-tabs
Status: ongoing
Solution: ONAP 5Y assessment should be a group capability assessment of where we stand on the security measures that we have and how we measure them. From the assessment at each project level we will get an image of ONAP as a whole. Pawel to create a criteria proposal (a kind of high-level document proposal) for further review based on Figure 7.

Summary: TSC meeting update
Description: Log4j SECCOM recommendation for Istanbul Maintenance release presented.

Summary: Security logging update
Description: https://wiki.onap.org/display/DW/Jakarta+Best+Practice+Proposal+for+Standardized+Logging+Fields
Some more clarifications planned; naming is causing some confusion.
Status: ongoing
Solution: One more session (on 25th of February) to complete the fields review. Next to be reviewed with PTLs.

Summary: SBOM creation - we move this topic to next week's agenda
Description: Jess had trouble with polling dependencies from some project. All CLM Jenkins jobs are failing now. We want to make the SBOM available to the end user. We are compliant with the MVP for SBOM fields. The SPDX 3.0 standard will have an extended field capability (a long list of optional attributes) and there will be a new ISO standard associated with it.
Status: ongoing

Summary: SonarCloud findings
Description: Tony will open direct tickets to projects.
Status: started
Solution: Tickets to be opened by Tony.

Summary: LFN preparing document on ONAP security
Description: Amy made some contributions already. Contribution needed for SBOM part – Sean to be addressed.
https://wiki.lfnetworking.org/display/LN/2022+LFN+Security+whitepaper
NTIA paper could be a good reference.
Status: started
Solution: E-mail to Sean/Bob to be sent by Amy.

Summary: Badging - no update
Description: Tony working with David and Dave on getting projects moved from having an owner from the project to David as the owner for Badging. Some owners have gone away... Additional editors do not have rights to remove somebody from the project (they can only add additional people). No movement. Waiting for an answer from David Wheeler.
Solution: Tony to reach out to David.

Summary: Final SCA scan for Istanbul Maintenance release.
Solution: List of projects with transitive dependencies to be provided by Amy.


Summary: Quality gates
Description: No update so far from Seshu.
Status: ongoing
Solution: To join SO meeting. To drop an e-mail to Toine.


Summary: Issue with Wiki creation by Tony
Solution: Ticket to be created to solve the issue.

SECCOM MEETING CALL WILL BE HELD ON 8th OF MARCH'22.

  • Quality gates for code quality improvements - continuation of the discussion.
  • 5Y review criteria.

Recording: 2022-03-01_SECCOM_week.mp4

SECCOM presentation: 2022-03-01 ONAP Security Meeting - AgendaAndMinutes.pptx