...
Jira No | Summary | Description | Status | Solution | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Updates to Secure Design Questionnaire - Maggie | Know Secure Design Just wording change:
Larger comment
Implement Secure Design
Crypto Call – Generic
Crypto Random - Generic (NIST SP 800-90C)
90C is about putting various pieces together (entropy source and the "pseudo-random number generator" PRNG). 90A has the PRNG algorithms. 90B has testing requirements for entropy sources. | ongoing | Update to be incorporated by Maggie into the existing Wiki: https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template Muddasar will prepare grade rate assessment proposal. | New SECCOM contributor | Welcome on board Alexander from Samsung. Major interests:
| Ticket to be opened by Alexander to LFN-IT - done https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23764# ticket created E-mail about SPDX SBOM configuration to be shared by Muddasar with Alex. | Istanbul Maintenance Release Notes on Log4j transitive dependencies | ongoing | To be checked with Dan if Reload4j is a good alternative for his projects. | ONAP Jakarta: Vulnerable Package Upgrades - Amy | We reached 60% of packages upgraded. | ongoing | Quality gates - PoC with SO. | Meeting with Seshu done. SO would like to use https://www.sonarlint.org/ , Looking for IDE expertise. https://docs.sonarqube.org/latest/user-guide/clean-as-you-code/ - quality code would be for a new code. | ongoing | Ticket to be opened to LFN-IT to get clarification on SonarLint licensing. Maggie will check for IDE expertise. Details on IDE environment (Dual Studio?) to be provided by Fabian. | Security Logging requirements | Bob provided logging update presentation to last PTL's meeting. Comment from Dan on potential conflicting with Logging Analytics project (unmaintained). Dan will do some research. | ongoing | Synch up with Toine by Bob to address timeline for PoC. | Out of band planning for issues and topics, technical debt | Target of 10-20% of development capacity on technical debt. This should be discussed at the planning meetings. El-Alto release was focussed on technical debt. Now we have Global Requirements implemented and reviewed compliance every release. We first focussed on Java and Python upgrades, but also to take all of the interfaces to support HTTPs, upgrade direct dependencies, or Sonarcloud findings that are security related that are critical to be fixed. Other activity is code quality improvement. ODL allignement is managed by Dan who does the upgrade based on what is available on ODL side. Mainly requirement coming from security point of view are the recurring ones (every 6 months cycle), except for code quality improvement requirement. Log4j was a good example of out of band planning, extraordinary event that we responded. | started | Meeting with David is planned. Waiting for Kenny's feedback. Correlation with ODL meeting. | SBOM meetings | The meeting on March 7th was focussed on fixing the issue with Maven which was resolved. There are no other meetings scheduled. | ongoing | SECCOM calendar - old link | In the list.onap.org for SECCOM meetings there is an old link - tobe fixed | done | Pawel to replace old zoom link with the new one - done Maggie merged the changes on the Wiki. Tony's comment to keep naming convention from headings as it corresponds to Badging questionaire. Most of the changes are usefull. Thank you Maggie! | ongoing | Muddasar will prepare grade rate assessment proposal. | |
ONAP policy update | Ramesh (ONAP Policy) gave a presentation again on enabling cluster role in policy k8s-participant’s OOM chart since they have implemented the security requirements suggested by SECCOM. REST endpoints disabled by default.
| ongoing | E-mail to be sent by Ramesh to Sylvain before end of march. | |||||||||||||||||||||||||||||||
Badging dashboard | For dynamic code analysis the answer from projects should be answered Unmet. We have static analysis buit not dynamic. Jenkins jobs for SonarCloud configured on a weekly basis - licence level we are using. | ongoing | ||||||||||||||||||||||||||||||||
Linux Security Summit - CFP | Linux Security Summit, happening June 23-24 in Austin, Texas + Virtual!
| started | Amy and Pawel to submit proposal. Tony and Maggie to provide proposal as well. | |||||||||||||||||||||||||||||||
SECCOM MEETING CALL WILL BE HELD ON 5th OF April'22. | Quality gates for code quality improvements - Fabian's presentation. 5Y review criteria - finalization of the proposal. SonarCloud fixing with new code focus. |
Recording:
View file | ||||
---|---|---|---|---|
|
SECCOM presentation:
View file | ||||
---|---|---|---|---|
|