
Table columns: Jira No | Summary | Description | Status | Solution (no Jira numbers were recorded for any row).

Summary: Last TSC update
Description: CNF Task Force meeting on the 16th moved to the 31st of March; US government support may help increase open source "apps 5G".
https://zoom.us/j/219945081?pwd=ZEN3U3daem9oMGJuZ3BXZExCdldkUT09
Status: ongoing
Solution: SECCOM representatives will join this session with US military on open source secure software development for 5G.

Summary: Exceptions for Java and Python
Description: Requests were reviewed and recommendations will be provided to TSC for approval. Still missing ones (38 for Java and 40 for Python).
Status: ongoing
Solution: To find a solution to encourage PTLs to raise exception requests or simply complete the cleaning in their containers.

Summary: SECCOM requirements for Istanbul release
Description: Template to be fulfilled per each requirement. Associated Jira epics and stories to be created.
Status: ongoing
Solution: To be checked whether for global requirements we could

Summary: Next PTLs meeting SECCOM topics
Description: For the next meeting, open point for justification of not using the basic image. SonarCloud scans percentage target.
Status: ongoing
Solution: To be proposed for the meeting agenda.

Summary: SonarCloud scans
Description: Problem integrating JaCoCo (automated testing) unit test results with SonarCloud to create code coverage reports; a ticket was opened with Sonatype. Impact: the 55% code coverage target might not be reached by some projects (SDC, SO...).
Status: ongoing
Solution: Status of the submitted ticket to be checked with Jess.

Summary: Logs management – follow up by Samuli
Description: Update from Samuli: security audit logs must be produced. To be defined: which types of events to write to the security log and what information must be logged in each log entry. Syslog RFC 5424.
Status: ongoing
Solution: Logging requirements for containers and what it means to manage logs. Stdout usage document to be shared by Fabian.

Summary: Last PTL meeting
Description:
  • Exceptions for Honolulu - still for some scans we lack exception requests (see Honolulu Impact View per Component) - exceptions to be merged.
  • Moving best practice requirements (CII Badging, upgrading packages) to global - no feedback received.
  • Discussion point on SonarCloud code coverage separate targets per project; results are seen by the project after the merge.
  • Discussion point on why basic images are sometimes not used by projects; the Alpine basic image does not work.
  • CCSDK and SDNC moved to the basic image - more documentation is needed - Morgan provided it.
  • In some cases a JDK is needed at runtime - the basic image does not have it.
  • Basic Image Documentation:
Solution: Separate meetings with projects to be organized on SonarCloud code coverage target goals per project. SonarCloud, Gerrit and Jenkins feedback to be shared by Fabian.

Summary: How to create secure applications
Description: Following the last request from Chaker and the discussion at the last PTLs meeting, Tony prepared a proposal:
https://lf-onap.atlassian.net/wiki/display/DW/Secure+Programming+Practices
SECCOM will provide comments and proposals by next week. Comments/proposals/modifications were provided.
Status: pending
Solution: Chaker to be informed about this draft - e-mail to be sent by Pawel. Next week PTLs to be updated with this proposal.

Summary: Daylight savings
Description: We keep the UTC reference time for the moment, even though next week there is a time shift in the US. If there is an alternative proposal, let's review it together.
Status: done

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 23rd OF MARCH'21.
