Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolutionTSC meeting update

Honolulu maintenance release approved

Jakarta timeline proposed: Release Planning Jakarta

Participants reminded to vote for TSC membership


Angular experience on dependencies

Jared presented his development results on app dependency cluster graph.

Slides presented - please refer to thebottom of this page for a link.
 

started

ONAP release notes and dependencies

Thomas was contacted. He is retrieving info via script about all the components. Output:

Dependencies between components or with external projects are not tracked here.

ongoingTo review the context of this requestGoogle is investing in open source security 

Google is investing $1 million in the Linux Foundation's Secure Open Source (SOS) pilot program to make open source projects more secure (Amy).

Payment for fixing the bugs.

https://www.zdnet.com/article/open-source-google-is-going-to-pay-developers-to-make-projects-more-secure/

According to Google, SOS is "the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF (Open Source Security Foundation)," a cross-industry forum that collaborates on the improvement of open source software security.

Samuli shared also: https://openssf.org/

started

Kubernetes hardening 

https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/ ,v2 version is coming!

New tool Kube-scape based on  like Kube-bench based on CIScat guidance. Kube-

ongoing

Angular experience on dependencies

Nexus-IQ has some capabilities, Jarred's tool is doing something what NEXUS-IQ does not, so he is building dependency tree of the application written by Amy's tem as oppose to do anything to do with third party packages. We are not capturing as of today repos that nobody is using them. Nexus views is a new feature. Jared's approach allows for inter project dependencies based on AST (work based on source code) vs. Nexus-IQ based on POM files (no reference to the code itself). 

ongoingTo leverage on NEXUS-IQ APIs - some resources could contribute - Bob will make a query.

SonarCloud findings

AAI fixes (95 security hotspots identified by SonarCloud and fixed by Fabian's team member).


ongoingSonarCloud cleaning is needed - list projects and open a ticket to LFN to remove the projects that are not participating.

SCA automation efforts updateaccess granted to Nexus-IQ reports and restricted WikiongoingBob and Shean might be consulted.

Feature template follow-upMuddasar had a meeting with Alla. Muddasar is preparing a slide deck to be presented at the TSC.ongoingSlides with the proposal to be presented at the TSC.SonarCloud coverage for Jakarta releaseFocus on security vulnerabilities that have blocker or critical rank. In Sonar it is called hotspot.startedTSC  - first draft by end of this week or next week

[REQ-441]

New Global Requirement

 [REQ-441] LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – PROPOSAL FOR JAKARTA.

ongoingNext PTLs meeting on 18th of October - agenda

Kubernetes hardening

Shared by Brian: https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/

CubeCon next week, slack channel exists for Kubernetes security.

startedONAP code quality improvement Work in Progress, Fabian received an e-mail last week - name of Kevin Sandy from LFN will be contacted.ongoingKevin Sandy from LFN to be contacted.

Software BOMsNTIA recommended minimal requirements will not be met from POM file, soe upsrtream integration will be needed - Muddasar and Sean are woeking on it.ongoingUpdate next week expected.

Jakarta best practices review

-[REQ-xxx] SECURITY LOGS FIELDS - multiple reqs or one per field?

-[REQ-xxx] Feature intake template

-[REQ-xxx] Using basic image from OOM

-[REQ-xxx] Software BOMs – more informative, no impact on pipeline, is it a single BOM for whole ONAP or atomic level, any usit should have its own BOM file.

ongoing

To be confirmed if LFN would run SBOMs, as LFN signes the ONAP code. Kenny to be addressed.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 19th OF OCTOBER'21. Kubernetes hardening (Brian)

CADI and AAF replacement (Byung) 



...

View file
name2021-10-12_SECCOM_week.mp4
height150

SECCOM presentation:

View file
name2021-10-12 ONAP Security Meeting - AgendaAndMinutes.pptx
height150