...
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | SECCOM weekly scheduling/timing | We start every Tuesday at 1 PM UTC (currently 2 PM CET). | done | Outlook invitation update was sent, as well as an e-mail reminder 5 minutes before the meeting starts. |
| | Istanbul security improvements - press release proposal | Security is part of the ONAP DNA. The community continued to improve the security of the platform by continuing the migration from Java 8 and Python 2 to Java 11 and Python 3. Approximately 550 security and code quality issues in the ONAP-developed code were fixed. Additionally, open source dependency upgrades removed nearly 700 known vulnerabilities. In the effort to shift security further left, a proof of concept was performed that integrates security and code quality tests into the merge process. Unused and unmaintained repos were removed from the release. Finally, a uniform set of security events to be logged, and the data to be recorded about those events, were defined and will be staged into ONAP beginning with the Jakarta release. | ongoing | |
| | TSC meeting report | Requirements subcommittee: just a few requirements for Jakarta, listed at https://wiki.onap.org/display/DW/Jakarta+release+-+functional+requirements+proposed+list. OOM repos are moving to GitLab 1 week after the Istanbul release; what will be the interface for end users? | | |
| | Istanbul security achievements | Draft slides presented to SECCOM. | ongoing | Deck is ready to be presented at the next TSC meeting. |
| | Requirements Subcommittee session | Requirements Subcommittee session held yesterday. | ongoing | |
| | PTL meeting update | Software BOMs presentation by Muddasar. Feedback from Krzysztof Opasiak. | ongoing | To be further discussed next week. |
| | TSC meeting update | | ongoing | |
| | ONAP code quality improvement | Kevin created a fake project to check the feature. Toine to be contacted by Fabian. Update from Toine: OK from the team, questions to be clarified. | ongoing | Toine's details to be provided by Pawel to Fabian. |
| | SBOM update | To be confirmed whether LFN would run SBOMs, as LFN signs the ONAP code. Kenny was contacted at least twice but gave no feedback. | ongoing | LF IT ticket to be opened by Muddasar. Muddasar will also reach out to Jess and David to find the best step in the CI/CD pipeline for SBOM creation. |
| | PTLs meeting update | Meeting on November 1st was cancelled. | | |
| | Integration/OOM synch | Prometheus maintenance: the OOM team does not want to maintain it beyond keeping the most recent release, due to limited resources. A dashboard is already predefined and available for Prometheus in OOM: https://docs.onap.org/projects/onap-oom/en/latest/oom_setup_paas.html#prometheus-stack-optional. The basic image global requirement is used for the Jakarta release. | ongoing | |
| | CII Badging | Jira tickets to be created for the remaining critical and blocking issues and tied to REQ-443 for the Jakarta release. | ongoing | Tony and Amy will handle it. |
| | Jakarta release schedule | Istanbul sign-off date is November 4th. Release planning: https://wiki.onap.org/display/DW/Release+Planning%3A+Jakarta | done | |
| | Security requirements | Bob has templates for requirements submission. We will have to present our requirements to the Requirements Subcommittee. | ongoing | Alla to be contacted. |
| | Kubescape | Fabian had a meeting with Michal Jagiello. Fabian will do the comparison between Kubescape and existing tools. | ongoing | Kevin to be contacted. |
| | Weekly and daily testing by Integration team | | ongoing | Are the filebeat containers included in the release? |
| | Kubescape comparison | https://docs.sonarqube.org/latest/user-guide/security-hotspots/ covers security testing; results to be compared. Exception-file support is under consideration, as it might not be supported in the very first step. | ongoing | Integration with an exception file to be developed. |
| | Quality improvements in Istanbul release | | completed | |
| | Hot spot definition | | | |
| | Reviewing requirements by SECCOM as part of the process | E-mail was shared with Catherine. Waiting for feedback. | ongoing | Catherine to be addressed. To be discussed with Amy on Friday. |
| | Kubernetes hardening | Muddasar and Bob provided some feedback to the NSA team related to logging requirements. | | |

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 16th OF NOVEMBER'21.
Recording: attached file

SECCOM presentation: attached file