Please find below the Minutes of Meeting and recording for the SECCOM meeting held on 21st of December 2021.

How vulnerability message reaches end user?

Jira No: CVE-2021-44228
Summary: Issue impacting specific versions of log4j-core. ONAP projects still using version 1 might not be affected (depending on configuration), but version 1 has not been supported for a long time (since 2012). We recommend an immediate upgrade to the latest log4j-core version, 2.16, in both the Istanbul maintenance release and in Jakarta.
Description: Log4j upgrade. Feedback from Robert Varga from ODL received. Log4j 2.17 was released and is recommended by SECCOM. Attachment: 2021-12-21 ONAP Security Subcommittee recommendation log4j issue v4.pptx
Status: ongoing
Solution: For tracking purposes, dedicated Jira tickets to be opened per project and per both releases.

Summary: SBOMs
Description: Which repos/projects to take into account? Start with a pilot (1 or 2 projects); info e-mail to be sent to PTLs:
  • DCAE (Vijay)
  • CPS (Toine)
Work required: review of the generated artifacts to check that they are accurate.
Status: ongoing
Solution: Info e-mail to be sent to PTLs. Jess to be contacted. Amy to send an e-mail to Vijay. Muddasar to prepare info on what is needed on the PTLs' side to review artifacts. Update: Muddasar sent an e-mail to Vijay and Toine.

Summary: Quality gates
Description: 3 levels under consideration: bronze, silver and gold. The basic level could be reaching 55% code coverage (see https://docs.sonarqube.org/latest/user-guide/metric-definitions/). The existing tables about project maturity are self-reported, while we are taking a measured approach.
Status: ongoing
Solution: Fabian will have a meeting with Seshu for SO. Next update in January.

Summary: DMaaP upgrades
Description: Log4j-core to be upgraded, but for other components there are transitive dependencies. Comments to be provided in the restricted Wiki.
Status: ongoing
Solution: Maybe worth opening a ticket to Sonatype with the dependency issues. AJSC dependencies: Amy will check with the AT&T maintainer.

Summary: Kubescape and Trivy scans
Description: https://hub.armo.cloud/docs/c-0009 - the limitation is on the pod and not on the cron job. Issue with containerd: not possible to get information on CVEs; compatibility only with dockerd and Podman. Fabian opened the ticket at Trivy. ThreadFix removes duplication of findings from different sources.
Status: ongoing
Solution: Fabian will have a meeting with Kubescape. Brian to share info on their JFrog for image scanning.

Summary: Jakarta proposed versions update
Description: https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions
  • CentOS version – verify the AS-IS state to define the TO-BE state; if version 8 is used, CentOS 8 Stream is proposed.
  • Additional environmental components - updated
CentOS images used: https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-12/06_03-20/infrastructure-healthcheck/k8s/kubernetes-status/versions.html
Status: ongoing
Solution: CentOS issue to be raised at the upcoming PTLs call.

Summary: CentOS usage
Description: Used by Postgres with version 8 - we are targeting version 8 Stream.

Summary: SCA analysis
Description: Jira tickets created for each project.
Status: ongoing
Solution: Ticket to be submitted via LF IT to Sonatype - issue with API documentation.

Summary: Jakarta SCA analysis
Description: New Wiki page created for the recommended log4j upgrade: Log4j upgrade recommendation. Ticket opened by Amy on the Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426
Solution: Update the recommendation for log4j to 2.17. Post the log4j info on the ONAP security Wiki.

Summary: PTL meeting update
Description:
  • SECCOM GRs and BPs reminder
  • Info on CVE-2021-44228
  • architecture review with Chaker
  • unmaintained meeting
  • log4j update
Status: done
Solution: Next week meeting with Thomas for the unmaintained presentation for DDF.

Summary: TSC meeting update
Description: Request on supporting the unmaintained topic. VVP and VNFSDK: no nominations for PTL. Issue with use case slicing. Modelling has a PTL and a co-PTL. M1 approved. 27th January for M2.
  • Log4j Istanbul maintenance release
  • Steve Winslow left LFN
Steve's move: impact on Tony for CII Badging?
Status: done

Jira No: https://jira.onap.org/browse/INT-2039
Summary: Limit number of images
Description: Images lifecycle management - need to limit the number of images. Need to keep Istanbul scanning (different from what is in Master).
Status: ongoing

Summary: Unmaintained projects
Description: Meeting done last Monday - to be continued on Thursday at the (DOC) meeting.

Summary: SECCOM presentations for the incoming DDF (January)
Description: SECCOM topics and overall agenda proposal. Interproject proposals:
  • SBOMs ONAP story – Muddasar/Pawel topic
  • Monday, 10th of January, 2:30 UTC
Status: ongoing
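As an added illustration (not code from SECCOM or any ONAP project) of how a PTL could check the 2.17 recommendation above against a build, including the transitive dependencies raised in the DMaaP row: the script below parses the output format of `mvn dependency:tree` and flags any log4j-core below the recommended version and any unsupported log4j 1.x artifact. The dependency tree is a constructed sample, and the `legacy-lib` pulling in the transitive log4j-core is hypothetical.

```python
import re

# Minimum log4j-core version recommended by SECCOM in the minutes above.
RECOMMENDED = (2, 17, 0)

# Constructed sample of `mvn dependency:tree` output (not from any ONAP build):
# a direct log4j-core 2.16.0, a transitive log4j-core 2.14.1 pulled in by a
# hypothetical library, and an unsupported log4j 1.x artifact.
SAMPLE_TREE = """\
[INFO] org.example:demo-service:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] +- org.example:legacy-lib:jar:3.2.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# One dependency line: the tree prefix ("+- ", "|  \- ", ...) is 3 chars per
# level, so a prefix longer than 3 chars marks a transitive dependency.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<tree>[|+\\ -]*)(?P<group>[^:\s]+):(?P<artifact>[^:]+):"
    r"[^:]+:(?P<version>[^:]+):\w+$"
)

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def find_log4j_findings(tree_text, minimum=RECOMMENDED):
    """Return a list of (coordinate, version, transitive, reason) for every
    log4j artifact in the tree that does not meet the recommendation."""
    findings = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # root line or non-dependency output
        coord = f"{m['group']}:{m['artifact']}"
        transitive = len(m["tree"]) > 3
        if coord == "org.apache.logging.log4j:log4j-core":
            if parse_version(m["version"]) < minimum:
                findings.append((coord, m["version"], transitive,
                                 "below recommended 2.17"))
        elif m["group"] == "log4j":
            findings.append((coord, m["version"], transitive,
                             "log4j 1.x, unsupported since 2012"))
    return findings
```

Running `find_log4j_findings(SAMPLE_TREE)` on the sample reports three findings: the direct 2.16.0, the transitive 2.14.1, and the 1.2.17 artifact.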



SECCOM MEETING CALL WILL BE HELD ON 4th OF JANUARY'22. 

Review - SECCOM presentations for DDF events.

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?




Recording: 2021-12-21_SECCOM_week.mp4

SECCOM presentation: 2021-12-21 ONAP Security Meeting - AgendaAndMinutes.pptx