Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 21st of December 2021.
Jira No | Summary | Description | Status | Solution |
---|
- https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/
- https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/vulnerabilities/CVE-2021-44228:
Issue impacting specific versions of log4j-core. ONAP projects still using version 1 that might not be (depends on configuration) but it is not supported for a long time (since 2012).
We recommend immediate upgrade to latest log4j-core version: 2.16 in both Istanbul maintenance release and in Jakarta.
Log4j upgrade | Feedback from Robert Varga from ODL received. Log4j 2.17 was released and is recommended by SECCOM.
| ongoing | For tracking purpose dedicated Jira tickets to |
info e-mail to be sent to PTLs.
Jess to be contacted.
Amy to send an e-mail to Vijay.
Muddasar to prepare info on what is needed on PTLs side to review artifacts.
3 levels under consideration: bronze, silver and gold. Basic level could be reacjing 55% of code coverage.
https://docs.sonarqube.org/latest/user-guide/metric-definitions/
Tables about project maturity (self reported) while we are doing measured approach.
be opened per project and per both releases. |
Maybe worth to open a ticket to Sonatype with dependecies issues.
AJSC dependencies - Amy will check with AT&T maintainer.
Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman.
Threadfix removes duplication of findings from different sources.
https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions
- CentOS version – verify AS-IS state to define TO-BE state, if version 8 used - > 8 stream proposed.
- Additional environmental components - updated
Centos images used: https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-12/06_03-20/infrastructure-healthcheck/k8s/kubernetes-status/versions.html
- SECCOM GRs and BPs reminder
- Info on CVE-2021-44228
- architecture review with Chaker
- unmaintaned meeting
Request on supporting unmaintned topic
VVP and VNFSDK no nominations for PTL
Issue with use case slicing
Modelling has PTL and co-PTL.
M1 approved
27th January for M2
Which repos/projects to take into account?
Start with pilot (1 or 2 projects) – info e-mail to be sent to PTLs
- DCAE (Vijay)
- CPS (Toine)
Work required: review of the artifacts generated if it is accurate.
https://jira.onap.org/browse/INT-2039 | Limit number of images | Images lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master). | ongoing | |
Centos usage | Used by Postgres with version 8 - we are targetting version 8 stream. | |||
Unmainained projects | Meeting done last Monday - to be continued on Thursday (DOC) meeting. | |||
Jakarta SCA analysis | New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426 | Update recommendations for log4j into 2.17 Post log4j info on ONAP security Wiki. | ||
TSC meeting update |
| Steve move ement Impact on Tony for CII Badging? | ||
PTL meeting update | log4j update | |||
SBOMs | Muddasar sent e-mail to Vijay and Toine. | ongoing | ||
Quality gates | Fabian will have a meeting with Seshu for SO. Next update in January. | ongoing | ||
Kubescape and Trivi scans | https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job. Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi. Threadfix removes duplication of findings from different sources. | ongoing | Fabian will have a meeting with Kubescape. Brian to share info on their Jfrog for Image scanning. | |
SECCOM presentations for incoming DDF (January). | SECCOM topics and overall agenda proposal:
Interproject proposals:
| ongoing | ||
SECCOM MEETING CALL WILL BE HELD ON 4th OF JANUARY'22. | Review - SECCOM presentations for DDF events. Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - which repos/projects to take into account? |
Recording:
View file | ||||
---|---|---|---|---|
|
SECCOM presentation:
View file | ||||
---|---|---|---|---|
|