| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | Log4j upgrade | Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 | ongoing | For tracking purposes, dedicated Jira tickets are to be opened per project and for both releases. |
| https://jira.onap.org/browse/INT-2039 | Limit number of images | Image lifecycle management: need to limit the number of images. Need to keep Istanbul scanning (different from what is in Master). | ongoing | |
| | CentOS usage | Used by Postgres with version 8; we are targeting the version 8 stream. | | |
| | Unmaintained projects | Meeting done last Monday; to be continued at Thursday's (DOC) meeting. | | |
| | Jakarta SCA analysis | New wiki page created for the recommended log4j upgrade: "Log4j upgrade recommendation". Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426 | | Update recommendations for log4j to 2.17. Post log4j info on the ONAP security wiki. |
| | TSC meeting update | Steve movement: impact on Tony for CII Badging? | | |
| | PTL meeting update | log4j update | | |
| | SBOMs | Muddasar sent an e-mail to Vijay and Toine. | ongoing | |
| | Quality gates | Fabian will have a meeting with Seshu for SO. Next update in January. | ongoing | |
| | Kubescape and Trivy scans | https://hub.armo.cloud/docs/c-0009 ; the limitation is on the pod and not on the cron job. Issue with containerD: not possible to get information on CVEs. Compatibility only with DockerD and Podman. Fabian opened the ticket at Trivy. ThreadFix removes duplication of findings from different sources. | ongoing | Fabian will have a meeting with Kubescape. Brian to share info on their JFrog for image scanning. |
| | SECCOM presentations for incoming DDF DTF (January) | SECCOM topics and overall agenda proposal: Interproject proposals: | ongoing | |
| | SECCOM MEETING CALL WILL BE HELD ON 18th OF JANUARY '22. | Review: SECCOM presentations for DDF events. Quality gates for code quality improvements: continuation of the discussion. SBOM next steps: which repos/projects to take into account? | | |
Recording: attached file (not reproduced here).

SECCOM presentation: attached file (not reproduced here).