Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 15th of March 2022.

Table columns: Jira No | Summary | Description | Status | Solution

Synch with ONAP documentation - Thomas (status: ongoing)

Release Notes organization:

Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO, VNFSDK.

https://docs.onap.org/en/latest/release/index.html#istanbul-maintenance-release-9-0-1

  • Where to place the info about transitive dependencies (composite/project/repo release notes) – both composite and per project/functional element
  • The level of detail for this info – just a statement about the remaining transitive dependency, and under bug fixes a note on fixing log4j by upgrading the relevant repo component.
  • The author for this info - Amy
  • How to communicate it to the projects – with a Jira ticket created per transitive dependency for log4j

Projects/functional repos with transitive dependencies for log4j:

  • onap-aai-aai-common
  • onap-aai-babel
  • onap-aai-resources
  • onap-aai-schema-service
  • onap-aai-traversal
  • onap-ccsdk-apps
  • onap-ccsdk-cds
  • onap-ccsdk-distribution
  • onap-ccsdk-features
  • onap-ccsdk-parent
  • onap-ccsdk-sli
  • onap-dcaegen2-services-mapper
  • onap-dmaap-messagerouter-messageservice
  • onap-multicloud-framework-artifactbroker
  • onap-sdnc-apps
  • onap-so
  • onap-vnfsdk-refrepo
  • onap-vnfsdk-validation
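The direct-versus-transitive split discussed above is exactly what the release notes need to state per repo. As an added example (not ONAP project code), the script below parses the text that `mvn dependency:tree` prints, classifies every Log4j artifact (both the `org.apache.logging.log4j` and the legacy `log4j` group) as direct or transitive, records which top-level dependency pulls a transitive one in, and sorts the results into the two release-note buckets. The sample tree, the coordinates in it, and the `2.17.1` version floor are constructed assumptions for the example.

```python
"""Classify Log4j artifacts in `mvn dependency:tree` output as direct or transitive.

Added example, not ONAP project code. SAMPLE_TREE is constructed; on a real
repository run `mvn dependency:tree -Dincludes=org.apache.logging.log4j,log4j`
and feed its output to find_log4j().
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG4J_GROUPS = {"org.apache.logging.log4j", "log4j"}

# Constructed sample in the shape Maven prints (hypothetical coordinates).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-app ---
[INFO] org.onap.example:example-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.example:legacy-logging-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] +- org.example:other-lib:jar:1.0.0:compile
[INFO] |  \\- org.example:inner-lib:jar:0.9.0:compile
[INFO] |     \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Each nesting level is three glyph characters ("|  " or "   "); the node
# itself starts with "+- " or "\- ". Trailing text (verbose mode) is ignored.
NODE_RE = re.compile(r"^(?P<indent>(?:[| ]{3})*)[+\\]- (?P<coord>\S+)(?: .*)?$")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    scope: str
    direct: bool
    via: Optional[str]  # top-level dependency that pulls it in; None when direct


def parse_coord(coord: str):
    """groupId:artifactId:packaging[:classifier]:version:scope -> fields."""
    parts = coord.split(":")
    if len(parts) == 6:
        group, artifact, _pkg, _cls, version, scope = parts
    elif len(parts) == 5:
        group, artifact, _pkg, version, scope = parts
    else:
        raise ValueError(f"unexpected coordinate: {coord}")
    return group, artifact, version, scope


def find_log4j(tree_text: str) -> List[Finding]:
    findings: List[Finding] = []
    path: List[str] = []  # "group:artifact" chain from depth 1 to the current node
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = NODE_RE.match(line)
        if not m:
            continue  # root artifact, plugin banner, blank lines
        depth = len(m.group("indent")) // 3 + 1
        group, artifact, version, scope = parse_coord(m.group("coord"))
        del path[depth - 1:]          # unwind to this node's parent
        path.append(f"{group}:{artifact}")
        if group in LOG4J_GROUPS:
            findings.append(Finding(group, artifact, version, scope,
                                    direct=(depth == 1),
                                    via=None if depth == 1 else path[0]))
    return findings


def version_key(version: str):
    """Numeric tuple for ordering; non-numeric parts such as 'rc1' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def needs_upgrade(f: Finding, floor: str = "2.17.1") -> bool:
    # Assumed floor for the example. Anything below it is flagged, which also
    # catches the 1.x line (group "log4j") through plain version ordering.
    return version_key(f.version) < version_key(floor)


def release_note_rows(findings: List[Finding], floor: str = "2.17.1") -> Dict[str, List[Dict[str, str]]]:
    """Split flagged findings into the two release-note buckets: direct ones
    (fixed in the project's own pom) and transitive ones (tracked per ticket)."""
    rows: Dict[str, List[Dict[str, str]]] = {"direct": [], "transitive": []}
    for f in findings:
        if not needs_upgrade(f, floor):
            continue
        rows["direct" if f.direct else "transitive"].append({
            "artifact": f"{f.group}:{f.artifact}", "version": f.version,
            "scope": f.scope, "via": f.via or ""})
    return rows


if __name__ == "__main__":
    for bucket, entries in release_note_rows(find_log4j(SAMPLE_TREE)).items():
        print(bucket)
        for e in entries:
            print(f"  {e['artifact']} {e['version']} ({e['scope']})"
                  + (f" via {e['via']}" if e["via"] else ""))
```

Running it on one repository per loop iteration gives the per-project rows the release notes call for; the `via` column is the component whose upgrade would actually remove the transitive Log4j, which is the information a Jira ticket per transitive dependency should carry.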
Status: ongoing

Tickets to be opened by Pawel for the remaining transitive dependencies, on a per-project basis:

Security Logging Presentation to Akraino TSC - Bob

Security logging presentation today at 15:00 UTC. Here is the meeting info if you would like to join.

https://wiki.akraino.org/display/AK/TSC+2022-03-08+%28Tuesday%29+7%3A00+am+Pacific


Out of band planning for issues and topics, technical debt

Target of 10-20% of development capacity on technical debt. This should be discussed at the planning meetings.

The El Alto release was focused on technical debt. Now we have Global Requirements implemented, and compliance is reviewed every release.

We first focused on Java and Python upgrades, but also on bringing all interfaces to support HTTPS, upgrading direct dependencies, and fixing the security-related SonarCloud findings rated critical. Another activity is code quality improvement.

ODL alignment is managed by Dan, who does the upgrade based on what is available on the ODL side.

Most requirements coming from the security side are recurring ones (every 6-month cycle), except for the code quality improvement requirement.

Log4j was a good example of out-of-band planning: an extraordinary event to which we responded.

Status: started

Code quality gate 

A meeting with Seshu was planned, but due to a calendar issue it will be moved to next week.

How to turn-on/off Jenkins job example: Enabling Jenkins job sonar-verify

CPS blocks the code if it does not pass the quality gate.

3 quality gates considered.




SonarLint (https://www.sonarlint.org/) - real-time information about code quality.


Istanbul Maintenance Release Notes

Tickets were opened by Pawel for the remaining transitive dependencies, on a per-project basis:




ONAP Security Review Questionnaire template first cut – Tony

We move discussion on 22nd of March

https://wiki.onap.org/display/DW/ONAP+Security+Reviews
https://lf-onap.atlassian.net/wiki/display/DW/ONAP+Security+Reviews
https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template

Status: ongoing

Solution: SECCOM members to review the proposed draft and discuss it further next week.

Packages upgrades for Jakarta

As of today the project teams have upgraded 103 of 299 identified vulnerable direct dependencies for the release (~34%).

Ask the TSC to focus on security by sending an e-mail to the TSC and discussing this issue on Thursday.

Time shift in the US on 13th March and in the EU on 27th March. Please check that the meeting invitations are displayed accordingly.

Quality gates

No update. Meeting with Seshu to be done.

Issue with Wiki creation by Tony

Ticket to be created to solve the issue.

We want to start simple and small.

Time it takes to document vulnerabilities and time it takes to resolve them. The assurance section might be expanded.

Maggie will present comments.


We book the agenda for next SECCOM.

ONAP Jakarta: Vulnerable Package Upgrades - Amy

DCAE had 35 dependencies to update and upgraded all but one. Nexus IQ is identifying transitive dependencies as well as direct ones, and there is a fix that is under Jess's responsibility.

A&AI upgraded more than half of its packages.




SBOM synch meeting with Jess 

Issue with the Maven plugin - a bug in the instructions; Jess will try it.

Trivy is now available for SBOM generation (CycloneDX):
https://aquasecurity.github.io/trivy/v0.24.2/advanced/sbom/cyclonedx/


To verify with Jess the status update.
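Once an SBOM exists, the question the minutes keep returning to (is Log4j still shipped, and through which component) can be answered from the SBOM alone instead of from each build. As an added example (not ONAP or Trivy code), the script below reads a CycloneDX JSON document, walks its `dependencies` graph from the root component, and reports every Log4j component with whether it is direct and, if not, which top-level component pulls it in. `SAMPLE_SBOM_JSON` is a constructed, minimal CycloneDX 1.4 document; its field names follow the CycloneDX schema (`components`, `bom-ref`, `purl`, `dependencies`), not Trivy's exact output, and the coordinates in it are hypothetical.

```python
"""Locate Log4j components in a CycloneDX SBOM and show how each is reached.

Added example, not ONAP or Trivy code. SAMPLE_SBOM_JSON is a constructed,
minimal CycloneDX 1.4 document; pass the text of a real SBOM file to
find_log4j_in_sbom() to get the same report.
"""
import json
from collections import deque
from typing import Dict, List, Optional, Tuple

LOG4J_GROUPS = {"org.apache.logging.log4j", "log4j"}

# Constructed sample: an application with a direct log4j-api and a log4j-core
# pulled in transitively by a hypothetical legacy library.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "bom-ref": "pkg:maven/org.onap.example/example-app@1.0.0",
        "type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1",
         "type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        {"bom-ref": "pkg:maven/org.example/legacy-logging-lib@3.2.0",
         "type": "library", "group": "org.example",
         "name": "legacy-logging-lib", "version": "3.2.0",
         "purl": "pkg:maven/org.example/legacy-logging-lib@3.2.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3",
         "type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.13.3",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.onap.example/example-app@1.0.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1",
                       "pkg:maven/org.example/legacy-logging-lib@3.2.0"]},
        {"ref": "pkg:maven/org.example/legacy-logging-lib@3.2.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"]},
    ],
})


def parse_maven_purl(purl: str) -> Optional[Tuple[str, str, str]]:
    """pkg:maven/<group>/<artifact>@<version>[?qualifiers] -> (group, artifact, version)."""
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):].split("?", 1)[0].split("#", 1)[0]
    group, _, rest = body.rpartition("/")
    artifact, _, version = rest.partition("@")
    return group, artifact, version


def shortest_paths(sbom: dict) -> Dict[str, List[str]]:
    """Breadth-first walk of the dependency graph from the root component;
    returns, for every reachable bom-ref, the chain of refs from root to it."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in paths:  # first visit is the shortest path
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def find_log4j_in_sbom(sbom_text: str) -> List[dict]:
    sbom = json.loads(sbom_text)
    paths = shortest_paths(sbom)
    report = []
    for comp in sbom.get("components", []):
        parsed = parse_maven_purl(comp.get("purl", ""))
        if parsed is None or parsed[0] not in LOG4J_GROUPS:
            continue
        group, artifact, version = parsed
        path = paths.get(comp["bom-ref"])  # None: listed but not wired to the root
        report.append({
            "artifact": f"{group}:{artifact}",
            "version": version,
            "reachable": path is not None,
            "direct": path is not None and len(path) == 2,
            "via": path[1] if path and len(path) > 2 else None,
        })
    return report


if __name__ == "__main__":
    for row in find_log4j_in_sbom(SAMPLE_SBOM_JSON):
        kind = "direct" if row["direct"] else f"transitive via {row['via']}"
        print(f"{row['artifact']} {row['version']}: {kind}")
```

A component that appears in `components` but is not reachable from the root in `dependencies` is reported with `reachable` false rather than dropped; that case usually means the SBOM generator did not record the graph, and the result should then be cross-checked against the build tool's own dependency tree.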

PTL meeting

Update on Vulnerable Package Upgrades




TSC meeting

Remaining transitive dependencies in Istanbul Maintenance




SECCOM MEETING CALL WILL BE HELD ON 22nd OF MARCH'22. 

5Y review criteria.

SonarCloud fixing with new code focus.

Quality gates for code quality improvements - continuation of the discussion






Recording: 2022-03-15_SECCOM_week.mp4

SECCOM presentation: 2022-03-15 ONAP Security Meeting - AgendaAndMinutes.pptx