
[REQ-437 -> REQ-800] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)

[REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)

[REQ-439 -> REQ-863] -> REQ-1066 -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES

[REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL

Jira No | Summary | Description | Status | Solution

Vulnerable package reporting automation

Presentation provided by Brianna and Bert. Great job (150 hours → 2 hours)! Saves a lot of manual work for us.

Enhancements for the future:

  • flag for failing CLM scanning Jenkins job (older than 1 week)
  • CVE list with threat level ratio
  • remove _xD000_ from CVE names
  • log4j-core recommended version to be updated to 2.17.1
  • use the Wiki reference with recommended versions as the single source of truth, read dynamically
  • option to configure other jobs (non-master), which would be useful for Maintenance Release analysis
  • additional tab with unstructured data
ongoing

Import Excel into Confluence:

https://community.atlassian.com/t5/Confluence-articles/How-to-import-an-excel-file-into-Confluence-using-Elements/ba-p/1672151
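As an added illustration (not the automation Brianna and Bert presented, whose code is not on this page), the checks from the enhancement list above run over a constructed scan export: a stale-job flag, the severity ratio, stripping the Excel `_xHHHH_` token from CVE names, and a recommended-version lookup standing in for the wiki table. Job names, CVE ids, the `example-lib` package and the dates are made up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Stand-in for the wiki "recommended versions" table (assumed, not the real wiki page).
RECOMMENDED = {"log4j-core": "2.17.1"}
STALE_AFTER = timedelta(days=7)                  # scans older than one week are flagged
EXCEL_TOKEN = re.compile(r"_x[0-9A-Fa-f]{4}_")   # Excel encodes control characters as _xHHHH_


def clean_cve(name):
    # Strip Excel control-character tokens glued onto CVE ids in the export.
    return EXCEL_TOKEN.sub("", name).strip()


def parse_version(text):
    # "2.17.1" -> (2, 17, 1) so versions compare numerically rather than as strings.
    return tuple(int(p) for p in re.findall(r"\d+", text))


def triage(rows, now):
    # Summarise one export: stale jobs, severity ratio, packages below the recommended version.
    severities, cves = Counter(), []
    stale_jobs, below = set(), set()
    for row in rows:
        severities[row["severity"]] += 1
        cves.append(clean_cve(row["cve"]))
        if now - row["scanned"] > STALE_AFTER:
            stale_jobs.add(row["job"])
        rec = RECOMMENDED.get(row["package"])
        if rec and parse_version(row["version"]) < parse_version(rec):
            below.add((row["package"], row["version"]))
    total = sum(severities.values())
    ratio = {sev: round(n / total, 2) for sev, n in sorted(severities.items())} if total else {}
    return {"cves": cves, "stale_jobs": sorted(stale_jobs),
            "severity_ratio": ratio, "below_recommended": sorted(below)}


# Constructed sample export: job names, CVE ids, package "example-lib" and dates are made up.
SAMPLE_NOW = datetime(2022, 5, 10)
SAMPLE_ROWS = [
    {"job": "job-a", "package": "log4j-core", "version": "2.13.3", "cve": "CVE-0000-0001_x000D_",
     "severity": "critical", "scanned": datetime(2022, 5, 9)},
    {"job": "job-b", "package": "example-lib", "version": "1.0.0", "cve": "CVE-0000-0002",
     "severity": "high", "scanned": datetime(2022, 4, 20)},
    {"job": "job-a", "package": "log4j-core", "version": "2.17.1", "cve": "CVE-0000-0003",
     "severity": "medium", "scanned": datetime(2022, 5, 9)},
    {"job": "job-c", "package": "example-lib", "version": "1.2.0", "cve": "CVE-0000-0004_x000D_",
     "severity": "high", "scanned": datetime(2022, 5, 1)},
]
```

Calling `triage(SAMPLE_ROWS, SAMPLE_NOW)` flags job-b and job-c as stale, reports the 2.13.3 log4j-core row as below the recommended version, and returns the CVE ids without the Excel token.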

LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

started


  • SECCOM topics proposal:

    • SECCOM retrospectives:
      • Log4j fix implementation in Istanbul Maintenance Release
      • Jakarta security status update
    • Kohn security goals:
      • Global Requirements and Best Practices
      • Security PoCs:
      • logging req
      • code quality
      • service mesh
    • SBOM enablement and maintenance, and packaging
    • Waiver policy update
    • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.
    • On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony.
    • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?
    • Security principles in the implementation – Tony, Maggie - work in progress; risk that it can only be delivered for one of the next conferences.
started

Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration.

Fabian to check whether he could contribute on how software is qualified for deployment and what due diligence was performed.

Follow-up with Kenny to be done.



OSA documentation update per release

Thomas asked for a branch to be created for Jakarta.

started

Pawel: to be done.

Last PTLs meeting – 25th of April

1. SDC-3954 - open

2. SDNC-1692 - done

3. OOM-2957 - open - reassigned to Fiachra

    • fix root_pods in Jakarta release:

1. OOM-2958 - open - reassigned to Fiachra

2. INT-2104 - in progress




Last PTLs meeting – 9th of May

Tony presented the 5Y project review – CPS volunteered to be the PoC and review the questionnaire.

ongoing

Once Toine completes, we will review the questionnaire. SECCOM to be updated.

Unmaintained Projects

Amy presented the unmaintained project deck to the Architecture Subcommittee on 3 May and to the TSC on 12 May. Good exchanges with Chaker and Byung:

Amy to book slot
  • we should check the dependency on OOM before removing Jenkins jobs (including for projects without PTLs).
  • changes to the repo to be verified; if there is no change, it means the repo was not touched, to be validated by the Architecture Subcommittee

Updated presentation is available below.


Amy to present at 12 May TSC call


Outline for the yellow to be added.


Update on failing security tests: same list as under the PTLs meeting of 25th of April above.


Security tests that are performed to be reviewed for test coverage and identification of missing items.

SBOM: patch to add the path for VES

-Jess is trying to validate the procedure

  • SBOM still not working in sandbox

ongoing

Muddasar to share the e-mail that Vijay shared with Jess.

CPS gold badge

Dedicated meeting to be scheduled – 2 tickets created at LFN IT:

Adoption issue requires manual manipulation of workspace flag.

Next step to get PTL onboard and set target date when LF IT would implement ONAP projects

ongoing

CPS gold badge 
  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP – info from Andrew G.: "It's possible but non-trivial at present. I'm working on trying to make a case for making this easier to do as I can get 2FA turned on, but then if people need to change things related to it it would require helpdesk intervention with no self-service. Basically, our current setup is user hostile and could be made significantly better."
  • IT-23829 Hardening LFN hosted ONAP project web sites - good progress
  • Gerrit has now been updated to receive an A grade on securityheaders.com (thanks to this change we will be getting this on all of the Gerrit we operate as the systems pick up their updates).
  • done – info from Andrew G.: All 3 Nexus systems for ONAP are now reporting grade A. We'll be taking these changes to our other managed Nexus systems as well, so thanks for the poke to improve our security posture. We are still working on getting the headers fixed for the nexus systems (getting a C) as well as strengthening the wiki and jira systems (scores: they're already getting an A but both of them are showing some items that could be made stronger).

Next focus on Nexus to get A grade.

LFN white paper 5G E2E security

https://lfnetworking.org/wp-content/uploads/sites/7/2022/04/LFN-Security-Whitepaper-v4.pdf?utm_campaign=LFN%20Newsletter&utm_medium=email&_hsmi=210819121&_hsenc=p2ANqtz-8l0-nc3Y9V0NGaQ63h3EBkuxAT5KxkeHGJJ_bM7pbtql_aQEOQvjeTpEsJrDmEQCzJ2c2Ar7yeIU45g9PD0JX30oKCkQ&utm_content=210819121&utm_source=hs_email

MFA for ONAP

Discussed whether MFA should be natively supported by ONAP.

  • Users of ONAP will likely want to integrate with their own identity and access management (IAM) platforms
  • ONAP could provide out of the box integration with an open source IAM platform such as KeyCloak
Service Mesh

OOM is working on ServiceMesh even though there is no OOM PTL

EST (E///) and DT have a goal to complete the ServiceMesh in Kohn

  • EST working on integration/implementation
  • DT is doing Testing

Invite ServiceMesh SMEs to SECCOM meeting for update.

Pawel to invite ServiceMesh SMEs to SECCOM call.

Need to identify the EST and DT SMEs

5Y review 

To be presented on May 9th to PTLs.

  • request volunteers
  • original ONAP projects are highest priority
  • newer projects also eligible for reviews
Tony will present at 9 May PTL call.

OpenSSF intro by David Wheeler

Link to recording and slide deck: 

https://wiki.lfnetworking.org/display/LN/LFN+Security+Forum

review for the near future – are our pipeline or processes optimal?

to be done
ongoing

logging PoC report

Ajay (Ericsson) is working on the connection between Fluent Bit and ElasticSearch. He is leaving Ericsson end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan.

Prototype for logging fields.

ongoing

Update and demo will be provided - Byung coordinates that.

CPS PoC

Fabian tried to join Seshu. How to move forward: share results of the PoC during the PTLs meeting to build awareness, followed by a proposal to the community. A closed loop for results is definitely of value for the developer.

ongoing

Outcomes of the CPS PoC to be presented in the coming weeks.

NIST 5G Cybersecurity draft document

https://csrc.nist.gov/publications/detail/sp/1800-33/draft

started

To be addressed at the next SECCOM.

Kohn SECCOM Global Requirements

started

Logging requirement - target full PoC for Kohn and then Global Requirement for London release.

ongoing

Technical debt

Presentation provided by Muddasar:

Attachment: ONAP Technical Debt Management.pptx

El Alto was first release focusing on technical debt and it was a shorter release.

started

We shall have Jira issues for all technical debt issues to track them.

To review the last 2 slides at the next meeting - slides to be shared by Muddasar to the SECCOM distribution list - done.

One slide to be prepared and then shared with PTLs and the architecture subcommittee.


SECCOM MEETING CALL WILL BE HELD ON 17th OF MAY'22. 


Review of technical debt slides with special focus on 2 last ones.





Recording: 2022-05-10_SECCOM_week.mp4 (attachment)

SECCOM presentation: 22_04_18_ONAPUnmaintainedProjects_v5.pdf (attachment)

Attendees: 2022-05-10 ONAP Security Meeting - AgendaAndMinutes.pptx (attachment)