Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • CPS Security questionnaire review by SECCOM.
  • IT-24999 Security Issue - Sensitive information leakage 
  • Python PoC by Bob – Work in Progress – Fiachra still to be contacted
  • Progress on package upgrades
  • Progress on unmaintained repos
Jira No
SummaryDescriptionStatusSolution

Wrapping up the unmaintained repo task force 

Amy presented actual updated status.

Recap of the new process to remove repos and artifacts from the release.

  1. Identifying the candidate (no PTL), Jenkins script verifies for not updated artifact  for last 12 months
  2. Investigating if it is still needed, migration path from getting supported to getting removed. Jira for ArchiCOM to be issued.
  3. Removal - remove Jenkins job that generates images for the release. Jira tickets to be created for Doc and OOM projects.

Byung is working on updated architecture drawing for ONAP.

TSC to be informed on what are the components as part of the release. This could come from Docs project but earlier than at the moment of releasing.Security Questionnaire for CPS

ARCHCOM LFN DTF presentation, https://wiki.lfnetworking.org/download/attachments/82904014/ONAP-ARCCOM-Update-London-2023-02-14-Final2.pptx?version=1&modificationDate=1676388390000&api=v2  - see page 6 for the security framework component

  • Review SECCOM feedback on 28 February call
  • Invite CPS to 7 March SECCOM call

PTL meeting (February 27th)

Continuation of Release Management tasks review

SECCOM MEETING CALL WILL BE HELD ON 7th March 2023. 

Recordings: 

...

link

2 processes to follow:

  • PTL exists and there is normal code maintenance
  • Projects without PTL require TSC decision as not in normal code lifecycle, so not handled with regular jira tickets.
ongoing

During architecture review Archicom can update components statuses.

Architecure review template could be updated.


Security Questionnaire for CPS

As Tony is on PTO, we move this topic to the next week agenda.

moved to nextweek's agenda



PTL meeting (March 6th)

Continuation of Release Management tasks review.

Unmaintained process review.

Attendence was lite ;-(




TSC meeting (March 2nd)

Teaser on Unmaintained progress




SBOM signing

(Info from Anil)

-SBOM signing needs to be enabled for an ONAP $project specifically through JJB, since it's disabled by default at the template level [1.].

-If you want to enable this for a specific ONAP project, that can be done in [2.] or setting  a default value as `true` at a global level for the ci-management repository.

-[1.] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml

-[2.] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml

-The signing of SBOM happens towards the end of the stage/release job which is signed by sigul (key signing service set up specifically for ONAP with each LFN project having unique keys that are not common across all of LFN).

ongoingTo be further elaborated by Muddasar on unique keys on per project and how build process is secured by LF. 

Security issues raised by External researchers

IT-24999 Security Issue - Sensitive information leakage – Fiachra responded (Anuja was informed):

„As we have move sdc away from message router the apikey mentioned is no longer used. There may be some redundant calls to message router from SDC but there is no risk in terms of security.”

closing

Python PoC by Bob 

Work in Progress – Fiachra and Tony were contected.

Reprioritization of resources and no further support for now.

2 issues remaining (Wiki to be created):

  • Java nad Python implementattions – Java containers use software framework easily accessible , not the case for Python containers.
  • Getting environment together to do isolated testing.
closingWiki to be created by Bob.

Security test cases review 

https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2023-02/25_04-42/

Unlimited pods refers to unlimited resources, comes from CIS benchmark and concerns consuming lots of resources.


Muddasar to analyse tests taht are under the attached link.

SECCOM MEETING CALL WILL BE HELD ON 14th March 2023. 

  • CPS Security updated questionnaire review by SECCOM.






Recordings: 

2023-03-07_SECCOM_week.mp4

SECCOM presentation:

2023-03-07 ONAP Security Meeting - AgendaAndMinutes.pptx