Versions Compared

Old Version 2

changes.mady.by.user Paweł Pawlak

Saved on

compared with

New Version Current

changes.mady.by.user Paweł Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

SPDX 3.0 update

Muddasar provided an update on SPDX version 3 and SBOM update.

SLIDES 

Effort to move SPDX 3.0 to ISO standard still to be done.Topic suggestion from OOM 

Jack shared problematic on legacy basic authentication on API communication (DCAE and AAI http communication example with fixed clear text password in configuration file in OOM).

We need to look for the cases where we have some legacy authentication method in ONAP and get rid of it in favor of service mesh.

Service Mesh shall take care of mutual authentication of TLS communication between ONAP components and authorization policies take care of restricting communication between components.

In Montreal all ONAP components will be forced to use only service mesh, and MSB will not be available.

started

Draft presentation to be prepared by Amy with the Global Requirement and shared with ONAP community.

TSC meeting to be used for making intro on the legacy basic authentication.

Infosys team to be contacted for their potential contribution in Montreal release to removal of legacy basic authentication. 


CPS Road to gold 

Tony prepared his part of the deck for a common presentation and shared with Lee AngellaAnjella who shared some input as well.

ongoing

Tony will join next TSC and share SECCOM recommendation for 2FA.

 to be reviewed. Amy will contact Jess.


OJSI list of people to be reviewed. Amy will contact Jess.We started with Amy reviewing the list. In fact there are 2 lists: one for OJSI updating and the other for vulnerability disclosure. Access to OJSI Jira process clarification with Jess is ongoing. ongoing

Logging PoC

https://lf-onap.atlassian.net/wiki/pages/viewpage.action?pageId=16520434

We hope ONAP consumers will benefit from the efforts and take some next steps.

stopped

DTF event and SECCOM presentation

Let's have a common Slide deck to be prepared by Pawel as a SECCOM voice towards ONAP community.

Slide with packages upgrades to be added as well as security template in architecture review template. 

started

Latest weekly scans

Marek was able to initiate latest run of scans.

Results are progressing, cassandra and zk-tunnel-svc to be further elaborated.

Marek does not know which project is using zk-tunnel-svc - it is not in Jenkins

ONAP-discuss question was raised but still no feedback so far.

ongoing

PTL meeting (May 22nd)

-PTLs upgrades for London release

2023-05-22 ONAP London release pakages upgrades.pptx - total vulns reduced significantly!

-Issue raised for images creation (Sigul signing problem) – jira ticket opened by Liam last week: https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-25552

-RC blocker!

29th)

Cancelled due to day off in USA.




TSC meeting (May 18th25th)

-Review of the deck for Governance Board (presentation last week)

-2FA issue presented as summary of meeting Andreas and LF- IT last week – still some actions pending… but

-Feedback from Andy received ;-)

  • 2FA can be available generally on Linux Foundation IDs and should be turned this on at the individual account level - ticket to be raised individually to LF IT.
  • It can enforceed across the entire Gerrit instance if the TSC were to ratify a request that we do this and an appropriate ticket was raised on it.
  • In either case, when 2FA is enabled on the account the first attempt to login via the UI after having it enabled would walk through a 2FA onboarding workflow.
  • If this done by TSC mandate, then the 2FA would only affect accounts as they access Gerrit via the webUI. If an account holder wants it across _all_ of their LFID web accesses, then they would still need to talk to the support desk individually for that.
    • In no case would enabling 2FA affect SSH transport to Gerrit, nor would it affect HTTPS transport to Gerrit (via the Gerrit supplied HTTPS password which is effectively a user TOKEN) as both of those transports are operating in a manner that would have required an authenticated web session for configuration before being available. This is comparable to both GitHub and GitLab 2FA solutions around git itself.

    Tony presented SECCOM recommendation which was accepted by TSC, we run with CPS PoC for 2FA!!!




    SECCOM MEETING CALL WILL BE HELD ON 6th 13th JUNE 2023. 

    Security review in ARCCOM







    Recordings: 

    2023-05-30_SECCOM_week.mp4

    SECCOM presentation:

    View filenameSPDXV3_MSA.pptxheight2502023-05-30 ONAP Security Meeting - AgendaAndMinutes.pptx