...
Jira No | Summary | Description | Status | Solution | |||||
---|---|---|---|---|---|---|---|---|---|
Zoom security issues | Orange team will be banned next week to use zoom due to security reasons. AT&T is not using zoom for internal business - but ONAP is treated as open source, so zoom is allowed. In Samsung zoom can be used by exception. Zoom for the next 90 days will focus on fixining vulnerabilities and not delivering new features. Amy shared the link to blog with description of zoom vulnerabilities. Bad cryptography is one of the biggest issues as of today for zoom. | It is crucial to apply all the updates coming from zoom with vulnerabilities fixes. We continue using our new zoom! | |||||||
Latest feedback received from Integration team | Morgan shared following feedback:
| For the only HTTP port exposed - action Amy – to contact PTL Bharath. - no OJSI ticket assigned as it should have appeared after our scans or component was not responding at the scanning moment. No value to open an additional tickets. MUSIC team should either: remove http, switch to https or ask for a waiver with justification. | |||||||
Virtual ONAP event |
| We should come back to Architecture Subcommittee with a proposal for Service Mesh and once approved we should apprach TSC for a recommendation. | |||||||
Guilin package upgrade proposal. | Availble here. Under restricted access Wiki information about direct dependency vulnerabilities and recommended upgrade version is provided per repository. Additionally status column should reflect actual status of the upgrade process. Priority 1 is the highest and reflects critical vulnerabilities for upgrade. Priority 2 reflects severe level vulnerabilities. Each project will have all the info in one place under its dedicated Wiki. Per each project there will be ajira ticket open with link to the Wiki. In some cases we will not eliminate all vulnerbilities but we will significantly reduce them. CLAMP is the first project without any direct vulnerability - congratulations to Martial and project team! | Jira report update | Report is available here. OJSI-145 on the whitelist - to be checked why. 3 issues from SDC, one issue from VES colector blocked by some integration testing. For VNFSDK - whu they still exposing JDWP? OOM made a really good progress with passwords removal around MariaDB-galera. Morgan reprts scan results of the current ONAP instance. We expect hash commit for removing the vulnerability for transparency. | New zoom bridge for SECCOM | Kenny shared good news. We have a dedicated zoom for SECCOM purposesPTLs meeting update | Proposal for upgrading vulnerable outdated packages in Guilin: -Guilin Package Updates – each project has its restricted access Wiki where ppt was uploaded with all recommended upgrades, importance of tracking progress, some new PTLs must have an access granted! (action on Kenny?) -SECCOM-265 – each project will have a jira ticket created with link to the Wiki – when is the deadline for Guilin requriements? -JIRA report for PTLs regarding OJSIs outstanding SECCOM issues - shall emulator be whitelisted? Exceptional waiver to be granted. In long term all simulators must be fixed. If ports are not closed or moved to https, in Guilin release project will not get SECCOM waiver (as it can be granted only for 1 release!). | To approach David to check who would open Jira tickets per project for package upgrades. Communication of this policy should be done to ONAP community. | ||
Security teast with Integration team | Amy will present relevant tests to next Integration team meeting on Wednesday. Proposed tests: Integration and Built Tests For Releases | To check with OOM team whether Integration or SECCOM should do adding new Jenkins jobs for CIS tests - it should be a part of OOM verify job - those tests should be ran if container changes or even all the time. | |||||||
Service Mesh risk analysis – meeting summary available here | Service mesh requirements from security perspective followed by risk analysis. Logging was discussed with special focus on Fluentd. Fabian created a platform for service mesh. UDP not supported in service mesh? UDP support in service mesh - to be further elaborated. Link provided by Krzysztof https://istio.io/docs/ops/configuration/traffic-management/protocol-selection/ | Images | Lacking image for Go. Ubuntu 18.04 LTS. CoreOS used by ETCD. ETCD is used by MultiCloud. But the point was to update CentOS version. Tool that could be used for drawing graphes for a single image and manage to merge them into a single one. | Hackathon for https | Self-signed tls certificates to be used around begining of the release. Same methodology to be used by all projects. by M1 support for https, then Hackathon organized and by M2 everyone is integrated Review with Chaker | ||||
Jonathan finally resigned from PTL's position for AAF | John Franey is occupied with other activities and not only with AAF. | ||||||||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF APRIL'20 |
...