Page Comparison

REQ-801

REQ-800

REQ-863

REQ-443

Java and Python - waivers issued after PTL's meeting. Merges issued by SECCOM.

Strong improvement from Honolulu release.

To create best practice for standard integration images, so we could get rid of old Python and Java.

Security scans 100% → 57% - to be further investigated.

• Waivers tracing for SECCOM global requirements:
  • vfc-huawei-vnfm-driver -pending question
  • Wildcard not supported in waiver management (message-router-* was replaced by message-router-kafka and message-router-zookeeper
  • other yellow line
    • framework-artifactbroker remaining in java (dual version)
    • modeling-etsicatalog
    • uui/uui-server
  • pnf-macro-test-simulator shall be very soon run in a different namespace and shoudl disapeear, it is a simulator it coudl also be under waiver (not released with ONAP)
• Security scans: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-09/14_13-40/

The gaps on the restricted Wiki shall be covered by respective PTLs.

• Nexus upgraded to latest version, LFN decision to use SPDX format and not cyclone or DX
• Research on how the missing information can be collected (plugin to be used?), info.yaml, POM file for Maven and Jira on who submitted the code
• We are not tracking 1to1 contribution tracing in the repository, so the information is upstream when commiter merges the code

Final set of metadata fields, which ones would be provided by logging service and which by developers. PTLs invited for Friday’s meetings.

Welcome Sean who is helping in prototyping for SW BOMs.

Guide for threat modeling for developers:

https://martinfowler.com/articles/agile-threat-modelling.html

We would like to get some help from the guys who are doing the actual development.

Excel file shared with Brian, Amy shared also framework info on two references for threat modeling.

1.ISO 27005 : https://www.iso.org/standard/75281.html

2.NIST Special Publication 800-154 2 Guide to Data-Centric System Threat Modeling

https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf

Good progress on fulfilling global requirements from SECCOM.

Fabian presented the status of code quality

• we need to create a page in confluence to describe the way to improve quality (page directly under SECCOM)
• we need to open an another ticket of services hosting
• jiras for python and java were updated

Pawel to create the page. ONAP code quality improvement

Fabian to create a Jira ticket to LFN IT:

https://jira.linuxfoundation.org/plugins/servlet/theme/portals

Muddasar was introduced to Alla who is leading ONAP Requirements Subcommittee to be contacted to provide details.

We need to have a standard template for the feature to be accepted (visibility, security and usability sections should be there).

To create a Jira ticket template.

To be checked if the feature specific information is further tracked.

• TSC elections, nominations close on September 21st
• Nominations for Honolulu awards extended to September 17th
• Spark in New Zeland going with ONAP in the production

• The official policy of the TSC on including unmaintained components in a release: Continue to use the latest version of the component (latest docker) if there is a dependency in other components.
• 3 unmaintained components: portal, portal SDK and VID
• Global Requirements are not tracked well, apart from the SECCOM ones , but Release Manager does not track them ;-(, should be tracked by proper integration tests but it would be problematic for vulnerabilities management (packages upgrades).

To further investigate Jira or feature template capability for that to include compliance requirement for Globar Requirement or Best Practice and then turnet into mnual or automatic validation. 

From green user perpective - a lot of info is missing on how to install ONAP or upgrade it - lot of missing information from ONAP documentation. Troubleshooting based on logs is painfull... Solution level thinking from user perpective, how to start and what is the sequence to install ONAP.

Sean is exploring POM file and some documented ONAP interdependencies.

In Amy'steam some developer is also doing similar effort.

Pawel to sent an information to documentation team. We need a dependency map.

Angular experience to be shared if possible.

Muddasar did not find prove of tracking the feature after its approval.

To reach out PTLs on what could be the best way to tackle Jira template.

Muddasar will propose some initial template, contributions are welcome.

Muddasar will also reach out Alla as a follow up, feedback from testers might be also valuable.

Apart from current global requirements we might want to follow any other requirements:

• Security logging as best practice for Jakarta, it is not exactly REQ-441
  • good feedback from Vijay and Toine
  • our proposed format is from the perspective of logging outbound networks connections.  Bob thinks we may need to add some fields to handle the logging of inbound connections as well as general events that  originate internal to the container
  • Bob shared excel file for logging, container info is missing

New requirement to be created for security logging but PoC with CPS or best practice for Jakarta.

Base images provision by Integration team to PTLs as a good foundation for logging and logger helper.

Slides presented by Tony uploaded below.

Requirement to support by DCAE registry for HELM charts. Chartmuseum is maintained by Chart team. 3 types of authentication supported.

Proposal is to restrict the client's list, once they have user names and passwords only ones who have to update/delete charts limits writing and access considerable just for those particular clients. FW to be used to limit the access for reading to strictly ONAP applications.

mTLS could be a solution for read?   Side car with cert could be interesting.