Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 3rd of August 2021.

Jira No | Summary | Description | Status | Solution

Last TSC meeting

Test criteria for Istanbul Release – deck prepared by Eric and Andreas

Status: ongoing.

Last PTLs meeting

https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-07/12_13-15/

ONAP Security Exception Process

Security related integration issues will be collected under an Epic filed in the INT Jira project.

For Istanbul, the Tern results in integration test will be informational and not gating.  Need to consult with TSC to make results blocking for future releases.

Must complete exception filing by M3, using the protocol described in the link above.

Status: ongoing. Solution: AWX and CDS to be identified as part of an ONAP project. Done: it is part of CCSDK.

ESR Waiver

ESR will most probably be excluded from the ONAP Istanbul release.

Status: ongoing. Solution: final check to be done by Byung.

Updated Seccom criteria for the integration tests to pass a release

  • Add Python and Java version checks

  • Achieve a 100% pass level, with Tern treated as informative (not blocking, and not reducing the 100% security test score)

  • Follow exception process if relevant

Status: ongoing. Solution: to be presented at the TSC meeting.

Software BOMs, Hardware BOMs - Muddasar

Feedback for Muddasar's presentation is welcome.

Muddasar is considering how the data can be collected, where it should be stored and how it could be shared. Muddasar might give a presentation next week.


Status: ongoing. Open question: what is the query mechanism? Either a BOM manifest file is presented during the onboarding process, or ONAP queries the EM or VIM and obtains that information from the VIMs.

Dependency confusion attacks vs. ONAP SW build process

Samuli sent an e-mail to the SECCOM distribution list; as no specific feedback has been received so far, he will send it to onap-discuss.

Interesting framework by Google:

SLSA: Supply-chain Levels for Software Artifacts https://slsa.dev/

https://wiki.onap.org/display/DW/Developing+ONAP
https://wiki.onap.org/display/DW/ONAP+Security+Event+Management+-+DRAFT

Bob created a dependency security wiki page for Samuli's and his own investigation on this topic: Dependency Security

Status: ongoing.

Jess to be contacted about the CI chain and Nexus regarding Bob's question.

The term "Services" to be changed to "Services (xNF, xApps)".

Plans to be presented to Architecture Subcommittee.
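The dependency confusion item above names the attack but not the build-side conditions that enable it. As an added illustration (not code from the ONAP project, and not part of Samuli's or Bob's investigation), the script below is a static pre-check for a pip requirements file: it flags an internal package that is not pinned to an exact version, and any second index (pip's --extra-index-url) from which a same-named public package could be resolved. The internal package names, the Nexus URL and the requirements content are constructed for the demonstration.

```python
"""Static pre-check for dependency-confusion exposure in a pip requirements file.

Dependency confusion works when a build resolves package names from more than one
index: an attacker publishes a package on the public index with the same name as an
internal one, usually with a higher version, and the resolver picks it up.
This check flags the two conditions that make that possible for pip:
  1. more than one index is consulted (an --extra-index-url next to --index-url), and
  2. an internal package is not pinned to an exact version.
"""
import re

# Constructed sample data: hypothetical internal package names and internal index URL.
INTERNAL_PACKAGES = {"onap-common-utils", "onap-sdc-client"}
INTERNAL_INDEX = "https://nexus.example.internal/repository/pypi-internal/simple"

# Constructed requirements file for the demonstration (not a real ONAP file).
SAMPLE_REQUIREMENTS = """\
--index-url https://nexus.example.internal/repository/pypi-internal/simple
--extra-index-url https://pypi.org/simple
requests==2.26.0
onap-common-utils>=1.2   # internal, but only a lower bound
onap_sdc_client==0.4.1   # internal, pinned
pyyaml
"""

# Name, optional extras, optional comparison operator, optional version; markers are ignored.
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize(name):
    """PEP 503 normalisation so 'Onap_SDC.Client' and 'onap-sdc-client' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, internal_packages, internal_index):
    """Return a list of (line_number, message) findings; line 0 marks file-level issues."""
    internal = {normalize(p) for p in internal_packages}
    findings = []
    index_url = None
    extra_indexes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("--index-url"):
            index_url = line.split(None, 1)[1]
            continue
        if line.startswith("--extra-index-url"):
            extra_indexes.append(line.split(None, 1)[1])
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((lineno, f"could not parse requirement: {line!r}"))
            continue
        name, op, _version = m.groups()
        # An internal name with no exact pin lets a higher public version win resolution.
        if normalize(name) in internal and op != "==":
            findings.append((lineno, f"internal package {name} is not pinned with =="))
    if index_url != internal_index:
        findings.append((0, f"--index-url is {index_url!r}, expected the internal index"))
    for url in extra_indexes:
        findings.append((0, f"--extra-index-url {url} lets pip resolve internal names from a second index"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_requirements(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, INTERNAL_INDEX):
        print(f"line {lineno}: {msg}")
```

On the constructed input this reports line 4 (the unpinned internal package) and the pypi.org extra index. The fix the check points at is a single --index-url on an internal Nexus that proxies the public index under its own control, combined with exact pins; pip's --hash pinning is a stronger form of the same idea, since a version pin alone does not distinguish a public package that happens to carry the same name and version.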


Update from LFN

(IT-22333 by Pawel, and IT-22334 by Thierry)

  • Waiting for Thierry's return

Status: ongoing.

Code quality and SonarCloud

Achievements to be presented to TSC:

Risk acceptance statement by the TSC: there is a resource shortage to address the security concerns behind the required percentage of code coverage (a minimum of 55% in the past).

Status: ongoing. Solution: Pawel and Fabian to present progress and achievements in this domain to the TSC on August 12th.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF AUGUST '21, continuing the SBOM/HBOM topic.

Recording:

SECCOM presentation:
