Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 27th of April 2021.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
TSC meeting update |
-CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES -CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL
-LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA | done | Jira tickets per projecs to be created. | |
NSA proposal follow-up | Meeting scheduled on May 3rd. | ongoing | All interested contributors are wlecome to join this follow-up session. | |
Questions for SonarCloud (slides 4 and 5) | Already shared with SonarCloud - waiting for a feedback. | ongoing | To check with SonarCloud representative (Sylvain) when feedback could be expected. | |
New Jira tasks for java and python upgrades in Istanbul release | Were already created - couple of project claimed that they already done. | ongoing | To check next test results. | |
NEXUS-IQ container scanning | Scans of the containers show the same vulns as scans of the source code. On container scans there is no indication on transitive/direct dependencies, so PTLs lose infrmation - update of the transitive dependency might break the code! We would like to surpress all the results that are not in the code base. | ongoing | Sonatype to be contacted via Jess to check if ability to do the correlation exists or is planned. | |
IT-21675 Jacoco integration with SonarCloud (info from Christophe) | As Sonar team and Jacoco team are still arguing on this topic on forums, target was reached using unit tests only (so this is not critical anymore) | ongoing | ||
NEXUS-IQ – SCA analysis started for Istanbul release | DCAE made a good progress - some repos free of critical vulnerabilities. For some repos upgrade is not enough as no remedy exists yet - to be docuemented properly. | ongoing | To complete SCA analysis by end of next week. | |
Continuation of discussion on Fabian’s comment on logging management | Logs management to be taken up to Archiecture Subcommittee, so beyond security. We do have standard what to do with logs but it was not followed for a while. Container run time requirement and entire virtualized requirement (all event types collected)- we mix those 2. Logs transfer need to be secured. Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationIDMDC-InvocationID | ongoing | Fabian to present most recent logging management archiecture to Archiecture Subcommittee. Bob to elaborate the link provided. | |
Additional 2 resources from Orange to improve ONAP security | DMaaP PTL integrated changes and additional 8 new blocking points had to be fixed. Next step started work on security for SO. This will be rather for Istanbul. | Done for DMaaP ongoing for SO | ||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 4th OF MAY'21. | Whe start pushing few other items in CII Badging or SonarCloud? To adrress it next week at the SECCOM. Review of the document (link) provided by Bob. |
Recording:
SECCOM presentation: