2021-12-14 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 14th of December 2021.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | CVE-2021-44228 | Issue impacting specific versions of log4j-core. ONAP projects still using version 1 might not be affected (depends on configuration), but version 1 has not been supported for a long time (since 2012). We recommend an immediate upgrade to the latest log4j-core version, 2.16, in both the Istanbul maintenance release and in Jakarta. Open question: how does the vulnerability message reach the end user? | ongoing | For tracking purposes, dedicated Jira tickets to be opened per project and for both releases. |
| | DMaaP upgrades | Log4j-core to be upgraded, but for other components there are transitive dependencies. Comments to be provided in the restricted Wiki. | ongoing | It may be worth opening a ticket with Sonatype about the dependency issues. AJSC dependencies: Amy will check with the AT&T maintainer. |
| | Trivy scans | Issue with containerd: not possible to get information on CVEs. Compatibility only with dockerd and Postman. ThreadFix removes duplication of findings from different sources. | ongoing | Brian to share info on their JFrog setup for image scanning. |
| | Jakarta proposed versions update | CentOS images used: https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-12/06_03-20/infrastructure-healthcheck/k8s/kubernetes-status/versions.html | ongoing | CentOS issue to be raised at the upcoming PTLs call. |
| | SCA analysis | Jira tickets created for each project. | ongoing | Ticket to be submitted via LF IT to Sonatype: issue with API documentation. |
| | PTL meeting update | | done | Next week: meeting with Thomas about the unmaintained-projects presentation for DDF. |
| | TSC meeting update | Request on supporting the unmaintained-projects topic. VVP and VNFSDK: no nominations for PTL. Issue with the use case slicing. Modelling has a PTL and co-PTL. M1 approved; 27th January for M2. | done | |
| | SBOMs | Which repos/projects to take into account? Start with a pilot (1 or 2 projects); info e-mail to be sent to PTLs. Work required: review whether the generated artifacts are accurate. | ongoing | Info e-mail to be sent to PTLs. Jess to be contacted. Amy to send an e-mail to Vijay. Muddasar to prepare info on what is needed on the PTLs' side to review artifacts. |
| | Quality gates | 3 levels under consideration: bronze, silver and gold. Basic level could be reaching 55% of code coverage (https://docs.sonarqube.org/latest/user-guide/metric-definitions/). Tables about project maturity are self-reported, while we are taking a measured approach. | ongoing | |
| | SECCOM presentations for incoming DDF (January). | SECCOM topics and overall agenda proposal. Interproject proposals: | ongoing | |
| | SECCOM MEETING CALL WILL BE HELD ON 21st OF DECEMBER '21. | Quality gates for code quality improvements: continuation of the discussion. SBOM next steps: which repos/projects to take into account? | | |
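To help projects check the log4j recommendation above (log4j-core 2.16 or later, no log4j 1.x), here is an added example that is not part of the minutes or of any ONAP tooling: it reads constructed `mvn dependency:list` style output and flags the dependencies that fall outside that baseline. The dependency lines and versions are sample data made up for the example.

```python
# Added example (not from the SECCOM minutes): flag log4j dependencies that
# fall outside the meeting's recommendation, i.e. log4j-core below 2.16 on
# the 2.x line, or any log4j 1.x artifact (unsupported since 2012).
# Input is constructed to resemble `mvn dependency:list` output lines.
import re

RECOMMENDED_MIN = (2, 16, 0)  # log4j-core baseline named in the minutes

# Constructed sample output; a real run would pipe `mvn dependency:list` here.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.16.0:runtime
[INFO]    com.example:some-other-lib:jar:3.0.0:compile
"""

# groupId:artifactId:jar:version:scope as printed by the Maven dependency plugin
DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(text):
    """Turn '2.16.0' into (2, 16, 0); trailing qualifiers like '-rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) + (0,) * (3 - len(parts))


def audit_log4j(dependency_list):
    """Return (coordinate, reason) findings for log4j artifacts outside the baseline."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        coord = f"{group}:{artifact}:{version}:{scope}"
        if group == "log4j" and artifact == "log4j":
            findings.append((coord, "log4j 1.x is unsupported; migrate to log4j-core 2.16 or later"))
        elif group == "org.apache.logging.log4j" and artifact == "log4j-core":
            if parse_version(version) < RECOMMENDED_MIN:
                findings.append((coord, "log4j-core below the recommended 2.16 baseline"))
    return findings


if __name__ == "__main__":
    for coord, reason in audit_log4j(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord}: {reason}")
```

Transitive dependencies (the DMaaP case above) show up in the same listing, so the check covers them as long as the full tree is listed.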
Recording:
SECCOM presentation: