2022-01-18 Security Subcommittee Meeting Notes (under construction)

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 18th of January 2022.

Jira No	Summary	Description	Status	Solution
	Log4j upgrade	Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832	ongoing	For tracking purpose dedicated Jira tickets to be opened per project and per both releases.
https://jira.onap.org/browse/INT-2039	Limit number of images	Images lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master).	ongoing
	Centos usage	Used by Postgres with version 8 - we are targetting version 8 stream.
	Unmainained projects	Meeting done last Monday - to be continued on Thursday (DOC) meeting.
	Jakarta SCA analysis	New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426		Update recommendations for log4j into 2.17 Post log4j info on ONAP security Wiki.
	TSC meeting update	Log4j Istanbul maintenance release Steve Winslow left LFN		Steve move ement Impact on Tony for CII Badging?
	PTL meeting update	log4j update
	SBOMs	Muddasar sent e-mail to Vijay and Toine.	ongoing
	Quality gates	Fabian will have a meeting with Seshu for SO. Next update in January.	ongoing
	Kubescape and Trivi scans	https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job. Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi. Threadfix removes duplication of findings from different sources.	ongoing	Fabian will have a meeting with Kubescape. Brian to share info on their Jfrog for Image scanning.
	SECCOM presentations for incoming DDF (January).	SECCOM topics and overall agenda proposal: https://teamup.com/ksgw6qzqcmg9zbzsfq?view=MD&date=2022-1-10&calendars=8227292,8227785,8227782,8310707,8310614 ONAP Security: Jakarta Global Requirements and Best Practices Tuesday, 11th of January, 4:30 UTC Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric – Topic Wednesday, 12th of January, 2:30 UTC Code quality demo - main session stream – Fabian/Pawel/Kevin/Toine – Topic Tuesday, 11th of January, 3:30 UTC Interproject proposals: SBOMs ONAP story – Muddasar/Pawel Topic Monday, 10th of January, 2:30 UTC	ongoing
	SECCOM MEETING CALL WILL BE HELD ON 25th OF JANUARY'22.	Review - SECCOM presentations for DDF events. Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - which repos/projects to take into account?

Recording:

SECCOM presentation: