2022-02-01 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 1 February 2022.

Jira No

Summary

Description

Status

Solution

TSC update

Security improvements in ONAP recognized by the LFN Governance Board. Big thanks and kudos to the SECCOM team, PTLs and all contributors! Over 7,000 vulnerabilities fixed!

https://security.lfx.linuxfoundation.org/#/

The vast majority (over 99%) were discovered by Nexus-IQ scans; none (to be confirmed) were reported by end users.

Documented process: ONAP Vulnerability Management

Process for the security review question covering the last 5 years

Scope to be proposed by Tony and Muddasar (with wider E2E coverage).

NIST proposal that needs to be reviewed: NIST SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations:

https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

started

Next discussion in 2 weeks' time.

Pawel to recheck with Catherine for her feedback.

https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423

Log4j upgrade

Target version 2.17.1: https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1

The following tickets were opened:

  • AAI-3431 - AAI status (4 components with log4j) COMPLETE

    • aai-graph-admin, aai-resources, aai-traversal, aai-common: log4j <2.17.1; direct dependencies updated

  • DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE

    • dmaap-messagerouter-messageservice: log4j <2.17.1; direct dependencies updated

  • SDNC-1655 - SDNC status (1 component with log4j)

    • sdnc-oam: log4j 1.2.17 direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591): “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased the priority to high, set the fix version to Istanbul Maintenance release and added a comment under the ticket on the need to migrate to log4j-core 2.17.1.

  • VNFSDK-827 - VNFSDK status (1 component with log4j)

    • vnfsdk-ves-agent: no scans for the Istanbul branch -> as per Kanagaraj’s e-mail sent on 24th of August, he mentioned that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today asking him to configure his JJB file accordingly.

  • Restricted Wiki for Istanbul Maintenance release created

  • CVE creation: not needed; instead we will document in the Release Notes the repos that were impacted and fixed (direct dependencies) and document the transitive dependencies. A CVE is raised for a vulnerability discovered in the project's own code, not for a vulnerable third-party dependency.

  • ONAP CVEs opened so far: https://docs.onap.org/projects/onap-osa/en/latest/osalist.html
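The check the tickets above record (which log4j artifacts are still below 2.17.1, whether each is a direct or a transitive dependency, and that log4j 1.x needs a migration to log4j2 rather than a version bump), as an added example that is not ONAP project code: it reads the output of `mvn dependency:tree`, which is one local way to list a component's dependencies before the Nexus-IQ/CLM scan runs. It assumes the plain-text layout that command prints, and the sample tree is constructed (the artifact names and versions are made up, not real ONAP components).

```python
"""Flag log4j artifacts in `mvn dependency:tree` output that are below a
target version, and say whether each is a direct or a transitive dependency.

Added example for these minutes, not ONAP project code. Assumes the plain
text layout that `mvn dependency:tree` prints (one artifact per line, depth
shown by "+- " / "\\- " connectors and "|  " indentation) and the constructed
sample tree below."""
import re

TARGET = (2, 17, 1)  # log4j 2.17.1, the target version named in the minutes

# Constructed sample (not a real ONAP component tree).
SAMPLE_TREE = """\
[INFO] org.example:aai-demo:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.example:some-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \\- org.example:other-lib:jar:1.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:runtime
"""

# "[INFO] " + indentation blocks of 3 chars + optional connector + coordinates
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:\|  |   )*)(?P<conn>[+\\]- )?(?P<coords>[^\s(]+)"
)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); missing minor/patch parts count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def parse_tree(text):
    """Yield (depth, group, artifact, version) for every artifact line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue  # plugin banners and other non-artifact lines
        # root line is g:a:type:version; others are g:a:type[:classifier]:version:scope
        version = parts[-1] if len(parts) == 4 else parts[-2]
        yield depth, parts[0], parts[1], version


def scan_tree(text, target=TARGET):
    """Return findings for log4j artifacts that still need action."""
    findings = []
    for depth, group, artifact, version in parse_tree(text):
        if group == "log4j" and artifact == "log4j":
            # log4j 1.x: there is no 2.17.1 of this artifact; it has to be
            # migrated to log4j2 (the sdnc-oam data-migrator case above)
            action = "migrate to log4j2"
        elif group == "org.apache.logging.log4j" and artifact.startswith("log4j-"):
            parsed = parse_version(version)
            if parsed is None or parsed >= target:
                continue
            action = "upgrade to %d.%d.%d" % target
        else:
            continue
        findings.append({
            "artifact": "%s:%s" % (group, artifact),
            "version": version,
            "direct": depth == 1,  # depth 1 = declared in this pom
            "action": action,
        })
    return findings


def report(text, target=TARGET):
    """Split findings the way the release notes are to document them:
    direct dependencies (fixed in the repo's own pom) vs transitive ones
    (pulled in by another artifact, fixed by upgrading or overriding it)."""
    findings = scan_tree(text, target)
    direct = [f for f in findings if f["direct"]]
    transitive = [f for f in findings if not f["direct"]]
    return direct, transitive


if __name__ == "__main__":
    direct, transitive = report(SAMPLE_TREE)
    for label, group in (("direct", direct), ("transitive", transitive)):
        for f in group:
            print("%-10s %s %s -> %s" % (label, f["artifact"], f["version"], f["action"]))
```

Run it against `mvn dependency:tree > tree.txt` for a component and feed the file to `report()`; a transitive hit means the parent artifact named on the line above it is what has to be bumped or pinned in `dependencyManagement`, which is why the release notes are to call those out separately.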

ongoing

To check with Jess the statuses of the tickets that were recently closed.

CLM scans for each project to be done by 4th of February.


Update of the onap-security mailing list members (https://lists.onap.org/g/onap-security/members) - updated list

List of the participants was updated with Maggie. Krzysztof was removed.

done

SBOM creation 

Jess created a ticket, which is in progress, but Jess is currently occupied with a Nexus3 issue.

ongoing

Security logging next steps

Bob presented a phased approach for security logging, which was reviewed with the SECCOM team.

ONAP Security Event Management

ongoing

A meeting on Friday at 3 PM UTC is to be organized by Amy as a working-group session with Fiachra, Toine and Sylvain.


ONAP quality gates

Quality assessment mainly of the submitted code (i.e. the delta, not the whole code base)

  • Integrate tests with CPS

  • SO PoC

no update

Waiting for feedback from Seshu.


THE NEXT SECCOM MEETING CALL WILL BE HELD ON 8th OF FEBRUARY '22.

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - status update with DCAE.

Recording:


SECCOM presentation: