Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 8th of March 2022.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| Synch with ONAP documentation - Thomas | Release Notes organization: Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO, VNFSDK. https://docs.onap.org/en/latest/release/index.html#istanbul-maintenance-release-9-0-1
Projects/functional repos with transitive dependencies for log4j:
| ongoing | Tickets to be open by Pawel for remaining transitive dependencies on per relevant project basis: | |
| Security Logging Presentation to Akraino TSC - Bob | Logging today at 1500 UTC. Here is the meeting info if you would like to join. https://wiki.akraino.org/display/AK/TSC+2022-03-08+%28Tuesday%29+7%3A00+am+Pacific | ongoing | ||
ONAP Security Review Questionnaire template first cut – Tony | https://wiki.onap.org/display/DW/ONAP+Security+Reviews We want to start simple and small. Time it takes to document vulnerabilities and time it takes to resolve it. Assurance section might be expanded. | ongoing | SECCOM members to review proposed draft and further discuss next week. | |
| Packages upgrades for Jakarta | As of today the project teams have upgraded 103 of 299 identified vulnerable direct dependencies for the release (~34%). | Ask TSC to have focus on security by sending an e-mail to TSC and discuss this issue on Thursday. | ||
| Time shift in US on 13th March and in EU on 27th March. | Please check if the meeting invitations are displayed accordingly. | |||
| Quality gates | ||||
| ONAP Security logging PoC requirements - Byung | https://lists.onap.org/g/onap-requirements-sub/viewevent?eventid=1437425&calstart=2022-02-28 Presentation available at the bottom of this page. Security Logging Requirements were presented to Use Case Subcommittee. Toine agreed to be a project for a PoC. | started | Presentation on proposed logging fields to be provided to PTLs community on 14th of March. To be folloed by architecture information as a separate presentation/topic. | |
| IT-23650 | Unmaintained projects – ticket creation for failing Jenkins jobs | Issue seems to be finally resolved. homas asked to propose a patch for the composite release notes that includes info from slide 6. | done | |
| LFN preparing document on ONAP security | https://wiki.lfnetworking.org/display/LN/2022+LFN+Security+whitepaper Contribution needed for SBOM part – Sean/Bob done -NTIA paper could be a good reference. | done | ||
| Unmaintained projects | Discussion on how to represent unmainained project, yaml vs. Json file, type of information. | ongoing | ||
| IT-23622 | IT-23622 API documentation for SonarCloud (continuation of IT-23519) | Tony and Amy will try to use AT&T leverage as SonarCloud customer to get info on API documentation. | ongoing | |
| Unmaintained projects - Istanbul Maintenance Release Notes | Ticket creation for failing Jenkins jobs. Thomas asked to propose a patch for the composite release notes that includes info from slide 6 but we first need to solve failing Jenkins jobs. | done | Failing Jenkins jobs issue to be escalated. | |
| Security logging update | https://wiki.onap.org/display/DW/Jakarta+Best+Practice+Proposal+for+Standardized+Logging+Fields Some more clarifications planned, naming causing some confusion. | ongoing | One more session (on 25th of February) to complete fields review. Next to be reviewed with PTLs. | |
| SonarCloud findings | Tony will open direct tickets to projects. | started | Tickets to be open by Tony. | |
| Badging - no update | Tony working with David and Dave on getting projects moved from having owner from project and replacing with David for Badging. Some owners gone away... Additional editors do not have rights to remove somebody from the project (can only add additional people). No movement. Waiting for an answer from David Wheeler. | Tony to reach out David. | ||
| Final SCA scan for Istanbul Maintenance release. | List of projects with transitive dependencies to be provided by Amy. | |||
| Quality gates | No update so far from Seshu. | ongoing | To join SO meeting. To drop an e-mail to Toine. | |
| Issue with Wiki creation by Tony | Ticket to be created to solve the issue | |||
SECCOM MEETING CALL WILL BE HELD ON 15th OF MARCH'22. | Quality gates for code quality improvements - continuation of the discussion. 5Y review criteria. |
Recording:
SECCOM presentation: