2022-08-09 Security Subcommittee Meeting Notes
Please find below the minutes and recording for the SECCOM meeting held on 9 August 2022.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | Update on the Security Logging Fields and Global Requirement | Bob on holidays. Byung's account on O-RAN was disabled. Bob was in touch with Dan Timoney; potential issue with the interface container, which is Java based. Vijay's opinion on the 4 hours LoE: a bit too optimistic; non-Java projects (JavaScript) to be explored as higher impact. | ongoing | Byung to regain access to O-RAN. |
| | SBOM creation | Muddasar talked to Jess last week. CPS was not failing due to the path parameter; the version was not according to the LF recommendation (Release Versioning Strategy). Muddasar shared this info with PTLs on August 8th. | ongoing | |
| | JavaScript containers | Info from Tony: the even-numbered versions of Node.js roll through "Current" status, "Active LTS" status and "Maintenance LTS" status. New releases come out every 6 months, so a Current release becomes LTS 1 year later, then Maintenance LTS 1 year after that for an additional 1.5 years. The current version is v18, the Active LTS is v16 and the Maintenance LTS is v14. v14 is active through Apr 2023. We should make sure that we are using containers with Node.js v14, v16 or v20. This MIGHT be automatic if we are using current Node.js containers. | started | To be further explored: the number of JavaScript containers and the recommended releases. |
| | Superblueprint | Use cases to be added; limited resources to go with E2E solution integration. Weekly meetings: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=50528282 ; Architecture: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=53609061 ; Roadmap: https://wiki.lfnetworking.org/display/LN/5G+Super+Blueprint+Roadmap ; Requirements and Use Case Advisory Group: https://wiki.lfnetworking.org/display/LN/Requirements+and+Use+Case+Advisory+Group ; Use cases: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=68792322 . Next meeting later today; resource assignment needs to be done. Secure slicing needs to be better defined. Major focus on setting up 5G with open source components. | ongoing | Logistics from a program perspective need to be improved. |
| | PTL meeting – August 8th | Naming convention has an impact on SBOM creation; PTLs need to follow the LF recommended naming convention: https://lf-onap.atlassian.net/wiki/display/DW/Release+Versioning+Strategy . Unmaintained projects. | | |
| | TSC meeting – July 28th | Confluence injection attack: plugin disabled. DTF submissions, no deadline yet. Proposals: Pawel and Amy submitted "ONAP's Recipe for Managing CVEs and Securing Open Source Software"; Byung will present the service descriptor and potentially a new ONAP security architecture with service mesh; "Productization of Assured Opensource Software" (Muddasar); "SBOM implementation and challenges in ONAP" (Muddasar); "5G orchestration with ONAP, AI and ML" (Maggie). | | Brian to be asked by Muddasar as co-presenter for SBOM. |
| | Node.js recommended upgrades | We start this topic; the Node.js release cadence and the recommended container versions are recorded under "JavaScript containers" above. | started | To be further explored: the number of JavaScript containers and the recommended releases. |

SECCOM MEETING CALL WILL BE HELD ON 16th OF AUGUST '22.
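The JavaScript containers item asks which of our containers are on a supported Node.js line and notes that the "current" image tags might already take care of that. The script below is an added example written for these notes, not ONAP project code: it reads a Dockerfile, classifies every Node.js base image (including the extra stages of a multi-stage build) against the release schedule on the meeting date, and says which images need an upgrade now, which are on security-fixes-only Maintenance, and which use a floating tag such as `node:lts` that cannot be audited until it is pinned. The schedule dates and the codename-to-major mapping embedded in it are assumptions copied from the public Node.js release schedule as it stood in 2022 (reload them from schedule.json in the nodejs/Release repository before relying on the output), and the Dockerfile is a constructed sample.

```javascript
// Added example for these notes, not ONAP project code: audit the FROM lines of
// a Dockerfile against the Node.js release schedule and report which images
// sit on a supported line on a given date.
//
// ASSUMPTION: the dates below were copied from the public Node.js release
// schedule as it stood in 2022. Reload them from schedule.json in the
// nodejs/Release repository before relying on the result.
const SCHEDULE = {
  12: { start: "2019-04-23", lts: "2019-10-21", maintenance: "2020-11-30", end: "2022-04-30" },
  14: { start: "2020-04-21", lts: "2020-10-27", maintenance: "2021-10-19", end: "2023-04-30" },
  16: { start: "2021-04-20", lts: "2021-10-26", maintenance: "2022-10-18", end: "2024-04-30" },
  17: { start: "2021-10-19", end: "2022-06-01" }, // odd-numbered: never becomes LTS
  18: { start: "2022-04-19", lts: "2022-10-25", maintenance: "2023-10-18", end: "2025-04-30" },
};

// ASSUMPTION: release-line codenames that the official image also uses as tags.
const CODENAMES = { erbium: 12, fermium: 14, gallium: 16, hydrogen: 18 };

// Phase of a major release on an ISO date (ISO-8601 strings compare lexically).
// Boundaries are inclusive: on the day a line enters Maintenance it is already
// reported as maintenance-lts.
function phaseOf(major, asOf, schedule = SCHEDULE) {
  const s = schedule[major];
  if (!s) return "unknown";
  if (asOf < s.start) return "unreleased";
  if (asOf >= s.end) return "end-of-life";
  if (s.maintenance && asOf >= s.maintenance) return "maintenance-lts";
  if (s.lts && asOf >= s.lts) return "active-lts";
  return "current";
}

// Parse an image reference. Returns null for non-node images, otherwise
// { major, tag }; major is null when the tag does not name a release line
// (no tag, "latest", "lts", "current", or a digest-only reference).
function parseNodeImage(ref) {
  const last = ref.split("/").pop(); // drops registry[:port]/namespace
  const m = last.match(/^([^:@]+)(?::([^@]+))?(?:@(.+))?$/);
  if (!m || m[1] !== "node") return null;
  const tag = m[2] || "";
  const v = tag.match(/^(\d+)/); // "16", "16.15.1-slim", "14-alpine"
  if (v) return { major: Number(v[1]), tag };
  const code = tag.split("-")[0].toLowerCase(); // "gallium-alpine" -> "gallium"
  return { major: CODENAMES[code] || null, tag };
}

// Walk every FROM line (multi-stage builds have several) and classify it.
function auditDockerfile(text, asOf, schedule = SCHEDULE) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)/i);
    if (!m) return;
    const img = parseNodeImage(m[1]);
    if (!img) return; // not a Node.js base image
    const phase = img.major === null ? "floating" : phaseOf(img.major, asOf, schedule);
    const end = (schedule[img.major] || {}).end;
    const action = {
      "current": "ok, but not yet LTS: move to the Active LTS line when it is promoted",
      "active-lts": "ok",
      "maintenance-lts": `security fixes only: plan the upgrade before ${end}`,
      "end-of-life": "upgrade now: no security fixes",
      "floating": "tag does not name a major (latest/lts/digest): pin an LTS major so it can be audited",
      "unknown": "major not in the schedule: check manually",
      "unreleased": "major not released on the audit date: check the tag",
    }[phase];
    findings.push({ line: i + 1, image: m[1], major: img.major, phase, action });
  });
  return findings;
}

// Constructed multi-stage Dockerfile for the demo, not taken from any ONAP repo.
const SAMPLE_DOCKERFILE = `
FROM node:12-alpine AS legacy
FROM docker.io/library/node:14.20.0-slim AS build
RUN npm ci
FROM node:16.15.1-slim AS test
FROM --platform=linux/amd64 node:18 AS next
FROM node:lts-alpine AS floating
FROM nginx:1.23-alpine
`;

const MEETING_DATE = "2022-08-09";
const REPORT = auditDockerfile(SAMPLE_DOCKERFILE, MEETING_DATE);
for (const f of REPORT) {
  console.log(`line ${f.line}: ${f.image} -> ${f.phase}; ${f.action}`);
}
```

Run it with `node audit.js`; it prints one line per Node.js `FROM`, and the `nginx` stage is skipped because it is not a Node.js image. On the meeting date the sample reports v12 as end-of-life, v14 as Maintenance (security fixes only until April 2023), v16 as Active LTS, v18 as Current and `node:lts-alpine` as floating. To audit real repositories, replace `SAMPLE_DOCKERFILE` with the contents of each Dockerfile and pass the date of the audit; counting the findings across projects answers the "number of JavaScript containers" question in the solution column.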
Recording:
SECCOM presentation: