2022-08-16 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 16th of August 2022.

Jira No

Summary

Description

Status

Solution



Update on Unmaintained Projects task group

-Policy-mariadb is no longer used by any project and can be removed

-Steps to remove unused repo

  • Release notes: list repos removed with release

  • LFIT: remove repo from Jenkins jobs

  • OOM: update integration & test scripts; remove disabled code

  • Release mgr: update info.yaml to unmaintained; mark repo unmaintained

-RACI matrix: https://lf-onap.atlassian.net/wiki/display/DW/Project+State%3A+Unmaintained

OOM contains unused/orphan code: discuss at next unmaintained projects call because it affects security and maintainability







Update on the Security Logging Fields and Global Requirement  

-Bob will socialize Python & JavaScript POCs with PTLs

-Use language indicator on SonarCloud dashboard to determine programming language

ongoing





SBOM creation 

dcaegen2-collectors-ves SBOM successful

CPS SBOM failing because project not following ONAP versioning rules

ongoing





Superblueprint

Use cases to be added, limited resources to go with E2E solution integration.

Weekly meetings: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=50528282

Architecture: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=53609061

Roadmap: https://wiki.lfnetworking.org/display/LN/5G+Super+Blueprint+Roadmap

Requirements and Use case Advisory Group: https://wiki.lfnetworking.org/display/LN/Requirements+and+Use+Case+Advisory+Group

Use cases: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=68792322

Muddasar tasked with specifying detailed use case requirements for creating secure slices: least privilege

Eric Kline performing streaming analytics on data to use in closed loop slicing automation

ongoing

Logistics from a program perspective need to be improved.



OOM

Ericsson OOM team is focused on the ONAP security reference implementation.

Logging reference implementation is second priority work item for now.

Code link was shared with SECCOM before (nordix), but not yet contributed to ONAP







PTL meeting – August 15th

Meeting cancelled - bank holiday in part of Europe







TSC meeting – August 11th

No one on SECCOM call attended







ONE Summit NA  

Pawel and Amy submitted proposal: ONAP’s Recipe for Managing CVEs and Securing Open Source Software

Byung will present service descriptor and potentially new ONAP security architecture with service mesh.







LFN Developer & Testing Forum NA 

Productization of Assured Opensource Software - Muddasar

SBOM implementation and challenges in ONAP - Muddasar

5G orchestration with ONAP, AI and ML - Maggie



Brian to be asked by Muddasar as co-presenter for SBOM.



SECCOM MEETING CALL WILL BE HELD ON 23rd OF August'22. 











Recordings: 

audio1015335947.m4a

video1015335947.mp4



SECCOM presentation:

2022-08-16 ONAP Security Meeting - AgendaAndMinutes.pptx