Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 14th of March 2023.
Jira No | Summary | Description | Status | Solution
---|---|---|---|---
| Wrapping up the unmaintained repo task force | Amy presented updated status. link 2 processes to follow: | ongoing | During architecture review Archicom can update components statuses. Architecture review template could be updated.
| Security Questionnaire for CPS | As Tony is on PTO, we move this topic to next week's agenda. | moved to next week's agenda |
| PTL meeting (March 6th) | Continuation of Release Management tasks review. Unmaintained process review. Attendance was light ;-( | |
| TSC meeting (March 2nd) | Teaser on Unmaintained progress | |
| SBOM signing | (Info from Anil) SBOM signing needs to be enabled for an ONAP $project specifically through JJB, since it is disabled by default at the template level [1]. If you want to enable this for a specific ONAP project, that can be done in [2] or by setting a default value of `true` at a global level for the ci-management repository. [1] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml [2] https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml The signing of the SBOM happens towards the end of the stage/release job and is done by sigul (a key signing service set up specifically for ONAP, with each LFN project having unique keys that are not shared across all of LFN). | ongoing | To be further elaborated by Muddasar on unique keys per project and on how the build process is secured by LF.
| Security issues raised by External researchers | IT-24999 Security Issue - Sensitive information leakage – Fiachra responded (Anuja was informed): „As we have moved sdc away from message router the apikey mentioned is no longer used. There may be some redundant calls to message router from SDC but there is no risk in terms of security.” | closing |
| Python PoC by Bob | Work in Progress – Fiachra and Tony were contacted. Reprioritization of resources and no further support for now. 2 issues remaining (Wiki to be created): | closing | Wiki to be created by Bob.
| Security test cases review | https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2023-02/25_04-42/ Unlimited pods refers to unlimited resources; the check comes from the CIS benchmark and concerns pods consuming lots of resources. | | Muddasar to analyse the tests that are under the attached link.

SECCOM MEETING CALL WILL BE HELD ON 21st/28th March 2023.
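As an added illustration of the "unlimited pods" finding discussed above (this is not part of the minutes or of the ONAP integration test suite), the script below walks Kubernetes pod specs and reports every container, init containers included, that carries no CPU or memory limit, which is what the CIS-derived check flags. The pod specs are constructed samples, not data from the linked test run.

```python
"""Report containers in Kubernetes pod specs that have no CPU/memory limits.

Added example, not code from the SECCOM minutes or the ONAP test suite.
The pods below are constructed samples.
"""
from typing import Dict, List

# Constructed sample pod specs (same shape as `kubectl get pod -o json` items).
SAMPLE_PODS = [
    {
        "metadata": {"name": "good-pod", "namespace": "onap"},
        "spec": {"containers": [
            {"name": "app",
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                           "requests": {"cpu": "100m", "memory": "128Mi"}}},
        ]},
    },
    {
        "metadata": {"name": "no-limits-pod", "namespace": "onap"},
        # Requests only: the scheduler reserves 100m, but nothing caps usage.
        "spec": {"containers": [
            {"name": "app", "resources": {"requests": {"cpu": "100m"}}},
        ]},
    },
    {
        "metadata": {"name": "partial-pod", "namespace": "onap"},
        "spec": {
            "containers": [{"name": "app", "resources": {"limits": {"cpu": "1"}}}],
            # Init containers are checked too; an empty resources block is unlimited.
            "initContainers": [{"name": "init", "resources": {}}],
        },
    },
]

REQUIRED_LIMITS = ("cpu", "memory")


def missing_limits(container: dict) -> List[str]:
    """Return the required limit keys absent from a container's resources."""
    limits = (container.get("resources") or {}).get("limits") or {}
    return [res for res in REQUIRED_LIMITS if res not in limits]


def check_pod(pod: dict) -> List[str]:
    """One finding string per container of the pod that lacks a required limit."""
    findings: List[str] = []
    name = pod["metadata"]["name"]
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            missing = missing_limits(container)
            if missing:
                findings.append(
                    f"{name}/{container['name']} ({kind}): "
                    f"no limit for {', '.join(missing)}"
                )
    return findings


def check_pods(pods) -> Dict[str, List[str]]:
    """Map pod name -> findings, keeping only pods that have at least one."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        findings = check_pod(pod)
        if findings:
            report[pod["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    for pod_name, findings in check_pods(SAMPLE_PODS).items():
        for line in findings:
            print(line)
```

Run against a live cluster, the same functions would take the `items` list of `kubectl get pods -A -o json`. The cluster-side mitigation for what the check reports is a namespace `LimitRange` (default limits applied to containers that declare none) together with a `ResourceQuota`, so that a pod without explicit limits can no longer consume the node unbounded.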
Recordings:
SECCOM presentation: