2019-10-15 Security Subcommittee Meeting Notes
Please see the Minutes of Meetings and recording for the SECCOM meeting that was held on 15th of October 2019.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | Review of El Alto key figures tracking ONAP progress in the security domain | Release key achievements from the SECCOM perspective (to be answered to Amar's e-mail): the state of ONAP security is improving. We are not there yet to say that ONAP is a secure piece of software, but we are definitely going in the right direction. Some key facts from this release: the number of exposed HTTP ports has been significantly reduced (21 currently, but I hope that we can reduce this number even more by Thursday); 12 CVEs have been fixed, 7 are still being worked on (out of a total of 26); 44 OJSI tickets have been resolved and 19 are still in progress (some may be fixed by Thursday, but most will probably be deferred to Frankfurt), 66 are still untouched. Updating CII Badging answers (to be consulted with Tony). Analyzing known vulnerabilities: the first component upgrades were introduced by the Portal project (Spring Framework from v4.2.3 to 4.3.24). Further upgrades are not yet pushed into ONAP Gerrit due to resource constraints for testing the recent changes. | | |
| - | Review of El Alto key deliverables | Known vulnerabilities analysis: ongoing. Synch with the Portal team on their component upgrades: it seems that only a few were upgraded; feedback from the Portal team received under the Jira ticket. OJSI tickets tracking: Jim/Pawel/Krzysztof/Amy. CII Badging updates: first positive feedback. Communication matrix: ongoing exchanges with Vijay; Krzysztof's scripts would be very helpful (both local host and external world). Recommended upgrades: see presentation. Nexus IQ vs. Whitesoftware. The ODL synch meeting was finally organized on 10th of October; MoM were prepared and shared with participants: 1. Dan shared the link to the ONAP ODL MVP; 2. Luis will now compile the package based on the MVP scope to avoid potential issues with licensing; 3. once the customized ODL package is shared with ONAP (Dan), Jessica will work on preparation of Jenkins jobs with Nexus-IQ scanning; 4. once that is done, Amy will create vulnerability tables and we will organize a next call with the ODL team to review findings, discuss priorities and assess whether they are ODL or upstream vulns. What do we do with MSB or other kinds of projects? Security implications... Action with TSC was taken! A list of projects lacking reaction on security best practices is to be provided. | | |
| - | Alpine recommended version | Jonathan suggested having Alpine with JDK 11 embedded. An e-mail was sent to Morgan and Brian for consultancy. | | |
| | Synch meeting with Architecture Subcommittee | Still waiting for a confirmation from Hampus on possible dates. | | |
| | Synch call with SDNC for OJSIs | It was agreed that the organization of the conf call should be more efficient. An e-mail was sent to Dan to set up the call; waiting for his feedback. | | |