| | | | |
|---|
| Java release strategy | https://en.wikipedia.org/wiki/Java_version_history | | Use only Long Term Support versions: v11 (and v17 in the future) |
| Java and Alpine upgrade for Frankfurt | -SECCOM requires that Java projects upgrade to Java 11 (Java SE 11.0.5) and Alpine 3.10.3 in Frankfurt -PTL latest feedback (call on 18th of November) Martial shared his container with Java 11.0.5 and Alpine 3.10.3 Pam proposed to synch with Integration Team - we will join their weekly call on Wednesday 2PM UTC and address: Container management OJSIs context (but Krzysztof will be not available), including scripts for http vs. https Moving to later version than Java 11 may cause problem for oparent, which specifies Java 11 Frankfurt version of oparent is 3.x (is it available on Nexus already?) and specifies Java 11 All projects in El Alto use oparent 2.x Distinction between the Java runtime and the Java source code versions Java runtime is backward compatible Source code can be Java 8 or higher Runtime can be Java 11 Java 11: Java SE 11.0.5
| | -SECCOM recommendation (modified) Prebuilt images CLAMP has a created a Java 11 Docker image that can be used by other projects -
https://gerrit.onap.org/r/c/clamp/+/91241/4/src/main/docker/backend/Dockerfile Java 12 or 13 ( both not recommended due to its short LCM) SECCOM updated REQ-219 with the following Required version of Java 11 JDK: Java SE 11.0.5 Requirement that shared libraries must run in JDK 11 Due to end of support for Java 8, SECCOM recommends all ONAP projects to analyze for their specific case the impact of migration from Java 8 to Java 11, the next long term support (LTS) version. In order to provide feasible requirements to the teams, we propose: All projects SHOULD be migrated to Java 11 (Java SE 11.0.5) for the Frankfurt release
Python – Vijay poposed image with 3.7 version and Alpine: https://hub.docker.com/_/python - to be further analyzed (Amy) |
| Password encryption | Passwords encrypted before putting passwords in OOM - efforts to make more secrets – not to put private key in the same place Certificate, private key are on a shared volume There should be no passwords in OOM, should use init config Password and encryption key are both on the shared volume
| | Krzysztof, Jonathan, Samuli will discuss solutions and provide a recommendation |
| ONAP SECCOM and MSB synch call (15/11/19) | -OJSI review and explaination (Krzysztof) -CII Badging review (Tony) – feedback was already provided | | |
| SECCOM and CLI synch call proposed to Kanagaraj | but no answer so far… | | Update 22/11/2019: Meeting to be scheduled on Monday 25th of November. |
| Nexus-IQ vs. Whitesource | -Renan was reasked for the status update – feedback received that some effort is planned in current week (W47), Jess confirmed her availability -Dan completed his analysis for known vulns in CCSDK | | Update 22/11/2019: Meeting scheduled between Jess and Renan on Friday 22nd of November at noon. |
| initial PoC for OOM call for OOM common secrets (Krzysztof) | | | |
| ONAP F2F in Prague – topics proposals (https://wiki.lfnetworking.org/display/LN/Call+for+ONAP+DDF+Topics+-+Prague+2020 ): | SECCOM F2F Working session – testable VNF security requirements Joint discussion with CNTT on security like security requirements, Status update OOM password removal Status update ingress controller introduction ISTIO common discussion Communication matrix update – diagram and interactions from it
| | |
| Remediating direct and transitive third party dependencies (topic for 19/11/19) | -PTL feedback Determining effective and ineffective status of vulnerabilities is extremely time consuming Analysis direct and transitive is time consuming Determining remediation action difficult NexusIQ does not provide this analysis directly
-Proposal for dependency remediation in Frankfurt Require projects to upgrade their direct dependencies to latest version of package at M1 Considered industry best practice Will not eliminate all vulnerabilities, but will reduce the number KPI – number of packages upgraded Edge cases Projects with ODL dependencies
| | |
