2020-01-28 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting that was held on 28th of January 2020.

Jira No

Summary

Description

Status

Solution

The script for automatic Jira ticket generation for direct dependencies to be upgraded was successfully tested with CLAMP by Julien and Pierre.

2 scripts were created in Python

  • script 1: uses Maven and creates JSON of the direct dependencies to be upgraded

  • script 2: takes the JSON generated by script 1 and creates a Jira ticket for each package to be upgraded

The scripts were reviewed, as well as CLAMP.

Next steps:

  • Before creating a ticket, the script could check whether it already exists.

  • Scripts available under Julien's github: https://github.com/JulienBe/onap-dep

  • Present solution to PTLs and get feedback on how to integrate the scripts into the ONAP development cycle to generate the project jiras for package upgrades
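
The two-script flow and the proposed "check before creating" step, as an added Python example; it is not the code from the repository linked above. It assumes script 1 reads the report of `mvn versions:display-dependency-updates`; the Maven output, the summary convention and the project key are constructed for illustration, and the existing summaries would in practice come from a Jira search.

```python
import re

# Constructed sample of `mvn versions:display-dependency-updates` output,
# including an entry the plugin wrapped onto a second line.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   com.fasterxml.jackson.core:jackson-databind ....... 2.9.8 -> 2.10.2
[INFO]   org.apache.commons:commons-lang3 ...................... 3.8 -> 3.9
[INFO]   org.springframework.boot:spring-boot-starter-web ...
[INFO]                                   2.1.5.RELEASE -> 2.2.4.RELEASE
"""

UPDATE_RE = re.compile(r"^([\w.\-]+):([\w.\-]+)\s+\.+\s+(\S+)\s+->\s+(\S+)$")
KEYS = ("group", "artifact", "current", "latest")


def parse_updates(mvn_output):
    """Step 1: turn the Maven report into a JSON-serializable list."""
    updates, pending = [], ""
    for raw in mvn_output.splitlines():
        line = (pending + " " + raw.replace("[INFO]", "", 1).strip()).strip()
        pending = ""
        if line.endswith("...") and "->" not in line:
            pending = line  # the versions continue on the next line
            continue
        match = UPDATE_RE.match(line)
        if match:
            updates.append(dict(zip(KEYS, match.groups())))
    return updates


def summary_for(dep):
    # Hypothetical summary convention; it doubles as the de-duplication key.
    return "Upgrade {group}:{artifact}".format(**dep)


def plan_tickets(project_key, updates, existing_summaries):
    """Step 2: build Jira create-issue payloads, skipping existing tickets."""
    seen = {s.strip().lower() for s in existing_summaries}
    payloads = []
    for dep in updates:
        summary = summary_for(dep)
        if summary.lower() in seen:
            continue  # a ticket for this package already exists
        seen.add(summary.lower())
        payloads.append({"fields": {
            "project": {"key": project_key}, "issuetype": {"name": "Task"},
            "summary": summary,
            "description": "Upgrade from {current} to {latest}.".format(**dep)}})
    return payloads
```

Keeping the version out of the summary means a later run with a newer target version still matches the open ticket instead of creating a second one.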

 

Java and the new licensing model for Oracle JDK versus OpenJDK – Natacha

Oracle JDK is commercial; the benefit is updates.

OpenJDK is open source and therefore free of charge, but with support for Java 11 and not for earlier versions.

JRE (compilation not possible) vs JDK (compilation possible). Packaging change for Java 11.

A presentation is to be submitted to the next TSC meeting to ensure a common understanding of the risk. The Java 8 JRE is bundled with the Java 8 JDK.

2 ways to deploy ONAP:

  • out of the box: without hardcoded passwords, but with generated ones using a single master password; in some cases with already existing secrets,

  • the user provides a few hundred passwords

For containers, we should be able to provide plain-text passwords.

ONAP out of the box uses a password generator of a certain type, which is to be documented for ONAP.

  • Which secret names are used

  • Documentation is needed

  • A Helm template is used

 

PTLs call

  • Asked PTLs to link SECCOM requirements with their project Jira tickets.

  • Meeting with the OOM team to help develop a template so that projects can correctly configure their containers to pass the Integration Kubernetes tests.

 

Template to be created.

 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 4TH OF FEBRUARY'20