2020-02-11 Security Subcommittee Meeting Notes

Please find below the minutes of meeting and recording for the SECCOM meeting that was held on 11th of February 2020.

Table columns: Jira No, Summary, Description, Status, Solution

Jira No: REQ-263

Summary: Update on requirement for projects to update out-of-date direct dependencies.

Description:

Description and examples of the CLAMP script.

Feedback from the PTLs' meeting was to not run the script because the Jira tickets would create additional work. They would prefer to track progress using Gerrit reviews.

SECCOM:

  • Jenkins runs unit tests for major and minor versions.

  • JUnit tests may not catch all impacts of upgraded packages. Results may be repo dependent.

  • It may be possible to leverage oparent.

Actions: put ideas on onap-discuss and set up a separate meeting if there is enough interest.

Status: On Hold

Solution: Remediating Known Vulnerabilities in Third Party Packages

Summary: Automated K8S tests enabled for Frankfurt

Description:

Feedback from PTLs

Propose enabling

Present to TSC

Solution: Docker and Kubernetes Security

Summary: Secrets encryption

Description:

Krzysztof has a draft wiki page documenting the approach for ONAP secrets management and would like feedback.

Questions for Krzysztof:

  • Are secrets stored as clear text or base64?

  • Which projects have had the clear text secrets removed?

  • How is the master password protected?

Status: In Progress

Solution: ONAP secret management

Summary: SECCOM chair and vice chair elections

Description: Confirm that the correct voting member for your company is on the Security Sub-committee Members list.

Summary: Java and the new model of licensing for Oracle JDK versus OpenJDK – Natacha

Description:

Oracle JDK is commercial; the benefit is updates.

OpenJDK is open source and so free of charge, but with support for Java 11 and not for earlier versions.

2/11 update

Docker images for both the Debian and Alpine releases of the Java 11 JDK will be available for all projects.

TSC wants to know which distribution of the OpenJDK is used; the Integration team/OOM are to be contacted, and a discussion is planned for the next status meeting on Wednesday. SECCOM cares about Java 11 and not a particular distribution; we appreciate a common image from a governance and harmonization perspective, with coordination on the release manager side.

Next steps:

E-mail to be sent to Morgan, with Pawel B. in copy, to confirm whether the image is already created.

2/11: Confirm documentation and location of Debian and Alpine images.

Summary: Upcoming F2F meetings

Description:

Decide which meeting(s) SECCOM wants to focus on

Start collecting topics for the meeting(s)

Status: In Progress

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 18TH OF FEBRUARY '20