2021-06-29 Security Subcommittee Meeting Notes

Owned by Paweł Pawlak
Last updated: Jul 01, 2021
2 min read

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 29th of June 2021.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

DCAE plans for Istanbul with regards to Security/global requirements – Vijay

Firstfeedback from SECCOM: 

org.apache.tomcat.embed : tomcat-embed-core : although the latest from 9.x train is 9.0.48, there might be some issue with licensing there, so please consider 9.0.46

Slide deck presented by Vijay:

Regular exception process will be used, Vijay provided detailed explaination on the scans findings for it.

For: dcaegen2-platform-inventory-api and dcaegen2-platform-servicechange-handler with architecture change with deployment via HELM,  those components from Honolulu version will be used in Istanbul to be finally retired in Jakarta. 

We are not scanning containers but repos in the SCA.

For Java and Python we run container scans.

In Orange labs (but not for other labs like Windriver) one component is failing with resource limit - exception might be required. https://gerrit.onap.org/r/c/oom/+/122079/9/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml

Internal ONAP HELM registry with fine grained authorization supported by Chartmuseum. It will be explored for next release based on other projects integration scope:

https://gerrit.onap.org/r/c/oom/+/121693

ongoing

Vijay to update Jira tickets with comments on exception request justifications.

SECCOM:  to include 2 additional repos with microservices in the SCA analysis output- done. 

 

 

 

 

 

 

 

 

 

 

 

To be further discussed:

 

Software BOMs - Muddasar

Atomic level to be explored for ONAP  - major ONAP modules, OSes, DBs etc. And how to move on with the upgrade. What should be the smalled unit of tracking for software upgrade. Track it to the level where operator may take actions.

Source of details:

https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-06/28_21-34/security/tern/index.html

We should be able to look into the individual software components which form the package.

Tony will search for a reference from CI Badging for SBOM format.

ongoing

To be further discussed.

 

Jenkins, Gerrit and Sonar

Following the meeting held last week 2 tickets were opened to LFN IT support:

  • IT-22333 for using Confluence as a web server.

  • IT-22334 to describe sonar Jenkins template improvement.

ongoing

 

 

Last TSC meeting update

Critical Jira issue - explained to TSC by Tony

ongoing

 

 

PTLs meting update

ongoing

 

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 6th OF JULY'21. 

  • Feedback on Byung's AAF Service Mesh proposal - Al Laing

  • Next steps for Infrastructure Logging Requirements – Bob

  • Software BOMs - Muddasar

 

 

Recording:

SECCOM presentation: