2021-07-27 Security Subcommittee Meeting Notes

Seccom criteria for the integration tests to pass a release

• Add Python and Java version checks

• Achieve 100% level

• Follow exception process if relevant

ongoing

To be presented at the TSC meeting

Last PTLs meeting

• Few (3 or 4) projects should add ONAP wording in their description as they do not show up in CII Badging dasboard.

• https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-07/15_02-27/ For the security testing we score at 40% as of today - our target is to add java and python version testing ar reach 100% to release.

• Please update statuses of your Jira tickets for SECCOM Global Requirements

ongoing

Waiting for a list of project not participating in Istanbul release. 

ESR Waiver

Currently 3 use cases are using ESR:

• ETSI alignement (AAI external system directory API)

• Network slicing (ESR server) but can use AAI external system directory API

• CCVPN case (using ESR GUI server) , they can use AAI sending notification oto DMaaP and SDNC and VFC can pick-up

SO currently ESR in maintenance mode but can be obsolete. If nobody is using ESR, let's remove it from the Istanbul release.

ongoing

CCVPN to be check by Byung if they will use AAI. 

Software BOMs, Hardware BOMs - Muddasar

Presentation:

Open

ongoing

Dependency confusion attacks vs. ONAP SW build process

Packages are downloaded from Internet for ONAP. To be further elaborated with Bob and Samuli.

ongoing

E-mail to be sent to SECCOM distribution list/ONAP distribute.

Update from LFN 

(IT-22333by Pawel, and IT-22334by Thierry)

• Waiting for Thierry’s return

ongoing

Code quality and SonarCloud

Achievements to be presented to TSC

ongoing

Pawel to work with Fabian to present progress and achievements to TSC in this domain.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 3rd OF AUGUST'21. 

SBOM/HBOM continuation.