2021-09-07 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of September 2021.

Jira No | Summary | Description | Status | Solution


Jira No: REQ-801, REQ-800, REQ-863, REQ-443
Summary: M3 update
Description:
  Java upgrades - good progress.
  Python upgrades - good progress as well.
  Package upgrades - very good progress - 16 tickets closed already; vulnerabilities removed: 679/776 (based on tickets). Still some projects that did some upgrades but have not updated the restricted Wiki.
  New Sonatype function to filter direct vs. transitive dependencies.
  Weak cryptography and injection items - excellent progress. A few are still open (projects no longer maintained, e.g. Portal).
  For Jakarta, a few other items that SonarCloud highlights - Jira tickets to be written for those (blocking and critical).
Status: ongoing
Solution:
  To be checked if we have waivers for all remaining tickets.
  PTLs meeting shall address the gaps on the restricted Wiki.
  Projects with open status on their Jira tickets to be elaborated.
  Will Portal be excluded from future ONAP releases? - Byung to investigate.

Summary: Software BOMs
Description:
  Documentation review - Nexus account manager contacted. It is part of the Nexus product lifecycle licence (CycloneDX format). APIs for info extraction to be checked.
  Access to Nexus-IQ server - which group shall be used for that; REST API calls are possible now and will be used for SW BOMs.
Status: ongoing

Summary: Logging requirements
Description:
  Almost 50% of the metadata fields defined - good progress.
  Some of the GitHub repos have md (markdown) files with a good description of logging; SO is a good example.
Status: ongoing

Summary: Dependency confusion attacks vs. ONAP SW build process
Description:
  Bob had exchanges with Jess on filtering rules and dependency management software.
Status: on hold
Solution:
  To be further elaborated with Samuli.

Summary: Security Risk Assessment and Acceptance
Description:
  The Excel table initially prepared 3 years ago to be shared and reviewed at the next SECCOM; frameworks to be reviewed as well (NIST and ISO).
Status: ongoing

Summary: Feature request template
Description:
  Alla, who leads the ONAP Requirements Subcommittee, to be contacted to provide details.
Status: ongoing
Solution:
  Muddasar to be introduced to Alla by Pawel.

Summary: Last TSC meeting
Description:
  • TSC voted to approve M3; 90% of issues closed due to good progress
  • 16th of September for M4 gating
  • Jakarta release and timeline discussed
  • Michal Jagiello – new PTL for Integration
Status: ongoing

Summary: Code quality update
Description:
  Status to be checked; there were some exchanges with Thierry and Jess.
Status: ongoing
Solution:
  Slide to be presented at the next PTLs meeting.

Summary: Last PTLs meeting
Description:
  Meeting was cancelled (Labor Day in the US).
Status: ongoing
Solution:
  Slot to be booked for the next PTLs meeting.

Summary: CADI and AAF replacement
Description:
  DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee.
Status: ongoing
Solution:
  Byung to present an update at the next SECCOM.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF SEPTEMBER'21.

M3 update - waivers review

Software BOMs

Logging requirements update

Security Risk Assessment and Acceptance – review frameworks and old Excel file

Dependency confusion attacks vs. ONAP SW build process - sync with Samuli

Code quality update

CADI and AAF replacement


Recording: 

SECCOM presentation: