2021-12-07 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 7 December 2021.

Columns: Jira No | Summary | Description | Status | Solution

 

Summary: SECCOM presentations for the incoming DDF (January).

Description: SECCOM topics backlog for the DDF (the following four bullets are merged into one topic):

  • Logging requirements clarification – Bob/Byung - https://wiki.lfnetworking.org/display/LN/2022-01-DD+-+ONAP%3A+Security+and+Logging

    • New requirements for Jakarta – Amy/Pawel – all in one – GR review with David

    • Recommended versions (SECCOM and OOM) – Amy/Pawel/Sylvain

    • Package upgrades - Jakarta update - Amy/Pawel

  • Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream - Amy/Pawel/Thomas/Eric - Topic

  • Code quality demo - main session stream – Fabian/Kevin/Toine - Topic

Interproject proposals:

  • SBOMs ONAP story – Muddasar/Pawel - Topic

Status: ongoing


Summary: Jakarta proposed versions update: https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

Description:

  • For CentOS there is a discrepancy between the SECCOM proposal and the version submitted by Morgan.

  • SBOMs would help (to establish which versions the images actually ship).

  • Elasticsearch: probably we are not going to use it; if not, it will be removed from the list.

  • Filebeat (written in Go) in the context of the Java and Python versions: Filebeat uses an optional Python script for data migration.

Status: ongoing

Solution: CentOS version and its usage by the ONAP community to be elaborated with Fabian. A column to be added distinguishing what applies to the container runtime from what applies to the node.
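To make concrete the point above that SBOMs would help with the version discrepancy, here is an added example (not SECCOM or ONAP tooling) that reads a CycloneDX SBOM and compares the OS, runtime and package versions it records against a recommended-versions list. The SBOM document, the image name and every version number in it are constructed placeholders, not the SECCOM proposal, and the four statuses it reports (OK, BELOW, ABSENT, UNLISTED) are this example's own convention.

```python
"""Compare the components recorded in a CycloneDX SBOM against a recommended
versions list.  Added example, not SECCOM/ONAP tooling; the SBOM, the image
name and the recommended versions below are all constructed placeholders."""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON document for a hypothetical container image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "container", "name": "example/app", "version": "1.0.0"}},
  "components": [
    {"type": "operating-system", "name": "centos", "version": "7.9.2009"},
    {"type": "application", "name": "openjdk", "version": "11.0.13"},
    {"type": "application", "name": "python", "version": "3.8.12"},
    {"type": "library", "name": "curl", "version": "7.79.1"}
  ]
}
"""

# Illustrative minimum versions per component name (NOT the SECCOM proposal).
RECOMMENDED: Dict[str, str] = {
    "centos": "8",
    "openjdk": "11",
    "python": "3.9",
    "elasticsearch": "7.16",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.9.2009' or '11.0.13-1.el8' into a tuple of ints for comparison.
    Only the leading dotted-numeric part is used; release suffixes such as
    '-1.el8' or 'rc1' are ignored.  Tuple comparison makes (7, 9) < (7, 9, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def load_components(sbom_json: str) -> Dict[str, str]:
    """Return {lowercase component name: version} from a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"].lower(): c.get("version", "") for c in bom.get("components", [])}


def check_against_recommended(found: Dict[str, str],
                              recommended: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Produce (name, found_version, recommended_minimum, status) rows.

    OK       - present and at or above the recommended minimum
    BELOW    - present but older than the recommended minimum (a discrepancy)
    ABSENT   - on the recommended list but not in the image (candidate for removal
               from the list, as discussed for Elasticsearch)
    UNLISTED - in the image but has no recommendation yet
    """
    rows = []
    for name in sorted(set(found) | set(recommended)):
        have, want = found.get(name), recommended.get(name)
        if have is None:
            status = "ABSENT"
        elif want is None:
            status = "UNLISTED"
        elif parse_version(have) >= parse_version(want):
            status = "OK"
        else:
            status = "BELOW"
        rows.append((name, have or "-", want or "-", status))
    return rows


def discrepancies(rows: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Only the rows where the image is below the recommended minimum."""
    return [r for r in rows if r[3] == "BELOW"]


if __name__ == "__main__":
    report = check_against_recommended(load_components(SBOM_JSON), RECOMMENDED)
    for name, have, want, status in report:
        print(f"{name:<14} found={have:<10} recommended>={want:<8} {status}")
```

Run as a script it prints one row per component; in practice the SBOM would come from an image scanner's CycloneDX output and the recommended list from the versions page linked above, so the same check can be repeated per image for every release.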

 

Summary: Jakarta base images

Description: Michal is working on base images for both Java and Python.

Status: ongoing

Solution: Recommended versions to be shared with Amy.

 

Summary: SCA analysis

Description: Ongoing: direct dependencies have been transferred to an Excel sheet. Jenkins jobs for AAI are failing. Jira tickets created per project.

Status: ongoing


Summary: PTL meeting update

Description:

  • Reminder about the SECCOM requirements (slide 11) for the Jakarta release:

    • Requirements were created accordingly in Jira.

    • REQ-1070 LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – description to be elaborated – done.

  • Jakarta M1 date change – December 9th.

Status: ongoing


Summary: TSC meeting update

Description: SECCOM requirements were approved by the TSC.

Status: done


Summary: Meeting yesterday on unmaintained projects/repos

Description: We need an audit of project dependencies on currently unmaintained projects (and repos).

Status: ongoing

Solution: David to lead this audit and bring it to the TSC.


Summary: Quality gates for code quality improvements

Description: Three levels are under consideration: bronze, silver and gold. The basic level could be reaching 55% code coverage (metric definitions: https://docs.sonarqube.org/latest/user-guide/metric-definitions/). The existing project maturity tables are self-reported, whereas this is a measured approach.

Status: started

Solution: To review the SonarQube levels and the project maturity tables.


SECCOM MEETING CALL WILL BE HELD ON 14th OF DECEMBER'21.

  • Quality gates for code quality improvements – continuation of the discussion.

  • SBOM next steps – which repos/projects to take into account?

 

 

 

Recording: 

 

SECCOM presentation: