2022-02-08 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 1st of February 2022.

Table columns: Jira No | Summary | Description | Status | Solution

Summary: TSC update

Description:

  • Conditional approval of Jakarta M2

  • Documented process: ONAP Vulnerability Management

Summary: Process for security review question for the period of the last 5 years

Description:

  • Scope to be proposed by Tony and Muddasar (with wider E2E coverage).

  • Tony provided the OpenSSF Badge security review topics (see meeting deck) and an email with the list of secure design principles from Saltzer and Schroeder.

  • NIST proposal to be reviewed (SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations): https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

Status: started

Solution:

  • Next discussion in two weeks' time.

  • Pawel to recheck with Catherine for her feedback.

Jira No: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423

Summary: Log4j upgrade

Description:

Target version 2.17.1: https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1 (2.17.1 fixes CVE-2021-44832; the earlier 2.15.0, 2.16.0 and 2.17.0 releases fixed CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, so any log4j-core below 2.17.1 remains affected by at least one of them).

Following tickets opened:

  • AAI-3431 - AAI status (4 components with log4j) COMPLETE

    • aai-graph-admin, aai-resources, aai-traversal, aai-common: log4j <2.17.1 direct dependencies updated

  • DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE

    • dmaap-messagerouter-messageservice: log4j <2.17.1 direct dependency updated

  • SDNC-1655 - SDNC status (1 component with log4j)

    • sdnc-oam: log4j 1.2.17 direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591): “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased the priority to high and added the fixed version: Istanbul Maintenance release, plus a comment under the ticket on the need to migrate to log4j-core 2.17.1.

  • VNFSDK-827 - VNFSDK status (1 component with log4j)

    • vnfsdk-ves-agent: no scans for the Istanbul branch -> as per Kanagaraj’s email sent on 24th of August, he mentioned that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.

  • Restricted Wiki for the Istanbul Maintenance release created

  • CVE creation: not needed. The Release Notes will document the repos that were impacted and fixed (direct dependencies) and the transitive dependencies. A CVE is raised for a vulnerability discovered in ONAP's own code, not for a vulnerable third-party dependency that already carries its own CVE.

  • ONAP CVEs opened so far: https://docs.onap.org/projects/onap-osa/en/latest/osalist.html

  • Meeting deck includes vulnerable log4j findings from Trivy, Kubescape and NexusIQ scans

Status: ongoing

Solution:

  • To check with Jess the statuses of the tickets that were recently closed.

  • CLM scans for each project to be done by 4th of February.
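The Log4j row above records a per-repo triage: find log4j in each component, separate direct dependencies (fixed in the repo) from transitive ones (documented), treat log4j-core below 2.17.1 as needing an upgrade and the log4j 1.2.17 case as needing a migration to log4j2. The script below is an added example that applies those rules to `mvn dependency:tree` output; it is not ONAP tooling and complements the Trivy, Kubescape and NexusIQ scans mentioned in the deck. It assumes the plugin's default (non-verbose) text output with the `[INFO] ` prefix and 3-character tree cells; the component names, coordinates and versions in the embedded sample are constructed, not real ONAP artifacts.

```python
"""Triage log4j findings from `mvn dependency:tree` output (added example).

Rules applied: log4j-core < 2.17.1 -> upgrade; log4j:log4j 1.x -> migrate to
log4j2; depth-1 nodes are direct dependencies, deeper nodes are transitive and
are reported with the direct dependency they arrive through.
"""
import re
from dataclasses import dataclass

TARGET = (2, 17, 1)                      # upgrade target set by the meeting
TARGET_STR = ".".join(map(str, TARGET))

# "[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ <module> ---"
HEADER_RE = re.compile(r"--- \S*dependency\S*:tree .*@ (\S+) ---")
# "[INFO] |  \- group:artifact:type[:classifier]:version[:scope]"
# The tree prefix is built from 3-character cells: "+- ", "\- ", "|  ", "   ".
NODE_RE = re.compile(r"^\[INFO\] ([|+\\\- ]*)([A-Za-z0-9][^\s]*)$")


@dataclass
class Finding:
    component: str
    coordinate: str   # group:artifact:version
    direct: bool      # depth 1 = declared in the component's own POM
    via: str          # direct dependency a transitive finding arrives through
    action: str


def parse_version(version: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); '2.17.1-rc1' -> (2, 17, 1); '1.2' -> (1, 2, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def split_coordinate(coord: str) -> tuple:
    """(group, artifact, version) from g:a:type:version[:scope] or g:a:type:classifier:version:scope."""
    parts = coord.split(":")
    version = parts[4] if len(parts) >= 6 else parts[3]
    return parts[0], parts[1], version


def classify(group: str, artifact: str, version: str):
    """Action for a log4j artifact, or None if nothing is needed."""
    if group == "log4j" and artifact == "log4j":
        # log4j 1.x is end-of-life: there is no fixed 1.x release, so migrate.
        return f"migrate to log4j2 >= {TARGET_STR} (log4j 1.x is end-of-life)"
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        # The fixes live in log4j-core; log4j-api on its own has no lookup code.
        if parse_version(version) < TARGET:
            return f"upgrade log4j-core {version} -> {TARGET_STR}"
    return None


def triage(tree_output: str) -> list:
    """Walk one or more dependency trees and return the log4j findings."""
    findings, component, pending_header, path = [], None, False, []
    for line in tree_output.splitlines():
        header = HEADER_RE.search(line)
        if header:
            component, pending_header, path = header.group(1), True, []
            continue
        node = NODE_RE.match(line)
        if not node:
            continue
        depth = len(node.group(1)) // 3
        group, artifact, version = split_coordinate(node.group(2))
        if depth == 0:                    # root of a tree
            if not pending_header:        # no plugin header: name it after the root
                component = artifact
            pending_header = False
        label = f"{group}:{artifact}:{version}"
        del path[depth:]                  # drop the previous branch at this depth
        path.append(label)
        action = classify(group, artifact, version)
        if action:
            direct = depth == 1
            via = "" if direct else path[1]
            findings.append(Finding(component or "(unknown)", label, direct, via, action))
    return findings


def report(findings: list) -> dict:
    """Group findings per component, worded the way the release notes need them."""
    out = {}
    for f in findings:
        how = ("direct dependency: fix in the repo" if f.direct else
               f"transitive via {f.via}: pin in dependencyManagement or exclude, and document")
        out.setdefault(f.component, []).append(f"{f.coordinate}: {f.action} ({how})")
    return out


# Constructed sample in `mvn dependency:tree` format; names and versions are made up.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-aai-resources ---
[INFO] org.example.aai:example-aai-resources:jar:0.1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] \- org.example.aai:example-common:jar:0.1.0:compile
[INFO]    \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-data-migrator ---
[INFO] org.example.sdnc:example-data-migrator:jar:0.1.0
[INFO] \- log4j:log4j:jar:1.2.17:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-messageservice ---
[INFO] org.example.dmaap:example-messageservice:jar:0.1.0
[INFO] +- com.example:some-lib:jar:1.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for component, entries in report(triage(SAMPLE_TREE)).items():
        print(component)
        for entry in entries:
            print("  -", entry)
```

In practice run `mvn dependency:tree` in each repo (per branch, since the Istanbul maintenance branch is the one being fixed here) and feed the concatenated output to `triage`; the transitive entries give the "via" artifact that the release notes need, and the direct entries are the POM changes to raise in the per-project tickets.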

 

Summary: SBOM creation

Description: Jess created a ticket, which is in progress, but Jess is currently occupied with the Nexus3 issue.

Status: ongoing

Summary: Security logging next steps

Description:

  • Bob presented the phased approach for security logging, which was consulted with the SECCOM team.

  • ONAP Security Event Management

  • Meeting time blocked for recurring logging calls on Fridays at 3 PM UTC. Email @Amy Zwarico or the SECCOM mailing list to be added to the invitation.

Status: ongoing

Solution: Meeting on Friday at 3 PM UTC to be organized by Amy as a working group session with Fiachra, Toine and Sylvain.

Summary: ONAP quality gates

Description:

Quality assessment mainly for the submitted code (= delta)

  • Integrate tests with CPS

  • SO PoC

Status: no update

Solution: Waiting for feedback from Seshu.

SECCOM MEETING CALL WILL BE HELD ON 15th OF FEBRUARY '22. Agenda:

  • Quality gates for code quality improvements - continuation of the discussion.

  • SBOM next steps - status update with DCAE.

Recording:

SECCOM presentation: