2022-03-08 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 8th of March 2022.

Jira No

Summary

Description

Status

Solution


Synch with ONAP documentation - Thomas

Release Notes organization:

Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO, VNFSDK.

https://docs.onap.org/en/latest/release/index.html#istanbul-maintenance-release-9-0-1

  • Where to place info about transitive dependencies (composite/project/repo release notes): in both the composite release notes and the per-project/functional-element release notes.

  • The level of detail for this info: just a note about the remaining transitive dependency and, under bug fixes, a note on fixing log4j by upgrading the relevant repo component.

  • The author for this info: Amy

  • How to communicate it to the projects: with a Jira ticket created per transitive dependency for log4j.

Projects/functional repos with transitive dependencies for log4j:

  • onap-aai-aai-common

  • onap-aai-babel

  • onap-aai-resources

  • onap-aai-schema-service

  • onap-aai-traversal

  • onap-ccsdk-apps

  • onap-ccsdk-cds

  • onap-ccsdk-distribution

  • onap-ccsdk-features

  • onap-ccsdk-parent

  • onap-ccsdk-sli

  • onap-dcaegen2-services-mapper

  • onap-dmaap-messagerouter-messageservice

  • onap-multicloud-framework-artifactbroker

  • onap-sdnc-apps

  • onap-so

  • onap-vnfsdk-refrepo

  • onap-vnfsdk-validation

ongoing

Tickets to be opened by Pawel for the remaining transitive dependencies, one per relevant project.

Security Logging Presentation to Akraino TSC - Bob

The security logging presentation is today at 1500 UTC. Here is the meeting info if you would like to join.

https://wiki.akraino.org/display/AK/TSC+2022-03-08+%28Tuesday%29+7%3A00+am+Pacific

ongoing

ONAP Security Review Questionnaire template first cut – Tony

https://lf-onap.atlassian.net/wiki/display/DW/ONAP+Security+Reviews
https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template

We want to start simple and small.

Time it takes to document vulnerabilities and time it takes to resolve them. The Assurance section might be expanded.

ongoing

SECCOM members to review the proposed draft and discuss it further next week.

Package upgrades for Jakarta

As of today the project teams have upgraded 103 of 299 identified vulnerable direct dependencies for the release (~34%).

Ask the TSC to focus on security by sending an e-mail to the TSC and discussing this issue on Thursday.

Daylight saving time shift in the US on 13th March and in the EU on 27th March.

Please check that the meeting invitations are displayed accordingly.

Quality gates

No update. Meeting with Seshu to be done.

Issue with Wiki creation by Tony

Ticket to be created to solve the issue.

SECCOM MEETING CALL WILL BE HELD ON 15th OF MARCH '22.

Agenda:

  • Quality gates for code quality improvements - continuation of the discussion.

  • 5Y review criteria.

Recording:

SECCOM presentation: