2022-04-05 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 5 April 2022.

Each item below is recorded with the columns of the meeting table: Jira No (where one exists), Summary, Description, Status and Solution.

 

Summary: Issue raised with SECCOM by Kohei about a critical information leak

Description: Ticket to be opened to SDNC; see the last message to SECCOM on tokens and logins/passwords.

Status: started

Solution:

  • Ticket opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - done

  • Confirmation e-mail sent to Kohei - done

 

Summary: CPS gold badge

Description: Two tickets created at LFN IT:

  • IT-23828 2FA (two-factor authentication) needed for merging to Gerrit in ONAP

  • IT-23829 Hardening of LFN-hosted ONAP project web sites

Status: started

 

 

Summary: Istanbul Maintenance Release Notes

Description:

  • https://jira.onap.org/browse/CCSDK-3602 - malformed table, needs to be fixed

  • https://jira.onap.org/browse/SDNC-1670 - AAF transitive dependency

Status: ongoing

 

 

Summary: PTLs meeting on April 4th

Description:

  • Istanbul Maintenance Release (log4j mitigation): all documented Jira issues resolved; the release is completed.

  • Unmaintained project discussion

  • New GUI project as a Portal alternative

Status: ongoing

Solution: SECCOM shall provide a proposal/recommendation on unmaintained projects to the TSC; a sync-up with the Architecture Subcommittee is needed, and Byung will check with Chaker. Amy to draft the proposal by the end of this week and send it to the SECCOM distribution list.

 

Summary: TSC meeting on March 31st

Status: ongoing

 

 

Summary: SBOM status update

Description: Vijay turned the flag on; to be followed up with Jess. Open question: SBOM for Python? Fabian is using Trivy with the CycloneDX output format; there is no SPDX output option.

Status: ongoing

Solution: Tony to re-share the e-mail.
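Added example for the SBOM item above (not ONAP, Trivy or any project's own code): a small Python consumer for the CycloneDX JSON that Trivy emits. It shows that a Python (pkg:pypi) component sits next to a Maven one in the same document, and how the SBOM ties back to the Istanbul log4j mitigation by matching components against an advisory list. The SBOM document and the advisory list are constructed for the example; the log4j entry uses the real CVE-2021-44228 fix threshold (log4j-core below 2.15.0), while the examplelib package and its advisory id are hypothetical.

```python
"""Flag vulnerable components in a CycloneDX JSON SBOM (added example, not project code)."""
import json
import re

# Constructed CycloneDX document in the shape of a Trivy export
# (`trivy image --format cyclonedx`): a "components" array with purl and version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "requests", "version": "2.27.1",
         "purl": "pkg:pypi/requests@2.27.1"},
        {"type": "library", "name": "examplelib", "version": "0.9.2",
         "purl": "pkg:pypi/examplelib@0.9.2"},  # hypothetical package
    ],
})

# Constructed advisory list keyed by purl without version; the value is
# (advisory id, first fixed version).  The log4j entry is the real
# CVE-2021-44228 threshold; the examplelib entry is hypothetical.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("CVE-2021-44228", "2.15.0"),
    "pkg:pypi/examplelib": ("EXAMPLE-0001", "1.0.0"),
}


def parse_version(v):
    """Turn '2.14.1' or '1.0rc1' into a comparable tuple of ints.

    Non-numeric suffixes are dropped and the tuple is padded to three parts;
    good enough for a threshold check, not a full PEP 440 / Maven parser.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (purl without version, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        base, version = base.rsplit("@", 1)
        return base, version
    return base, None


def purl_types(sbom_json):
    """Count components per package ecosystem (the purl type: maven, pypi, ...)."""
    counts = {}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl and purl.startswith("pkg:"):
            ptype = purl[4:].split("/", 1)[0]
            counts[ptype] = counts.get(ptype, 0) + 1
    return counts


def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return the components whose version is below the advisory's fixed version."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the package identity cannot be matched
        base, version = split_purl(purl)
        version = version or comp.get("version")
        if base not in advisories or version is None:
            continue
        advisory_id, fixed = advisories[base]
        if parse_version(version) < parse_version(fixed):
            hits.append({"purl": purl, "advisory": advisory_id, "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    print("ecosystems:", purl_types(SAMPLE_SBOM))
    for hit in find_vulnerable(SAMPLE_SBOM):
        print(f"{hit['purl']}: {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Matching on the purl rather than on the display name avoids confusing packages that share a name across ecosystems; a real scanner would also carry affected-version ranges rather than a single fix threshold.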

 

Summary: Updates to Secure Design Questionnaire - Maggie

Description: No additional comments.

Status: ongoing

Solution: Action from one of the last meetings: Muddasar will prepare a grade rate assessment proposal.

 

Summary: Security logging update - Bob

Description: PoC phase; in communication with Toine. A sync with Byung is needed.

Status: ongoing

Solution: Bob to contact Byung.

 

Summary: Linux Security Summit - CFP

Description:

  • Linux Security Summit, happening June 23-24 in Austin, Texas, plus virtual. Don't delay: submissions are due Wednesday, March 30. View suggested topics, learn more and submit here: https://events.linuxfoundation.org/linux-security-summit-north-america/program/cfp/

  • Presentation proposal for the Global Security Vulnerability Summit, prepared with Amy - submitted

  • Tony's proposal on security principles in the implementation - submitted

Status: ongoing

Solution: SBOM visibility to be added to the deck; a consultation with Muddasar is planned.

 

Summary: Next ONAP F2F

Description: https://events.linuxfoundation.org/lfn-developer-testing-forum/ - registration open

Status: started

Solution: Please consider your personal participation, so that the SECCOM team can meet again.

 

SECCOM MEETING CALL WILL BE HELD ON 12th OF APRIL '22.

Topic: Quality gates for code quality improvements - Fabian's presentation. Fixing SonarCloud findings, with the focus on new code.


Recording: 

 

SECCOM presentation: