2022-06-21 Security Subcommittee Meeting Notes

Please find below the minutes of meeting and the recording for the SECCOM meeting that was held on 21st of June 2022.

Table columns: Jira No | Summary | Description | Status | Solution


LFN Developer & Testing Forum June 13th-16th Porto, Portugal - summary

SECCOM retrospectives:

  • Log4j fix implementation in Istanbul Maintenance Release

  • Jakarta security status update

Kohn security goals:

  • Global Requirements and Best Practices

  • Security PoCs:

      • security log fields

      • logging requirements

      • code quality

      • service mesh

  • SBOM enablement and maintenance, and packaging

  • Waiver policy update

  • On the road to gold badging

  • Reducing technical debt

  • Container signing

  • Container scanning

  • 5Y project review

  • Removing unmaintained code

ongoing

  • ODL (Robert Varga) is offering some experience with the CycloneDX format and SBOM to be reviewed by the ONAP SECCOM - e-mail sent to Robert.

  • To check with Robert Varga and Muddasar Ahmed on the SBOM proxy - e-mail sent to Robert.

Waivers review between releases

Work started. Results for root_pods and unlimitted_pods from Guilin to Jakarta.

started

To be completed for remaining categories by Pawel - done

ONAP Kohn recommended versions

https://lf-onap.atlassian.net/wiki/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

Amy's team is doing a last check for data quality.

Last TSC June 9th 

Sign-off pushed to 23rd of June. Cassandra stability issue. SECCOM will not block the release.

Sync with OOM:

DTF presentation from Tata Communications

Older ONAP version used. https://wiki.lfnetworking.org/display/LN/2022-06-DD+-+ONAP%3A+The+Path+to+a+Production-Grade+ONAP

To share with them what we are doing.

SBOM

Still no update from Jess.

To be escalated to the Governing Board so that SBOM and LF IT get proper focus. Ranny was contacted by e-mail as a follow-up of the DTF discussion.

Whitesource (mend.io) container scans

New ticket submitted to LFN IT: IT-24112 - Jess was asked for an update.

Technical debt

PTLs to be consulted to learn how a PTL thinks when looking at Jira tickets. Vijay will be on PTO for the next 2 weeks, so DCAE and AAI will not be under consideration.

Ask for volunteer PTLs at the next PTL meeting. Amy and Muddasar to sync with each other on that.

Automation for dependency management

https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

Muddasar is presenting MITRE's FiGHT framework for 5G security at HardenStance (6/23).

In case anyone is interested, here is the link:

https://events.adaptivemobile.com/hardenstance-ttsi2022/agenda-day2

SECCOM MEETING CALL WILL BE HELD ON 28th OF JUNE '22.

15 minutes for Muddasar to present 5G security.

Recording: 

SECCOM presentation: