2022-06-28 Security Subcommittee Meeting Notes

Please find below the minutes and recording for the SECCOM meeting held on 21st of June 2022.

Columns of the action-item table: Jira No, Summary, Description, Status, Solution (the Jira No column is empty for every item).

Open items from 6/21
  Description:
    • Consolidate ONAP ServiceMesh wiki pages
    • Present container signing to PTLs - the 6/27 PTL call was used to evaluate the Jakarta release status; present on 7/1
  Status: ongoing
  Solution: Any ONAP project to participate in "Container Signing" - Amy will present the concept at the next PTL call, June 27th, 2022.

Jakarta status
  Description: Release approval waiting for input from CLI about the failed nodeport test: port 30271 refusing a connection (https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2022-06/24_05-56/infrastructure-healthcheck/k8s/nodeport_check_certs/certificates.html)
  Status: ongoing

Kohn status
  Description:
    • Package upgrade tickets created for each project and set to block REQ-1211
    • Infrastructure recommendations for Database, Java, Python, Docker, Kubernetes, and Image Versions
  Status: ongoing

MITRE FiGHT
  Description: Muddasar presented the MITRE FiGHT framework
  Status: complete

SBOM
  Description:
    • Ongoing issue with SBOM - Muddasar
    • Muddasar contacted CPS, A&AI and SDNC to ask them to try adding SBOM creation to their Jenkins jobs.
    • Issue with the repo structure - LFIT/LFDEV has not yet delivered a solution.
  Status: ongoing
  Solution: Governance board to be escalated to for SBOM and LF IT proper focus. Ranny was contacted by e-mail as a follow-up to the DTF discussion.

Last TSC June 23rd
  Description:
    • Sign-off pushed to the 27th of June PTL call (CLI nodeport failure).
    • Conditional approval of Kohn M1
    • Ongoing SBOM creation issue - Muddasar to follow up with PTLs, LFIT and Ranny Haiby
    • Nominations for new LFNGB committer delegate underway. Candidate cannot be from ONAP this year.

Logging Global Requirement
  Description: Promoting Logging Best Practice to Global Requirement - Bob
  Solution: Bob will follow the process: present the GR proposal to PTLs for feedback, then request approval to make it a CR for London.

Tata Communications production logging implementation
  Description: Overview of the Tata Communications DTF presentation on their production logging implementation - Bob [move to 7/12]
    https://wiki.lfnetworking.org/display/LN/2022-06-DD+-+ONAP%3A+The+Path+to+a+Production-Grade+ONAP
  Solution: Bob to present on 7/12

Waivers review between releases
  Description: Work started. Results for root_pods and unlimited_pods from Guilin to Jakarta.
  Status: started
  Solution: To be completed for remaining categories by Pawel - done. Review on 7/1.

Synch with OOM:

Overview of Tata Communications Logging solution
  Description: Older ONAP version used. https://wiki.lfnetworking.org/display/LN/2022-06-DD+-+ONAP%3A+The+Path+to+a+Production-Grade+ONAP
  Solution: To be shared what we are doing with them.

Whitesource (mend.io) container scans
  Description: New ticket submitted to LFN IT: IT-24112 - Jess was asked for an update.
  Status: ongoing

Technical debt
  Description: PTLs to be consulted, to learn how a PTL thinks when looking at Jira tickets. Vijay will be on PTO for the next 2 weeks, so DCAE and AAI will not be under consideration.
  Status: ongoing
  Solution: Ask at the next PTLs meeting for volunteering PTLs. Amy and Muddasar to synch with each other on that.

Automation for dependency management
  Description: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

SECCOM MEETING CALL WILL BE HELD ON 5th OF July'22.
  15 minutes for Muddasar to present 5G security.











Recording: 

audio1758116385.m4a

video1758116385.mp4



SECCOM presentation:

2022-06-28 ONAP Security Meeting - AgendaAndMinutes.pptx