2023-08-22 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 22nd of August 2023.

Jira No

Summary

Description

Status

Solution


5-year security questionnaire for Policy project

Review of the Policy questionnaire in meetings with the Policy representative

PF - ONAP Security Review Questionnaire - Developer Wiki - Confluence

The Policy Framework team began the review of the 5-year questionnaire and will complete the review at the 22 August meeting.

@Adheli Tavares will attend the 2023/08/29 meeting to complete the review.

Oparent

2023/08/22: Not Covered

Update from 2023-08-21 PTL meeting

-CPS (@Toine Siebelink): will test building CPS without oparent/pom.xml (results 2023-10-01)

-Integration (@Marek Szwałkiewicz): will perform a test build with the profiles commented out

2023-08-15 SECCOM notes

-Only 2 PTLs responded to Amy's e-mail

-No objections to Oparent retirement, but there is no volunteer to keep it up to date

-pom.xml contains more than cross-project common package dependencies

Recommendation:

-Retain oparent/pom.xml

-Make Andreas Geissler a committer and ask the integration or OOM team to update the file per release

-Proposal:

  • Option 1 (short term): ask the integration or OOM team to update the file per release

  • Option 2 (long term): split into multiple pieces that could be independently maintained: dependencies, build directives, profiles

-Byung will discuss with Andreas and OOM team and report at 8/22 SECCOM

-Amy will contact @Liam Fallon and Pam for history

No PTL for AAI, DCAE, OOF

2023/08/22: Not Covered

-Andreas Geissler and Thomas Kulik were made committers

-They will do the work necessary for the projects to participate in the release

Will AAI, DCAE, OOF have security vulnerabilities fixed?


-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take the backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16


ONAP Streamlining

2023/08/22: Not Covered

-Role of SECCOM

-Prioritization of vulnerability fixes

-Prioritization of security enhancements

-Proposal: ONAP projects work with the latest versions of common components such as Istio, Keycloak, Kafka

ONAP Streamlining - The Process (Link)

Deck shared with TSC: ONAP - Streamlining the process Report-2023-8-3-v2.pptx (live.com)


TSC meeting (August 17th)

2023/08/22: Not Covered


LFN-TAC (August 16th)

2023/08/22: Not Covered

Review of security best practice recommendations for LFN projects: Security Best Practices


NEXT SECCOM MEETING CALL WILL BE HELD ON 29th of August 2023.

Recordings:

23_08_22_audio1582474276.m4a

23_08_22_video1582474276.mp4

SECCOM presentation:

2023-08-22 ONAP Security Meeting - AgendaAndMinutes.pptx