Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 4th of January 2022.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
Log4j upgrade | Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 | ongoing | For tracking purpose dedicated Jira tickets to be opened per project and per both releases. | |
https://jira.onap.org/browse/INT-2039 | Limit number of images | Images lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master). | ongoing | |
Centos usage | Used by Postgres with version 8 - we are targetting version 8 stream. | |||
Unmainained projects | Meeting done last Monday - to be continued on Thursday (DOC) meeting. | |||
Jakarta SCA analysis | New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426 | Update recommendations for log4j into 2.17 Post log4j info on ONAP security Wiki. | ||
TSC meeting update |
| Steve move ement Impact on Tony for CII Badging? | ||
PTL meeting update | log4j update | |||
SBOMs | Muddasar sent e-mail to Vijay and Toine. | ongoing | ||
Quality gates | Fabian will have a meeting with Seshu for SO. Next update in January. | ongoing | ||
Kubescape and Trivi scans | https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job. Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi. Threadfix removes duplication of findings from different sources. | ongoing | Fabian will have a meeting with Kubescape. Brian to share info on their Jfrog for Image scanning. | |
SECCOM presentations for incoming DDF (January). | SECCOM topics and overall agenda proposal:
Interproject proposals:
| ongoing | ||
SECCOM MEETING CALL WILL BE HELD ON 18th OF JANUARY'22. | Review - SECCOM presentations for DDF events. Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - which repos/projects to take into account? |
Recording:
SECCOM presentation: