Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 27th of April 2021.

Jira No
SummaryDescriptionStatusSolution

TSC meeting update
  • New Global Requirements – TSC approved

-CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES

-CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL

  • Promote to Best Practice - TSC approved

-LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA

doneJira tickets per projecs to be created.

NSA proposal follow-up

Meeting scheduled on May 3rd.

ongoingAll interested contributors are wlecome to join this follow-up session.

Questions for SonarCloud (slides 4 and 5)

Already shared with SonarCloud - waiting for a feedback.ongoingTo check with SonarCloud representative (Sylvain) when feedback could be expected.

New Jira tasks for java and python upgrades in Istanbul release

Were already created - couple of project claimed that they already done.ongoingTo check next test results.

NEXUS-IQ container scanning

Scans of the containers show the same vulns as scans of the source code. On container scans there is no indication on transitive/direct dependencies, so PTLs lose infrmation - update of the transitive dependency might break the code!

We would like to surpress all the results that are not in the code base.

ongoingSonatype to be contacted via Jess to check if ability to do the correlation exists or is planned.

IT-21675 Jacoco integration with SonarCloud (info from Christophe)

As Sonar team and Jacoco team are still arguing on this topic on forums, target was reached using unit tests only (so this is not critical anymore)

ongoing

NEXUS-IQ – SCA analysis started for Istanbul release

DCAE made a good progress - some repos free of critical vulnerabilities. For some repos upgrade is not enough  as no remedy exists yet - to be docuemented properly.ongoingTo complete SCA analysis by end of next week.

Continuation of discussion on Fabian’s comment on logging management

Logs management to be taken up to Archiecture Subcommittee, so beyond security. We do have standard what to do with logs but it was not followed for a while. 

Container run time requirement and entire virtualized requirement (all event types collected)- we mix those 2. Logs transfer need to be secured.

Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationIDMDC-InvocationID

ongoing

Fabian to present most recent logging management archiecture to Archiecture Subcommittee.

Bob to elaborate the link provided.


Additional 2 resources from Orange to improve ONAP security 

DMaaP PTL integrated changes and additional 8 new blocking points had to be fixed.

Next step started work on security for SO.

This will be rather for Istanbul.

Done for DMaaP

ongoing for SO



OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 4th OF MAY'21. 

Whe start pushing few other items in CII Badging or SonarCloud? To adrress it next week at the SECCOM.

Review of the document (link) provided by Bob.




Recording:


SECCOM presentation:




  • No labels