PTL 2018-09-17
Duration 60 minutes
Duration | Agenda Item | Requested by | Notes / Links |
---|---|---|---|
START RECORDING | | | |
Sonatype Nexus CLM update | | | |
Agreement
- After further discussion during the PTL meeting, and in order to provide a better tracking mechanism for developers, it was decided to proceed with a two-step approach (documented in slides #8):
  - PTLs have a working private wiki page that contains all the info (CVE, artifacts, version, modules). The private wiki page is located under the Security space at /wiki/spaces/SV/overview and is accessible to PTLs, SECCOM and committers. Optional page, for the team to decide. Link: /wiki/spaces/SV/pages/16089093.
  - Team (Amy, Steve, Pavel) to review and curate (create a new public page) for PUBLIC publishing.
Action items
- Gildas Lanilis Gmail Follow up with Seshu to discuss vulnerabilities impacting multiple projects.
Zoom Chat Log
06:10:45 From Kenny Paul (Linux Foundation) : https://lf-onap.atlassian.net/wiki/display/SV/Security+Vulnerabilities+Home
06:14:26 From Catherine Lefevre : Thank you Kenny !
06:19:14 From Michael O'Brien(Amdocs,LOG) : Question on visibility and priority: If a CVE affects an internal port - usually DB for example - it would be lower than a CVE on a REST endpoint exposed by a NodePort/LB - The larger question: are we expecting hackers inside the network - or should we concentrate on directly exposed ports first?
06:23:03 From Jimmy Forsyth : If we share the Nexus reports on a community zoom bridge, can we then post the recording of that zoom session on the wiki?
06:23:31 From Kenny Paul (Linux Foundation) : technically, no
06:23:53 From Jimmy Forsyth : +1 Dan
06:24:18 From Kenny Paul (Linux Foundation) : I need to drop for the modeling meeting.
06:25:46 From Amy Zwarico : https://cve.mitre.org/cve/
06:26:05 From Amy Zwarico : https://nvd.nist.gov/vuln/search
06:31:27 From Michael Lando (SDC) : +1 for having the security wiki and all update there.
06:31:37 From Michael O'Brien(Amdocs,LOG) : +1 sounds good
06:32:51 From Shankar Narayanan : +1
06:37:05 From Sai Seshu : +1
06:43:32 From Chris Donley : There is no non-vulnerable version of Jackson, but there are secure ways to use it. That's what we need to be aware of.
06:58:24 From Gildas Lanilis : https://lf-onap.atlassian.net/wiki/display/DW/Vulnerability+Threat+Template