2023-01-17 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 17th of January 2023.

Jira No

Summary

Description

Status

Solution




Logging security discussion 

Follow-up by Byung:

After the meeting, Justin shared his script and mentioned a node-level Fluentbit deployment (a different namespace with a different privilege level).

Adrien is working on node-level logging.

ongoing

Andrew from Byung's team will check the feasibility of pod-level logging.

Conclusion expected next week.





Security issues raised by External researchers

  • IT-24999 Security Issue - Sensitive information leakage – Fiachra was contacted, waiting for his feedback

  • IT-25000 vulnerability detected (DMARC RECORD MISSING) – feedback shared with researcher

ongoing





Unmaintained projects

Repos without a merge in the last year have been identified. Merges by Thomas and Cedric are to be excluded.

ongoing

List to be reviewed at the next PTL meeting on Jan 23rd.



Security review questionnaire

The CPS team has mostly completed their security review. Tony will be scheduling a meeting with them to answer a few questions.

ongoing

Tony to provide an update to SECCOM next week.



TSC meeting (12th January)

  • Summary from meeting held on January 11th with OSC (Martin Skorupski)

  • ODL feedback on projects without PTL and new idea of special squad team from Lukasz

  • China Mobile feedback for ONAP







PTL meeting (16th January)

Cancelled due to a day off in the US.







London recommended versions

https://lf-onap.atlassian.net/wiki/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions







Latest weekly scans

https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2022-11/28_09-30/security/versions/versions.html







Tickets for Global Requirements

-Epic REQ-437: COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)

-Epic REQ-438: COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)

ongoing

Waiting for feedback from Andreas.



SECCOM MEETING CALL WILL BE HELD ON January 24th 2023. 

Node vs. pod level logging update by Byung.

CPS Security review questionnaire by Tony.









Recordings: 

2023-01-17_SECCOM_week.mp4



SECCOM presentation:

2023-01-17 ONAP Security Meeting - AgendaAndMinutes.pptx