2021-02-23 Security Subcommittee Meeting Notes
- Paweł Pawlak
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 23rd of February 2021.
Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| SECCOM slides for Requirements Subcommittee | https://lf-onap.atlassian.net/wiki/display/DW/Template+to+be+fulfilled+per+each+requirement We booked next session on March 1st to present slide deck – confirmed with Alla | ongoing | Present slides on March 1st. |
| Whitesource scans of SPC vs. Nexus-IQ | Ticket was opened with Whitesource | ongoing | Whitesource will be contacted to follow-up the request on transitive dependency in their GUI. |
| UI from Morgan presentation | Repository with ONAP docker images: https://nexus3.onap.org
| ongoing | Info to be shared with Michal |
| Last PTL session update | -Exceptions for Python and Java upgrade 1 week by RC0 (March 5th) -Page for exceptions in Honolulu release :https://wiki.onap.org/x/8DyLBQ | ongoing |
|
| Logs management – follow up by Amy – container logging requirements review |  First discussion point based on VNF requirements for logging. Comment on container (OS layer) and container application (application layer) for logs collection. Comment on logging modifications in the container. | ongoing | Comments for logging requirements to be reviewed at the next SECCOM meeting. |
| ONAP MVP |  MVP (to support simple use cases):
| ongoing | To be presented with Fabian at the PTL's meeting on March 8th. |
| Trivy can results |  Not possible to compare results with Whitesource or Nexus-IQ. Trivy does not provide remedy version - to be elaborated by Fabian. To be elaborated on how to integrate Trivy with the CI and what to do with the findings. | ongoing | Remedy version to be elaborated by Fabian. |
| No use of base images | We need to review of who is using basic image and who is not. Once the list of projects not running basic image is known, we shall contact each concerned PTL to understand the rationale behind. | ongoing | We start with discovery phase and understanding rationale. List to be checked with Morgan and start with MVP and then exapnd to remaining projects. |
| How to create secure applications | Following last request from Chaker and discussion at the last PTLs meeting. Secure design should cover that. |
| Tony will start Wiki with the initial proposal and SECCOM will support by reviewing it and providing feedback. Toine from CPS to be addressed. |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 2nd OF MARCH'21. |
|
|
|
Recording:
SECCOM presentation:
