2021-04-27 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 27th of April 2021.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | TSC meeting update | - Continuation of packages upgrades in direct dependencies; - Continuation of CII Badging score improvements for Silver level; - Logs management - phase 1: common place for data | done | Jira tickets per project to be created. |
| | NSA proposal follow-up | Meeting scheduled on May 3rd. | ongoing | All interested contributors are welcome to join this follow-up session. |
| | Questions for SonarCloud (slides 4 and 5) | Already shared with SonarCloud - waiting for feedback. | ongoing | To check with the SonarCloud representative (Sylvain) when feedback could be expected. |
| | New Jira tasks for Java and Python upgrades in Istanbul release | Were already created - a couple of projects claimed that they are already done. | ongoing | To check next test results. |
| | NEXUS-IQ container scanning | Scans of the containers show the same vulnerabilities as scans of the source code. Container scans give no indication of whether a dependency is transitive or direct, so PTLs lose information - an update of a transitive dependency might break the code! We would like to suppress all the results that are not in the code base. | ongoing | Sonatype to be contacted via Jess to check whether the ability to do this correlation exists or is planned. |
| IT-21675 | Jacoco integration with SonarCloud (info from Christophe) | As the Sonar team and the Jacoco team are still arguing about this topic on the forums, the target was reached using unit tests only (so this is not critical anymore). | ongoing | |
| | NEXUS-IQ - SCA analysis started for Istanbul release | DCAE made good progress - some repos are free of critical vulnerabilities. For some repos an upgrade is not enough as no remedy exists yet - to be documented properly. | ongoing | To complete SCA analysis by end of next week. |
| | Continuation of discussion on Fabian's comment on logging management | Logs management to be taken up to the Architecture Subcommittee, so beyond security. We do have a standard for what to do with logs, but it was not followed for a while. Container runtime requirement and entire virtualized requirement (all event types collected) - we mix those two. Log transfer needs to be secured. Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt) #MDC-InvocationID | ongoing | Fabian to present the most recent logging management architecture to the Architecture Subcommittee. Bob to elaborate on the link provided. |
| | Additional 2 resources from Orange to improve ONAP security | DMaaP PTL integrated the changes and an additional 8 new blocking points had to be fixed. Next step: work started on security for SO. This will rather be for Istanbul. | Done for DMaaP, ongoing for SO | |
| | OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 4th OF MAY'21. | When to start pushing a few other items in CII Badging or SonarCloud? To address it next week at the SECCOM. Review of the document (link) provided by Bob. | | |
Recording:
SECCOM presentation: