Please see the Minutes of Meeting and recording for the SECCOM meeting that was held on 19th of November 2019.

Jira No | Summary | Description | Status | Solution

Java release strategy

https://en.wikipedia.org/wiki/Java_version_history


Use only Long Term Support versions: v11 (and v17 in the future)


Java and Alpine upgrade for Frankfurt

-SECCOM requires that Java projects upgrade to Java 11 (Java SE 11.0.5) and Alpine 3.10.3 in Frankfurt

-PTL latest feedback (call on 18th of November)

  • Martial shared his container with Java 11.0.5 and Alpine 3.10.3
  • Pam proposed to synch with Integration Team - we will join their weekly call on Wednesday 2PM UTC and address:
  • Container management
  • OJSIs context (but Krzysztof will be not available), including scripts for http vs. https
  • Moving to a later version than Java 11 may cause problems for oparent, which specifies Java 11
  • Frankfurt version of oparent is 3.x (is it available on Nexus already?) and specifies Java 11
  • All projects in El Alto use oparent 2.x
  • Distinction between the Java runtime and the Java source code versions
  • Java runtime is backward compatible
  • Source code can be Java 8 or higher
  • Runtime can be Java 11
  • Java 11: Java SE 11.0.5

-SECCOM recommendation (modified)

  • Prebuilt images
  • CLAMP has created a Java 11 Docker image that can be used by other projects:
    https://gerrit.onap.org/r/c/clamp/+/91241/4/src/main/docker/backend/Dockerfile
  • Java 12 or 13 (both not recommended due to their short LCM)
  • SECCOM updated REQ-219 with the following
  • Required version of Java 11 JDK: Java SE 11.0.5
  • Requirement that shared libraries must run in JDK 11
  • Due to the end of support for Java 8, SECCOM recommends that all ONAP projects analyze, for their specific case, the impact of migrating from Java 8 to Java 11, the next long term support (LTS) version. In order to provide feasible requirements to the teams, we propose:
  • All projects SHOULD be migrated to Java 11 (Java SE 11.0.5) for the Frankfurt release
Python – Vijay proposed an image with version 3.7 and Alpine: https://hub.docker.com/_/python - to be further analyzed (Amy)

Password encryption

Passwords are encrypted before being put in OOM - effort to move more of them into secrets – and the private key must not be kept in the same place

  • Certificate, private key are on a shared volume
  • There should be no passwords in OOM, should use init config
  • Password and encryption key are both on the shared volume

Krzysztof, Jonathan, Samuli will discuss solutions and provide a recommendation

ONAP SECCOM and MSB synch call (15/11/19)

-OJSI review and explanation (Krzysztof)

  • #tags to be provided by Huabing

-CII Badging review (Tony) – feedback was already provided

SECCOM and CLI synch call proposed to Kanagaraj, but no answer so far…

Update 22/11/2019:

Meeting to be scheduled on Monday 25th of November.


Nexus-IQ vs. Whitesource

-Renan was asked again for a status update – feedback received that some effort is planned in the current week (W47); Jess confirmed her availability

-Dan completed his analysis of known vulnerabilities in CCSDK


Update 22/11/2019:

Meeting scheduled between Jess and Renan on Friday 22nd of November at noon.


initial PoC for OOM call for OOM common secrets (Krzysztof)

ONAP F2F in Prague – topic proposals (https://wiki.lfnetworking.org/display/LN/Call+for+ONAP+DDF+Topics+-+Prague+2020):

  • SECCOM F2F
  • Working session – testable VNF security requirements
  • Joint discussion with CNTT on security topics, such as security requirements
  • Status update OOM password removal
  • Status update ingress controller introduction
  • ISTIO common discussion
  • Communication matrix update – diagram and interactions from it

Remediating direct and transitive third party dependencies (topic for 19/11/19)

-PTL feedback

  • Determining the effective vs. ineffective status of vulnerabilities is extremely time consuming
  • Analysis of direct and transitive dependencies is time consuming
  • Determining the remediation action is difficult
  • NexusIQ does not provide this analysis directly

-Proposal for dependency remediation in Frankfurt

  • Require projects to upgrade their direct dependencies to the latest version of each package at M1
  • Considered industry best practice
  • Will not eliminate all vulnerabilities, but will reduce the number
  • KPI – number of packages upgraded
  • Edge cases
  • Projects with ODL dependencies



2019-11-19_SECCOM_week.mp4
