Please see the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of December 2019.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| Oparent.pom update | To ensure that Oparent.pom file has the latest references to available versions of components. | Amy updated Oparent.pom file with the latest and greatest versions available in the last week. | Warning: Jackson-mapper-asl - functionality moved to Jackson-databind with the latest version 2.10.0. For Guilin release Jackson-mapper-asl will be fully removed. | |
| VNF security requirements | Leftovers from El Alto to be collected. Special focus on ensuring that the language is clear and definition allows for an automatic tests - fitting OVP process. | 2 tickets were created from last week's call. Dealine before early spring. | We focus on testable requirements. | |
| OOM password generation update | Passwords in ONAP should be randomly generated but it generates issues related to update of components. That is an alternative idea is considered - person deploying ONAP must provide master password- based on HMAC. If we provide the same password for deployments, the passwords generated inside ONAP will gonna be the same. For upgrade with Master passrod, ONAP passwords will not change. | Change of password done with a reliable way. | Consequences of using m,aster password - if it is compromised . See Master Password attached file. | |
CII Badging update – Tony | To discuss with David McBride his role in supporting CII Badging | David to be invited for the next SECCOM meeting | E-mail was sent to David. David confirm his availability on 17th of December. | |
| ONAP access management - Natacha | User has an access to all services which is not ok | All ONAP components should implement fine grained authorization. Service Mesh POC could be a solution to further investigate, amount of work with AAF could be high as an alternative. Common session during DDF in Prague should be organized to address what do we want from service mesh to be solved and what are our short term plans.. | ||
remediating known vulnerabilities in third party packages - Amy | Upgrading direct dependencies to the latest greatest versions | We need to have Jira tickets opened for direct dependencies. at M2 and to be completed by M4. If not exception asked to TSC. | ||
| Topics identified for next week's SECCOM agenda |
|