Please find below the Minutes of Meeting and recording for the SECCOM meeting held on 29th of June 2021.

Jira No | Summary | Description | Status | Solution

DCAE plans for Istanbul with regards to Security/global requirements – Vijay

First feedback from SECCOM:

org.apache.tomcat.embed : tomcat-embed-core : although the latest release from the 9.x train is 9.0.48, there might be a licensing issue with it, so please consider 9.0.46.

Slide deck presented by Vijay:

The regular exception process will be used; Vijay provided a detailed explanation of the scan findings behind it.

For dcaegen2-platform-inventory-api and dcaegen2-platform-servicechange-handler, whose architecture changes with deployment via HELM, the Honolulu versions of those components will be used in Istanbul and finally retired in Jakarta.

In the SCA we scan repos, not containers.

For Java and Python we run container scans.

In Orange labs (but not in other labs such as Windriver) one component is failing on resource limits; an exception might be required. https://gerrit.onap.org/r/c/oom/+/122079/9/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml

An internal ONAP HELM registry with fine-grained authorization, supported by Chartmuseum, will be explored for the next release depending on other projects' integration scope:

https://gerrit.onap.org/r/c/oom/+/121693

Status: ongoing

Solution:

Vijay to update Jira tickets with comments on exception request justifications.

SECCOM to include 2 additional repos with microservices in the SCA analysis output - done.

To be further discussed:

Software BOMs - Muddasar

The atomic level to be explored for ONAP - major ONAP modules, OSes, DBs etc. - and how to move on with the upgrade. What should be the smallest unit of tracking for a software upgrade? Track it to the level where the operator may take action.

Source of details:

https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-06/28_21-34/security/tern/index.html

We should be able to look into the individual software components that form the package.

Tony will search for a reference from CII Badging for the SBOM format.

Status: ongoing

Solution: To be further discussed.

Jenkins, Gerrit and Sonar

Following the meeting held last week, 2 tickets were opened with LFN IT support:

  • IT-22333 for using Confluence as a web server.
  • IT-22334 to describe the Sonar Jenkins template improvement.

Status: ongoing

Last TSC meeting update

Critical Jira issue - explained to the TSC by Tony.

Status: ongoing

PTLs meeting update

Status: ongoing



OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 6th OF JULY'21.
  • Feedback on Byung's AAF Service Mesh proposal - Al Laing
  • Next steps for Infrastructure Logging Requirements – Bob
  • Software BOMs - Muddasar


Recording:

SECCOM presentation:


1 Comment

  1. Muddasar Ahmed, Pawel Pawlak, Chaker Al-Hakim, considering software package version checking, I think the docker image version could be a candidate for the atomic level version. Information from POM.xml could be too much detail for the operators. I will give more thought on this, and let's discuss more next week or so. If I misunderstood your request, could you please elaborate on it? Thanks.