Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of September 2021.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| M3 update | Java upgrades - good progress. Python upgrades good progress as well. Packages upgrades - very good progress - 16 tickets closed already - vulnerabilities removed: 679/776 (based on tickets). Still some pprojects that did some upgrades but no update on the restricted Wiki. New Sonatype function to filter direct vs. transitive dependencies. Weak cryptography and injection items - excellent progress. There are still few there open (projects no longer maintained - e.g. Portal). For Jakarta, few other items that SonarCloud highlights - Jira tickets to be written for those (blocking and critical). | ongoing | To be checked if we have waivers for all remaining ticktets. PTLs meeting shall address the gaps on the restricted Wiki. Projects with open status on their Jira tickets to be elaborated. Will Portal be excluded from ONAP future releases? - Byung to investigate. | |
| Software BOMs | Documentation review - nexus account manager contacted. It is part of Nexus product lifecycle licence (cyclone DX format). APIs for info extraction to be checked. Access to Nexus-IQ server - what group shall be used for that - REST API calls are possible now - will be used for SW BOMs. | ongoing | ||
| Logging requirements | Almost 50% of the metadata fields defined - good progress. In some of the GitHub repos md (markdown) files with good description for logging - SO is a good example. | ongoing | ||
| Dependency confusion attacks vs. ONAP SW build process | Bob had exchanges with Jess on filtering rules and dependencies management software. | on hold | To be further elaborated with Samuli. | |
| Security Risk Assessment and Acceptance | Excel table that was initially prepared 3 years ago to be shared and reviewed at the next SECCOM, frameworks to be reviewed as well (MIST and ISO). | ongoing | ||
| Feature request template | Alla leading ONAP Requirements Subcommittee to be contacted to provide details. | ongoing | Muddasar to be introduced to Alla by Pawel. | |
| Last TSC meeting |
| ongoing | ||
| Code quality update | Status to be checked, there were some exchanges with Thierry and Jess. | ongoing | Slide to be presented to next PTLs meeting. | |
| Last PTLs meeting | Meeting was cancelled (Labor day in US) | ongoing | slot to be booked for the next PTLs meeting. | |
| CADI and AAF replacement | DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee. | ongoing | Byung to present update for the next SECCOM | |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF SEPTEMBER'21. | M3 update - waivers review Software BOMs Logging requirements update Security Risk Assessment and Acceptance – review frameworks and old excel file Dependency confusion attacks vs. ONAP SW build process - synch with Samuli Code quality update CADI and AAF replacement |
Recording:
SECCOM presentation: