Please find below the minutes of meeting and the recording for the SECCOM meeting held on the 1st of February 2022.

Action items (columns: Jira No / Summary / Description / Status / Solution)

Summary: TSC update
Description: Conditional approval of Jakarta M2. Documented process: ONAP Vulnerability Management.




Summary: Process for the security review question covering the period of the last 5 years
Description:
  • Scope to be proposed by Tony and Muddasar (with wider E2E coverage).
  • Tony provided the OpenSSF Badge security review topics (see meeting deck) and an email with the list of secure design principles from Saltzer and Schroeder.
  • NIST proposal that needs to be reviewed: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final
Status: started
Solution: Next discussion in a 2-week time frame. Pawel to recheck with Catherine for her feedback.








Jira No: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423
Summary: Log4j upgrade
Description:
Target version 2.17.1: https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1

Following tickets opened:

  • AAI-3431 - AAI status (4 components with log4j) COMPLETE
    • aai-graph-admin, aai-resources, aai-traversal, aai-common: log4j < 2.17.1, direct dependencies updated
  • DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE
    • dmaap-messagerouter-messageservice: log4j < 2.17.1, direct dependencies updated
  • SDNC-1655 - SDNC status (1 component with log4j)
    • sdnc-oam: log4j 1.2.17, direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591) – “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased the priority to high and added the fixed version: Istanbul Maintenance release, plus a comment under the ticket on the need to migrate to log4j-core 2.17.1.
  • VNFSDK-827 - VNFSDK status (1 component with log4j)
    • vnfsdk-ves-agent: no scans for the Istanbul branch -> as per Kanagaraj’s email sent on the 24th of August, he mentioned that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.
  • Restricted Wiki for the Istanbul Maintenance release created
  • CVE creation: not needed; we will simply document in the Release Notes the repos that were impacted and fixed (direct dependencies) and document the transitive dependencies. A CVE is raised for a vulnerability discovered in the code itself.
  • ONAP CVEs opened so far: https://docs.onap.org/projects/onap-osa/en/latest/osalist.html
  • Meeting deck includes the vulnerable log4j findings from the Trivy, Kubescape and NexusIQ scans
Status: ongoing
Solution: To check with Jess the statuses of the tickets that were recently closed. CLM scans for each project to be done by the 4th of February.
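An added check, example code that is not from the minutes or any ONAP repository: it scans a Maven dependency tree for Log4j artifacts below the 2.17.1 target and separates direct from transitive dependencies, the distinction the Release Notes documentation above relies on; the tree text and artifact names are constructed, and log4j 1.x is flagged for migration to log4j2 as the SDNC ticket describes.

```python
"""Flag Log4j artifacts below the 2.17.1 target in `mvn dependency:tree` output.
Added example; the sample tree below is constructed, not real ONAP output."""
import re

TARGET = (2, 17, 1)  # target version named in the minutes

# Constructed sample in `mvn dependency:tree` format (hypothetical artifacts).
SAMPLE_TREE = """\
[INFO] org.example:demo-service:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.example:demo-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

# prefix = the tree-drawing characters before the group:artifact:type:version[:scope]
LINE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>[|+\\\s-]*)(?P<gav>\S+)$")


def parse_version(text):
    """Turn '2.17.1' into (2, 17, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def find_log4j_findings(tree_text):
    """Return (artifact, version, 'direct'|'transitive', verdict) per Log4j entry."""
    findings = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        group, artifact, _type, version = m.group("gav").split(":")[:4]
        if group not in ("org.apache.logging.log4j", "log4j"):
            continue
        # Direct dependencies hang off the root with a 3-char prefix ("+- " or "\- ");
        # anything nested under another artifact has a longer prefix.
        kind = "direct" if len(m.group("prefix")) <= 3 else "transitive"
        if group == "log4j":
            verdict = "log4j 1.x: end of life, migrate to log4j2"
        elif parse_version(version) < TARGET:
            verdict = "below 2.17.1, upgrade"
        else:
            verdict = "ok"
        findings.append((artifact, version, kind, verdict))
    return findings


if __name__ == "__main__":
    for row in find_log4j_findings(SAMPLE_TREE):
        print("%-10s %-8s %-10s %s" % row)
```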


Summary: SBOM creation
Description: Jess created a ticket; it is in progress, but Jess is now occupied with a Nexus3 issue.
Status: ongoing

Summary: Security logging next steps
Description:
  • Bob presented a phased approach for security logging, which was consulted with the SECCOM team (ONAP Security Event Management).
  • Meeting time blocked for recurring logging calls on Fridays at 3 PM UTC. Email Amy Zwarico or the SECCOM mailing list to be added to the invitation.
Status: ongoing
Solution: Meeting on Friday at 3 PM UTC to be organized by Amy as a working group session with Fiachra, Toine and Sylvain.

Summary: ONAP quality gates
Description: Quality assessment mainly for the submitted code (= delta)
  • Integrate tests with CPS
  • SO PoC
Status: no update
Solution: Waiting for feedback from Seshu.


SECCOM MEETING CALL WILL BE HELD ON 15th OF FEBRUARY'22. 

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - status update with DCAE.




Recording: 

audio1897499737.m4a
video1897499737.mp4


SECCOM presentation: