Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 8th of March 2022.

Jira No
SummaryDescriptionStatusSolution

Synch with ONAP documentation - Thomas

Release Notes organization:

Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO, VNFSDK.

https://docs.onap.org/en/latest/release/index.html#istanbul-maintenance-release-9-0-1

  • Where to place info about transitive dependencies (composite/project/repo release notes) – both composite and per project/functional element
  • The level of detail for this info – just an information about remaining transitive dependency and under bug fixes info on fixing log4j by upgrading relevant repo component.
  • The author for this info - Amy
  • How to communicate it to the projects – with jira’s ticket created per transitive dependency for log4j

Projects/functional repos with transitive dependencies for log4j:

  • onap-aai-aai-common
  • onap-aai-babel
  • onap-aai-resources
  • onap-aai-schema-service
  • onap-aai-traversal
  • onap-ccsdk-apps
  • onap-ccsdk-cds
  • onap-ccsdk-distribution
  • onap-ccsdk-features
  • onap-ccsdk-parent
  • onap-ccsdk-sli
  • onap-dcaegen2-services-mapper
  • onap-dmaap-messagerouter-messageservice
  • onap-multicloud-framework-artifactbroker
  • onap-sdnc-apps
  • onap-so
  • onap-vnfsdk-refrepo
  • onap-vnfsdk-validation
ongoing

Tickets to be open by Pawel for remaining transitive dependencies on per relevant project basis:



Security Logging Presentation to Akraino TSC - Bob

Logging today at 1500 UTC.  Here is the meeting info if you would like to join.

https://wiki.akraino.org/display/AK/TSC+2022-03-08+%28Tuesday%29+7%3A00+am+Pacific

ongoing

ONAP Security Review Questionnaire template first cut – Tony

https://wiki.onap.org/display/DW/ONAP+Security+Reviews
https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template

We want to start simple and small.

Time it takes to document vulnerabilities and time it takes to resolve it. Assurance section might be expanded.

ongoingSECCOM members to review proposed draft and further discuss next week.

Packages upgrades for JakartaAs of today the project teams have upgraded 103 of 299 identified vulnerable direct dependencies for the release (~34%).
Ask TSC to have focus on security by sending an e-mail to TSC and discuss this issue on Thursday.

Time shift in US on 13th March and in EU on 27th March.Please check if the meeting invitations are displayed accordingly.


Quality gatesNo update. Meeting with Seshu to be done.


Issue with Wiki creation by TonyTicket to be created to solve the issue
Ticket to be created to solve the issue






SECCOM MEETING CALL WILL BE HELD ON 15th OF MARCH'22. 

Quality gates for code quality improvements - continuation of the discussion.

5Y review criteria.





Recording: 


SECCOM presentation: