2022-10-25 Security Subcommittee Meeting Notes

Unmaintained meeting update

-Connecting images to repos is nested within the JJBs

-Options: (1) use tagging to connect images to repos, (2) POM files have container names, (3) multi-image repos have info in JJB, (4) use logs of jenkins build jobs

-Repo Tagging: https://help.sonatype.com/repomanager3/nexus-repository-administration/tagging

Jessica will attend the 31 October Unmaintained Repo meeting

Where SBOMs are not produced, troubleshooting needs to be done by LF IT and SECCOM.

Jiras per projects to be issued by Muddasar. IF PTL exists, it would be assigned to him/her, otherwise to LF IT (Jess?).

-Python PoC, PTL to be targeted, internal resource available, library to be prepared

-Update on presentation to PTLs

-Recommendation from Vijay – work with Integration team

-GR for Java – pushback from PTLs

• Projects using Logging or EELF have the mandatory fields: normalize naming, can ingest log format within fluentbit parser and normalize names
• CPS logback pattern can normalize field names
• Link for logging fields: https://wiki.onap.org/display/DW/Jakarta+Best+Practice+Proposal+for+Standardized+Logging+Fields

-Decision: proceed with java GR for London

-DCAE - ONAP Security Review Questionnaire Template

-SECCOM next steps: define a scoring methodology

• Registration Open
• Nov. 17 & 18 2022 Seattle, WA, USA, In Person
• Proposed submissions
  • [Plenary/ONAP] Productization of Assured Opensource Software
  • [Day 1 – Plenary] SBOM implementation and challenges in ONAP
  • [Day 2 – ONAP] London security requirements, ONAP architecture update, ONAP ServiceMesh

SECCOM MEETING CALL WILL BE HELD ON 1st OF November'22.