...
| Jira No | Summary | Description | Status | Solution | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Last TSC meeting | Test criteria for Istanbul Release – deck prepared by Eric and Andreas | ongoing | Seccom criteria for the integration tests to pass a release |
| ongoing | To be presented at the TSC meeting | ||||
| Last PTLs meeting | https://logs.onap.org/onap-integration/ dailydaily150227/ For the security testing we score at 40% as of today - our target is to add java and python version testing ar reach 100% to release. | ongoing | Waiting for a list of project not participating in Istanbul release. | ONAP Security Exception Process Security related integration issues will be collected under an Epic filed in the INT Jira project. For Istanbul, the Tern results in integration test will be informational and not gating. Need to consult with TSC to make results blocking for future releases. Must complete exception filing by M3, using the protocol described in the link above. | ongoing | AWX and CDS to be identified as part of ONAP project - done it is part of CCSDK. | ||||
| ESR Waiver | Most probably ESR will be exluded from ONAP | ESR Waiver | Currently 3 use cases are using ESR:
| ongoing | CCVPN Final check to be check done by Byung if they will use AAI. note: Henry Yu from CCVPN confirmed they can use the direct AAI APIs for Istanbul. Also, I am checking with Kamel Idir for the Network Slicing case. Last time, he said they could use the direct AAI, but I am waiting for his confirmation for Istanbul. ETSI alignment already uses the direct AAI APIs | |||||
Updated Seccom criteria for the integration tests to pass a release |
| ongoing | To be presented at the TSC meeting | |||||||
Software BOMs, Hardware BOMs - Muddasar Presentation: | ongoing | Feedback for Muddasar's presentation is welcome. Muddasar is thinking of how the date can be collected, where should be stored and how could be shared. Next week presentation might be provided by Muddasar. | ongoing | What is the query mechanism? (during onboarding process presentation of manifesto BOM file or during query of EM or VIM from ONAP and get that information from VIMs. | ||||||
| Dependency confusion attacks vs. ONAP SW build process | Packages are downloaded from Internet for ONAP. To be further elaborated with Bob and Samuli. | ongoing | Samuli sent an e-mail to SECCOM distribution list but as no specific feedback received so far, he will send it ot ONAP discuss. Interesting framework by Google: SLSA: Supply-chain Levels for Software Artifacts https://slsa.dev/ https://wiki.onap.org/display/DW/Developing+ONAP Bob created a dependency security wiki snip for Samuli's and his investigation on this topic. Dependency Security | ongoing | Jess to be contacted for CI chain and Nexus for Bob's question. Services term to be modified into Services (xNF, xApps) Plans to be presented to Architecture Subcommittee E-mail to be sent to SECCOM distribution list/ONAP distribute. | |||||
Update from LFN | (IT-22333by Pawel, and IT-22334by Thierry)
| ongoing | ||||||||
| Code quality and SonarCloud | Achievements to be presented to TSC:
Risk Acceptance statement by TSC. We have a resource shortage to address security concerns for % value of code coverage (as a minimum 55% in the past). | ongoing | Pawel and Fabian to present progress and achievements to TSC on August 12th in this domain. | |||||||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF AUGUST'21. | SBOM/HBOM continuation. |
August 12thRecordingRecording:
| View file | ||||
|---|---|---|---|---|
|
...