Versions Compared

Old Version 3

changes.mady.by.user Pawel Pawlak

Saved on

compared with

New Version 4

changes.mady.by.user Pawel Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SECCOM contribution to ONAP qualityincreaseappreciated!!!
  • THANK YOU for all the contributions.
    • Jira No
    		SummaryDescriptionStatusSolution

    		TSC meeting update



    		PTL meeting update



    		Angular experience on dependencies

    Jarred presented his development results on app dependency cluster graph.

    Slides presented :- please refer to thebottom of this page for a link.
     

    		startedTSC updateongoing

    Jira
    serverONAP Jira
    serverId425b2b0a-557c-3c0c-b515-579789cceedb
    keyOOM-2734

    DCAE update

    • Requirement to support by DCAE registry for HELM charts. Chartmuseum is maintained by Chart team.
    • 3 types of authentication supported.
    • Proposal is to restrict the client's list, once they have user names and passwords only ones who have to update/delete charts limits writing and access considerable just for those particular clients. → separate sidecar that can do client authentication
    • FW to be used to limit the access for reading to strictly ONAP applications.
    • mTLS could be a solution for read - Tony passed this idea to right people, mTLS would have to be supported on both sides (DCAE subproject and Chartmuseum). 
    • Would service Mesh simplify authentication?
    • More readers expected in the future for things in the repository
    		ongoingmTLS to be further elaborated


    ONAP release notes and dependencies

    Thomas was contacted. He is retrieving info via script about all the components. Output:

    View file
    nameonap_tables_210601.xlsx
    height150

    Dependencies between components or with external projects are not tracked here.

    		ongoingTo review the context of this request.

    		Feature template follow-upMuddasar had a meeting with Alla. Muddasar is preparing a slide deck to be presented at the TSC.ongoingSlides with the proposal to be presented at the TSC.

    		SonarCloud coverage for Jakarta releaseFocus on security vulnerabilities that have blocker or critical rank. In Sonar it is called hotspot.started

    [REQ-441]


    New Global Requirement [REQ-441] LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – PROPOSAL FOR JAKARTA

    		ongoingNext PTLs meeting on 18th of October - agenda

    		Kubernetes hardening

    Shared by Brian: https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/

    CubeCon next week, slack channel exists for Kubernetes security.

    		started

    Jakarta proposed dates

    Global Requirements/Best Practice deadline for submission: 2nd of December by SECCOM:

    • [REQ-xxx] SECURITY LOGS MANAGEMENT
    • [REQ-xxx] Feature intake template
    • [REQ-xxx] Using basic image from OOM
    • [REQ-xxx] Software BOMs
    		ongoingLast PTL meeting

    Portal and VID dependencies (i.e., portal, portal-sdk & vid repos):

    Portal -> SDC UI (user authentication) -> Other projects are dependent on SDC (e.g., CLAMP GUI)

    VID to be removed , portal SDK as well.

    Projects unmaintained shall have their repos excluded from scans.

    EoL/EoS nomenclature could be used, open source communities do not maintain older versions, but encouraging to use latest greatest.

    		ongoing

    SCA automation efforts

    		We are xploring automation capabilities for moving data from Nexus-IQ to Wiki.strated

    New Best practice for Jakarta release – new req to be open for Security logging

    Set of questions prepared by Bob, to be addressed.

    Sidecar for logging - to be further decided by TSC who is going to maintain it.

    		ongoingPTLs meeting to be used for collecting info on logging capabilities per project.Feature intake template

    Muddasar did not find prove of tracking the feature after its approval.

    		ongoing

    To reach out PTLs on what could be the best way to tackle Jira template.

    Muddasar will propose some initial template, contributions are welcome.

    Muddasar will also reach out Alla as a follow up, feedback from testers might be also valuable.


    		OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 12th OF OCTOBER'21. 




    ...