Page History

Orange team is allowed to participate in the zoom meetings but not to lead them (it woud require installation of zoom client.

Amy made w Wiki with Morgan shared following feedback:. 

Some the part of docker tests need to be part of Jenkins jobs. It might be thta we will be responsible for the scripts and OOM team to get it into the place (intehrated into the Jenkins build). 

Sylvain is acting PTL in OOM.

For the only HTTP port exposed - action Amy – to contact PTL Bharath. - no OJSI ticket assigned as it should have appeared after our scans or component was not responding at the scanning moment. No value to open an additional tickets. MUSIC team should either: remove http, switch to https or ask for a waiver with justification.

• SECCOM Guilin security requirements update - Paweł
• Holistic view of ONAP security – Krzysztof/Amy
  • Access control
  • Storing permission
  • Hardening
  • Logging 
  • Gaps identified
• Akraino reference for security documentation - Amy
• CNTT alignment meeting – to be consulted with Samuli
• Service Mesh – analysis and then with Architecture Subcommittee - Krzysztof
• Logs management evolution in ONAP - Pawel
• VNF security requirements - Amy
• Package upgrade strategy – Amy/Pawel
• Communication matrix - Natacha
• Password removal continued and no hardcoded passwords for a new code - Krzysztof
• NEW: CMPv2 in Guilin release – Pawel B

We should come back to Architecture Subcommittee with a proposal for Service Mesh and once approved we should apprach TSC for a recommendation.

PTLs meeting (held on April 13th) update:

-CLI closed 3 http ports and one of the CVEs and running as root

-A&AI should Close 15 issues

-AAF – still one issue open

-Optimization – 1 running as root – under fix - submitted

-MUSIC – https port exposed – delivered 

-Code coverage – 5 exceptions not reaching 55% (all with waiver granted: AAF no resouces for side car, Policy engine will be excluded next release, OOF – no resources)

-API documentation presentation by Andy Mayer

Proposal for upgrading vulnerable outdated packages in Guilin:

-Guilin Package Updates – each project has its restricted access Wiki where ppt was uploaded with all recommended upgrades, importance of tracking progress, some new PTLs must have an access granted! (action on Kenny?)

-SECCOM-265 – each project will have a jira ticket created with link to the Wiki – when is the deadline for Guilin requriements?

-JIRA report for PTLs regarding OJSIs outstanding SECCOM issues - shall emulator be whitelisted? Exceptional waiver to be granted. In long term all simulators must be fixed. If ports are not closed or moved to https, in Guilin release project will not get SECCOM waiver (as it can be granted only for 1 release!). 

To approach David to check who would open Jira tickets per project for package upgrades.Communication of this policy should be done to ONAP community.

David proposed to descope this requirement.

Progress is minor but SECCOM porposes to keep this requirement as in scope.

Amy will present relevant tests to next Integration team meeting on Wednesday.

Proposed tests: Integration and Built Tests For Releases

To check with OOM team whether Integration or SECCOM should do adding new Jenkins jobs for CIS tests - it should be a part of OOM verify job - those tests should be ran if container changes or even all the time.

Service Mesh risk analysis – meeting summary available here

Service mesh requirements from security perspective followed by risk analysis. Review with Chaker