Page History

SBOM Types & Minimum Requirements for VEX Documents - shared by Muddasar

Improvements in SBOMs and sharing info on vulnerabilities.

The Types of SBOM document summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM. As software goes from planning to source to build to deployed and used, tools may be able to detect subtle differences in the underlying components. These types will allow for better differentiation of tools and in the broader marketplace.

The Minimum Requirements for VEX document specifies the minimum elements to create a VEX document. This will allow interoperability between different implementations and data formats of VEX. It will also help promote integration of VEX into novel and existing security tools. This document also specifies some optional VEX elements.

Today ONAP supports pull method for SBOM.

Idea of submitting presentation proposal for DTF virtual event on CPS road to gold with Tony’s contribution (few additional slides on why CPS could not get to gold and what are the missing pieces in the infrastructure).

Main blocker: lack of second verification - 2FA is missing at the LF IT infra.

First priority to get it supported for committers (MFA at the gerrit level), other group with lower priority are code submitters (MFA at the git level).

2FA is missing at the LF IT infra – Amy to share with TAC.

To be checked if gerrit supports MFA.

Tony could present this issue to TSC (next week?)

Pawel to share with Lee Anjella the proposal for a joint presentation. 

LFX Security Dashboard

https://security.lfx.linuxfoundation.org/

Amy

link

We wait till M4 for TSC presentation.

PTL meeting (April 24th)

Liam will provide his feedback on Policy interest to participate in Security Questionnaire for next project

had a meeting with Jess. 

-LFX is a security framework - open for different pipelines, no dictated tools, and absolutely no integration with LF purchased/licensed products: Nexus-iq or Sonarcloud.

-VEX and SBOM under exchanges

Marek was able to initiate latest run of scans.

Results are progressing, cassandra and zk-tunnel-svc to be further elaborated.

PTL meeting (May 8th)

Liam confirmed interest in questionnaire review

Discussion on Java 17 recommendation impact and dependency with other upgrades (Spring 6 and Springboot 3). Database, Java, Python, Docker, Kubernetes, and Image Versions

TSC meeting (May 4th)

Final list of unmaintained by Amy presented to TSC.

If there is no PTL, tickets shall be assigned to Pawel as TSC Chair who could reassigned further.

Existing Global requirements

-Epic REQ-437: COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)

• Montreal Task: TBC
• OOM-2900 - Update or Remove Python 2

-Epic REQ-438: COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)

• Montreal : TBC
• OOM-2554 - Common pods have java 8

-Epic REQ-439: CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES

• Montreal Task: TBC

-Epic REQ-443: CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL

• Montreal Task: TBC

-Logging for Java

• Montreal Task: TBC

• New Best Practice requirements

Bob to share Jira as a reference.

JIRA ticket for the security logging for Java containers.

https://jira.onap.org/browse/REQ-1072

TSC meeting (April 20th)

SECCOM MEETING CALL WILL BE HELD ON 16th May 2023. 

SBOM Types & Minimum Requirements for VEX Documents