
Action: to work on non-functional use case requirement for logs collection - important for project maturity.

Jira No | Summary | Description | Status | Solution

Last PTL's meeting (17th of August) update
  • Base image excluding GPL3

    • #ACTION: SECCOM to provide guidelines about where to document 'bash' or any other package required for the application to be added on top of the base image.
    • #ACTION: SECCOM to share on 8/24 results of Java 8.0 Audit, also documented on REQ-351

    REQ-350 - #ACTION: SECCOM - provide the list of projects that did not reply yet to this requirement to the comment of REQ-350 or add the link of the dashboard.

  • Presentation from Amir Mohamad regarding implementation of REQ-323

Attachment: SDC_Vulnerable_Dependency_Upgrades.pdf

M2/M3 status update
SECCOM non-functional requirements - all projects passed M2/M3 gate.

NEXUS-IQ SCA demo for Fabian
Demo with NEXUS-IQ executed. Waiting for Harbor feedback once established.

Last PTL's meeting (10th of August) update
Action to join
  • only run time focus
      • SO weekly meeting was joined by Fabian and Pawel (Wednesday 1:30 UTC)
    https://zoom.us/j/794508490

    -REQ-350 CII Badging - Tony

    • Tony updated description part
    • List of the projects who have not responded yet 


    ongoing



    Jira to be used to track requirements on top of base image. Grouping of requirements is preferred. Dependencies might be tackled in different ways.

    Tony already uploaded






    The latest version of Jcraft.jsch 0.1.55 has the same packages and class names as com.springsource.jcraft.jsch 0.1.41 (very old package)

    ongoing


    During next PTL meeting identify next projects.

    Fabian will be off for the next 2 weeks - proxy to be identified.



    TSC meeting outputs 

    Most of the meeting was focussed on tracking M2/M3 status.

    Amy has an action item on how many projects are still dependent on Java 8.

    Removal of GPLv3 license - to be removed from all containers that contain ONAP code.

    SECCOM elections

    Waiting for Kenny to start election process 

    ongoing

    Honolulu SECCOM requirements

    Reminder from the previous discussion:

    After Service Mesh PoC - new requirements might arrive.

    Harbor requirement. In Harbor:

    • you can sign the image and you can share the key with an application that has an account to pull or to push the image
    • possibility to scan the image all the time and send warning

    Harbor deployed in run time while Whitesource and Nexus-IQ during the development. 

    Logs management (SECCOM discussion on 17th of March)

    SIEM integration: 

    • integration with SIEM as for the other applications, using the same protocol
    • logs from ONAP to SIEM, falco tool to be considered (IDS for Kubernetes)
    • alarms when security issue 

    CII Badging - session planned on the PTLs call.

    Service Mesh update

    Fabian is working on authorization of how to deploy and manage connectivity between the apps.

    Java v8

    Data collection for projects currently using Java 8 - e-mail was sent by Amy to Morgan asking whether it is possible to obtain results.

    Dependency on Java to be tracked. 

    Waiting for feedback.

    Package upgrade update to PTL meeting

    As Pierre will not be available, Amir could present to PTLs.

    No actions for SECCOM.

    Long discussion on a repo creation and add.




    Open Networking & Edge Summit North America 2020
    September 28 & 29, 2020 (Virtual Event)




    LFN Fall Technical Meetings October 13 - 15, 2020


    Java v8 in ONAP - status update

    We received output of the script prepared by Pawel W. from Samsung. List is pretty long:

    Attachment: onap_frankfurt_java_20200813.txt


    Migration process to be tracked.


    OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 25th OF AUGUST'20.

    Topics proposed:

    • Certificates management update – Krzysztof
    • Security Documentation – Harald


    • What is next for Honolulu in the context of Service Mesh PoC?
    • What is the impact of Service Mesh usage on runtime environment?



    Recording

    Attachment: 2020-08-18_SECCOM_week.mp4

    SECCOM presentation

    Attachment: 2020-08-18 ONAP Security Meeting - AgendaAndMinutes.pptx