
Jira No | Summary | Description | Status | Solution

Last PTL's meeting (24th of August) update

Package upgrade and Java 11

  • Base image excluding GPL3

    • #ACTION: SECCOM to provide guidelines about where to document 'bash' or any other package required for the application to be added on top of the base image.
    • #ACTION: SECCOM to share on 8/24 the results of the Java 8.0 audit, also documented on REQ-351.

    REQ-350 - #ACTION: SECCOM to provide the list of projects that have not yet replied to this requirement in the comments of REQ-350, or to add the link to the dashboard.

  • Presentation from Amir Mohamad regarding implementation of REQ-323

Attachment: SDC_Vulnerable_Dependency_Upgrades.pdf

Status: ongoing
Sub-versions of Java 11 could be pushed to a future release (Honolulu) as a common version (11.0.8 as of today).


Guilin priorities

Automated security testing - to be checked for status.

Updates from Krzysztof would be appreciated.
Honolulu SECCOM SoW

Continue package upgrades in direct dependencies.

After Service Mesh PoC - new requirements might arrive.

Harbor requirement. In Harbor:

  • the image can be signed, and the key can be shared with an application that has an account to pull or push the image
  • the image can be scanned continuously, with warnings sent when an issue is found
  • Harbor is used at run time, while Whitesource and Nexus-IQ are used during development

Logs management:

  • common place for data - all applications should generate logs that can be collected by Kubernetes (target for the next release)
  • common format for data - a format for the minimum set of data that is useful (target for the next+1 release)

SIEM integration:

  • integration with the SIEM as for the other applications, using the same protocol
  • logs from ONAP to the SIEM; the falco tool to be considered (IDS for Kubernetes)
  • alarms when a security issue occurs

CII Badging - session planned on the PTLs call.

Status: ongoing

E-mail was sent to Fabian to clarify whether the logs sent from ONAP to the SIEM should cover ONAP logs only, xNF logs only, or both.

Status: ongoing

Jira is to be used to track requirements on top of the base image. Grouping of requirements is preferred. Dependencies might be tackled in different ways.

Tony has already uploaded it.

The latest version of jcraft.jsch, 0.1.55, has the same packages and class names as com.springsource.jcraft.jsch 0.1.41 (a very old package).

During next PTL meeting identify next projects.

Fabian will be off for the next 2 weeks - proxy to be identified.


TSC meeting outputs

No actions for SECCOM.

Long discussion on a repo creation and add.




Open Networking & Edge Summit North America 2020
September 28 & 29, 2020 (Virtual Event)




LFN Fall Technical Meetings October 13 - 15, 2020

Java v8 in ONAP - status update

We received the output of the script prepared by Pawel W. from Samsung. The list is pretty long:

Attachment: onap_frankfurt_java_20200813.txt

Migration process to be tracked.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 1st OF SEPTEMBER'20.

Topics proposed:

  • What is next for Honolulu in the context of Service Mesh PoC?
  • What is the impact of Service Mesh usage on runtime environment?



Recording

Attachment: 2020-08-25_SECCOM_week.mp4

SECCOM presentation

Attachment: 2020-08-25 ONAP Security Meeting - AgendaAndMinutes.pptx