Table columns: Jira No | Summary | Description | Status | Solution

Log4j upgrade

Log4j 2.17.1 was released. It provides a fix for CVE-2021-44832: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

Attachment: 2022-01-04 ONAP Security Subcommittee recommendation log4j issue v5.pptx

Status: ongoing

For tracking purposes, dedicated Jira tickets are to be opened per project and for both releases.

Jira: https://jira.onap.org/browse/INT-2039

Limit number of images

Images lifecycle management - need to limit the number of images. Need to keep Istanbul scanning (different from what is in Master).

Status: ongoing

Centos usage

Used by Postgres with version 8 - we are targeting version 8 stream.

Unmaintained projects

Meeting done last Monday - to be continued on Thursday (DOC) meeting.

Jakarta SCA analysis

New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation

Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426

Update recommendations for log4j to 2.17.

Post log4j info on the ONAP security Wiki.

TSC meeting update
  • Log4j Istanbul maintenance release
  • Steve Winslow left LFN
  • Steve's move: impact on Tony for CII Badging?

PTL meeting update
  • log4j update
  • SBOMs

Muddasar sent an e-mail to Vijay and Toine.

Status: ongoing

Quality gates

Fabian will have a meeting with Seshu for SO. Next update in January.

Status: ongoing

Kubescape and Trivy scans

https://hub.armo.cloud/docs/c-0009 : the limitation applies to the pod and not to the cron job.

Issue with containerd - not possible to get information on CVEs. Compatibility only with dockerd and Podman. Fabian opened the ticket at Trivy.

ThreadFix removes duplication of findings from different sources.

Status: ongoing

Fabian will have a meeting with Kubescape.

Brian to share info on their JFrog for image scanning.

SECCOM presentations for the incoming DDF DTF (January).

SECCOM topics and overall agenda proposal:

Interproject proposals:
      • SBOMs ONAP story – Muddasar/Pawel topic
      • Monday, 10th of January, 2:30 UTC

Status: ongoing

SECCOM MEETING CALL WILL BE HELD ON 18th OF JANUARY'22.

Review - SECCOM presentations for DDF events.

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?


Recording: 2022-01-04_SECCOM_week.mp4

SECCOM presentation: 2022-01-04 ONAP Security Meeting - AgendaAndMinutes.pptx