Jira No | Summary | Description | Status | Solution

Summary: Synch with ONAP documentation - Thomas
Description:
  Release Notes organization:
  Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO, VNFSDK.
  https://docs.onap.org/en/latest/release/index.html#istanbul-maintenance-release-9-0-1
  • Where to place info about transitive dependencies (composite/project/repo release notes) – both composite and per project/functional element
  • The level of detail for this info – just information about the remaining transitive dependency and, under bug fixes, info on fixing log4j by upgrading the relevant repo component
  • The author for this info - Amy
  • How to communicate it to the projects – with a Jira ticket created per transitive dependency for log4j
  Projects/functional repos with transitive dependencies for log4j:
  • onap-aai-aai-common
  • onap-aai-babel
  • onap-aai-resources
  • onap-aai-schema-service
  • onap-aai-traversal
  • onap-ccsdk-apps
  • onap-ccsdk-cds
  • onap-ccsdk-distribution
  • onap-ccsdk-features
  • onap-ccsdk-parent
  • onap-ccsdk-sli
  • onap-dcaegen2-services-mapper
  • onap-dmaap-messagerouter-messageservice
  • onap-multicloud-framework-artifactbroker
  • onap-sdnc-apps
  • onap-so
  • onap-vnfsdk-refrepo
  • onap-vnfsdk-validation
Status: ongoing
Solution: Tickets to be opened by Pawel for the remaining transitive dependencies, on a per-project basis:

Summary: ONAP Security logging PoC requirements - Byung
Description:
  https://lists.onap.org/g/onap-requirements-sub/viewevent?eventid=1437425&calstart=2022-02-28
  Presentation available at the bottom of this page. Security Logging Requirements were presented to the Use Case Subcommittee.
  Toine agreed to be a project for a PoC.
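The minutes above separate log4j found in direct dependencies (fixed in the project's own build file) from log4j pulled in through transitive dependencies (fixed only by upgrading the component that brings it in), and call for one ticket per remaining transitive dependency. The following is an added example, not ONAP tooling or code from this page, of how that distinction can be made mechanically: it parses the text printed by `mvn dependency:tree` (Maven is assumed as the build tool), classifies each log4j artifact as direct or transitive by its depth in the tree, records the chain of dependencies that introduced it, and produces one ticket title per transitive occurrence. The dependency tree, the `com.example` artifacts, the versions and the repo name `onap-example` are constructed sample data.

```python
"""Classify log4j entries in a Maven dependency tree as direct or transitive.

Added example; not ONAP tooling. Assumes the text format printed by
`mvn dependency:tree` (3-column indentation, "+- " / "\\- " branch markers).
"""
import re
from dataclasses import dataclass

# Constructed sample output of `mvn dependency:tree` for a hypothetical repo.
# The com.example artifacts and all versions are made up for illustration.
SAMPLE_TREE = """\
[INFO] org.onap.example:example-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:lib-a:jar:3.1.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] \\- com.example:lib-b:jar:1.2.0:compile
[INFO]    \\- com.example:lib-c:jar:0.9.0:compile
[INFO]       \\- log4j:log4j:jar:1.2.17:compile
"""

# Maven groups that ship log4j 1.x (log4j:log4j) or 2.x (org.apache.logging.log4j:*).
LOG4J_GROUPS = {"org.apache.logging.log4j", "log4j"}

# indent: zero or more "|  " / "   " blocks (3 characters per nesting level)
# mark:   "+- " or "\- " in front of every non-root node
# coord:  group:artifact:type[:classifier]:version[:scope]
NODE = re.compile(r"^(?P<indent>(?:[| ] {2})*)(?P<mark>[+\\]- )?(?P<coord>\S+)$")


@dataclass(frozen=True)
class Finding:
    group: str
    artifact: str
    version: str
    kind: str        # "direct" (declared in the pom) or "transitive" (brought in by another dependency)
    path: tuple      # chain of "group:artifact" from the top-level dependency down to this one


def parse_coord(coord):
    """Split a Maven coordinate string into (group, artifact, version); None if malformed."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    # root line: g:a:type:version; dependency line: g:a:type[:classifier]:version:scope
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def find_log4j(tree_text):
    """Walk the tree text and return a Finding for every log4j artifact."""
    stack = []       # stack[d] holds the "group:artifact" of the node at depth d
    findings = []
    for raw in tree_text.splitlines():
        line = raw.removeprefix("[INFO] ").rstrip()
        m = NODE.match(line)
        if not m:
            continue               # plugin banners, blank lines, other log output
        parsed = parse_coord(m["coord"])
        if parsed is None:
            continue               # separator lines such as "-----"
        group, artifact, version = parsed
        depth = len(m["indent"]) // 3 + (1 if m["mark"] else 0)
        del stack[depth:]          # we have left any deeper branch
        stack.append(f"{group}:{artifact}")
        if group in LOG4J_GROUPS:
            kind = "direct" if depth == 1 else "transitive"
            findings.append(Finding(group, artifact, version, kind, tuple(stack[1:])))
    return findings


def ticket_summaries(repo, findings):
    """One ticket title per transitive log4j dependency, naming the chain that introduces it."""
    titles = []
    for f in findings:
        if f.kind != "transitive":
            continue
        via = " -> ".join(f.path[:-1])
        titles.append(f"[{repo}] transitive {f.group}:{f.artifact} {f.version} via {via}")
    return titles


if __name__ == "__main__":
    found = find_log4j(SAMPLE_TREE)
    for f in found:
        print(f"{f.kind:10} {f.group}:{f.artifact}:{f.version}  path: {' -> '.join(f.path)}")
    for title in ticket_summaries("onap-example", found):   # hypothetical repo name
        print(title)
```

Against a real repo, feed the output of `mvn dependency:tree` to `find_log4j`; the direct findings point at the project's own pom, while each transitive finding names the top-level dependency whose upgrade (or exclusion) removes it, which is the information a per-dependency ticket needs. The classification says nothing about whether the log4j version is actually vulnerable or reachable; it only locates where the fix has to be applied.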



Summary: Security Logging Presentation to Akraino TSC - Bob
Description:
  Logging today at 1500 UTC. Here is the meeting info if you would like to join.
  https://wiki.akraino.org/display/AK/TSC+2022-03-08+%28Tuesday%29+7%3A00+am+Pacific
Status: ongoing

Summary: ONAP Security Review Questionnaire template first cut – Tony
Status: started

Presentation on proposed logging fields to be provided to the PTL community on 14th of March. To be followed by architecture information as a separate presentation/topic.

Jira No: IT-23650
Summary: Unmaintained projects – ticket creation for failing Jenkins jobs
Description:
  Issue seems to be finally resolved.
  Thomas asked to propose a patch for the composite release notes that includes info from slide 6.
Status: done

Summary: LFN preparing document on ONAP security
Description:
  https://wiki.lfnetworking.org/display/LN/2022+LFN+Security+whitepaper
  Contribution needed for SBOM part – Sean/Bob (done)
  - NTIA paper could be a good reference.
Status: done

Summary: Unmaintained projects
Description: Discussion on how to represent unmaintained projects, yaml vs. JSON file, type of information.
Status: ongoing

Jira No: IT-23622
Summary: API documentation for SonarCloud (continuation of IT-23519)
Description: Tony and Amy will try to use AT&T's leverage as a SonarCloud customer to get info on API documentation.
Status: ongoing

Summary: Unmaintained projects - Istanbul Maintenance Release Notes
Description: Ticket creation for failing Jenkins jobs. Thomas asked to propose a patch for the composite release notes that includes info from slide 6, but we first need to solve the failing Jenkins jobs.
Status: done
Solution: Failing Jenkins jobs issue to be escalated.

Summary: Security logging update
Description:
  https://wiki.onap.org/display/DW/JakartaONAP+Best+Practice+Proposal+for+Standardized+Logging+Fields
  Some more clarifications planned; naming is causing some confusion.

Summary: Security Reviews
Description:
  https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template
  We want to start simple and small.
  Time it takes to document vulnerabilities and time it takes to resolve them. Assurance section might be expanded.
Status: ongoing
Solution: SECCOM members to review the proposed draft and discuss further next week.

Summary: Packages upgrades for Jakarta
Description:
  As of today the project teams have upgraded 103 of 299 identified vulnerable direct dependencies for the release (~34%).
  Ask TSC to focus on security by sending an e-mail to TSC and discussing this issue on Thursday.

Summary: Time shift in US on 13th March and in EU on 27th March.
Description: Please check if the meeting invitations are displayed accordingly.
Status: ongoing

One more session (on 25th of February) to complete the fields review.
Next to be reviewed with PTLs.

Summary: SonarCloud findings
Description: Tony will open direct tickets to projects.
Status: started
Solution: Tickets to be opened by Tony.

Summary: Badging - no update
Description:
  Tony working with David and Dave on moving projects from having an owner from the project to having David as owner for Badging. Some owners have gone away... Additional editors do not have rights to remove somebody from the project (they can only add additional people).
  No movement. Waiting for an answer from David Wheeler.
Solution: Tony to reach out to David.

Summary: Final SCA scan for Istanbul Maintenance release.
Description: List of projects with transitive dependencies to be provided by Amy.

Summary: Quality gates
Description: No update so far from Seshu.
Status: ongoing
Solution:
  To join SO meeting.
  To drop an e-mail to Toine. Meeting with Seshu to be done.

Summary: Issue with Wiki creation by Tony
Description: Ticket to be created to solve the issue.






SECCOM MEETING CALL WILL BE HELD ON 15th OF MARCH'22.
  • Quality gates for code quality improvements - continuation of the discussion.
  • 5Y review criteria.




Attachments:
  • 2022-03-08_SECCOM_week.mp4
  • SECCOM presentation: 2022-03-08 ONAP Security Meeting - AgendaAndMinutes.pptx