Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 5th of April 2022.
| Jira No | Summary | Description | Status | Solution |
|---|
Maggie merged the changes on the Wiki. Tony's comment to keep naming convention from headings as it corresponds to Badging questionaire. Most of the changes are usefull. Thank you Maggie!
| Issue raised with SECCOM by Kohei - About Critical Information Leak | Ticket to be open to SDNC – last message to SECCOM on token and logins/passwords. | started | Ticket to be opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - done Confirmation e-mail to be sent to Kohei - done | |
| CPS gold badge | 2 tickets created at LFN IT:
| started | ||
| Istanbul Maintenance Release Notes | https://jira.onap.org/browse/CCSDK-3602: malformed table, needs to be fixed! https://jira.onap.org/browse/SDNC-1670: AAF transitive dependency | ongoing | ||
| PTLs meeting on April 4th |
| ongoing | We shall provide SECCOM proposal/ recommendation for unmaintained projects to TSC, synch up with Architecture Subcommittee is needed, Byung will check with Chaker. Amy to draft proposal by end of this week and send to SECCOM distribution list. | |
TSC meeting on March 31st: |
| ongoing | ||
| SBOM status update | Vijay turned flag on. To be followed up with Jess. SBOM for Python? Fabin is using Trivy with CycloneDX format. No option for SPDX. | ongoing | Tony to re-share the e-mail. | |
| Updates to Secure Design Questionnaire - Maggie | No additional comments.
| ongoing | Action from one of the last meetings: Muddasar will prepare grade rate assessment proposal. | |
Security logging update – Bob | PoC phase, communication with Toine. Synch with Byung needed. | ongoing | Bob to contact Byung. |
Muddasar will prepare grade rate assessment proposal.
Ramesh (ONAP Policy) gave a presentation again on enabling cluster role in policy k8s-participant’s OOM chart since they have implemented the security requirements suggested by SECCOM.
REST endpoints disabled by default.
- In remote helm repository:
- Allows only secure repos with https enabled
- Allow the rewpo only if present in the permitted repo list
- Provision included in the config file of K8s-participant helm chart to provide a list of permitted repos to consume the charts.
- Verifies secure repository endpoints
For dynamic code analysis the answer from projects should be answered Unmet. We have static analysis buit not dynamic.
Jenkins jobs for SonarCloud configured on a weekly basis - licence level we are using.
| Linux Security Summit - CFP |
|
| ongoing | SBOM visibility to be created in the deck - consultancy with Muddasar is planned. | ||
| Next ONAP F2F | https://events.linuxfoundation.org/lfn-developer-testing-forum/ - registration open | started | Please consider your personal particiapation, so SECCOM team could meet again |
Amy and Pawel to submit proposal.
Tony and Maggie to provide proposal as well| . | ||
SECCOM MEETING CALL WILL BE HELD ON 12th OF April'22. | Quality gates for code quality improvements - Fabian's presentation. |
5Y review criteria - finalization of the proposal.
SonarCloud fixing with new code focus. |
Recording:
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|