Page History

For tracking purpose dedicated Jira tickets to be  opened per project and per both releases.

New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation

Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426

Update recommendations for log4j into 2.17

Post log4j info on ONAP security Wiki. 

• Log4j Istanbul maintenance release
• Steve Winslow left LFN

.

Kubescape and Trivi scans

https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job.

Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi.

Threadfix removes duplication of findings from different sources.

Fabian will have a meeting with Kubescape.

Brian to share info on their Jfrog  for Image scanning.

SECCOM topics and overall agenda proposal:

• https://teamup.com/ksgw6qzqcmg9zbzsfq?view=MD&date=2022-1-10&calendars=8227292,8227785,8227782,8310707,8310614
• ONAP Security: Jakarta Global Requirements and Best Practices
  • Tuesday, 11th of January, 4:30 UTC
• Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric – Topic
  • Wednesday, 12th of January, 2:30 UTC
• Code quality demo - main session stream – Fabian/Pawel/Kevin/Toine – Topic
  • Tuesday, 11th of January, 3:30 UTC

Interproject proposals:

• • • SBOMs ONAP story – Muddasar/Pawel Topic
    • Monday, 10th of January, 2:30 UTC

SECCOM MEETING CALL WILL BE HELD ON 18th OF JANUARY'22. 

Review - SECCOM presentations for DDF events.

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?