...
| Jira No | Summary | Description | Status | Solution | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Last TSC meeting | Test criteria for Istanbul Release – deck prepared by Eric and Andreas | ongoing | ||||||||
| Last PTLs meeting | https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-07/12_13-15/ ONAP Security Exception Process Security related integration issues will be collected under an Epic filed in the INT Jira project. For Istanbul, the Tern results in integration test will be informational and not gating. Need to consult with TSC to make results blocking for future releases. Must complete exception filing by M3, using the protocol described in the link above. | ongoing | AWX and CDS to be identified as part of ONAP project - done it is part of CCSDK. | |||||||
| ESR Waiver | Most probably ESR will be exluded from ONAP Istanbul release. | ongoing | Final check to be done by Byung. | |||||||
Updated Seccom criteria for the integration tests to pass a release |
| ongoing | To be presented at the TSC meeting | |||||||
Software BOMs, Hardware BOMs - Muddasar | Feedback for Muddasar's presentation is welcome. Muddasar is thinking of how the date can be collected, where should be stored and how could be shared. Next week presentation might be provided by Muddasar. | ongoing | What is the query mechanism? (during onboarding process presentation of manifesto BOM file or during query of EM or VIM from ONAP and get that information from VIMs. | |||||||
| Dependency confusion attacks vs. ONAP SW build process | Samuli sent an e-mail to SECCOM distribution list but as no specific feedback received so far, he will send it ot ONAP discuss. Interesting framework by Google: SLSA: Supply-chain Levels for Software Artifacts https://slsa.dev/ https://wiki.onap.org/display/DW/Developing+ONAP Bob created a dependency security wiki snip for Samuli's and his investigation on this topic. Dependency Security | ongoing | Jess to be contacted for CI chain and Nexus for Bob's question. Services term to be modified into Services (xNF, xApps) Plans to be presented to Architecture Subcommittee. | |||||||
Update from LFN | (IT-22333by Pawel, and IT-22334by Thierry)
| ongoing | ||||||||
| Code quality and SonarCloud | Achievements to be presented to TSC:
Risk Acceptance statement by TSC. We have a resource shortage to address security concerns for % value of code coverage (as a minimum 55% in the past). | ongoing | Pawel and Fabian to present progress and achievements to TSC on August 12th in this domain. | |||||||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF AUGUST'21. | SBOM/HBOM continuation. Revisit Brian's topic on Security Risk Assessment and Acceptance. |
Recording:
| View file | ||||
|---|---|---|---|---|
|
...