
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 21st of September 2021.

Jira No / Summary / Description / Status / Solution

REQ-801

REQ-800

REQ-863

REQ-443

M4 update
  • Waivers tracing for SECCOM global requirements:
    • vfc-huawei-vnfm-driver - pending question
    • Wildcard not supported in waiver management (message-router-* was replaced by message-router-kafka and message-router-zookeeper)
    • other yellow lines:
      • framework-artifactbroker remaining in Java (dual version)
      • modeling-etsicatalog
      • uui/uui-server
    • pnf-macro-test-simulator will very soon run in a different namespace and should disappear; it is a simulator, so it could also be put under waiver (it is not released with ONAP)
  • Security scans: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-09/14_13-40/
ongoing




Software BOMs
  • Nexus upgraded to the latest version; LFN decision to use the SPDX format rather than CycloneDX
  • Research on how the missing information can be collected (plugin to be used?): info.yaml, the POM file for Maven, and Jira for who submitted the code
  • We are not tracking one-to-one contribution tracing in the repository, so that information is upstream, at the point where the committer merges the code
ongoing
Muddasar to research how the missing information can be collected (plugin to be used?).
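As an added example (not LFN or ONAP tooling), the script below shows what an SPDX 2.2 document built from a POM alone looks like, and what it cannot fill in: the license fields stay NOASSERTION and nothing says who submitted the code, which is exactly the missing information discussed above. The sample POM, its coordinates, the document namespace and the tool name are constructed for the example.

```python
"""Minimal SPDX 2.2 JSON SBOM from a Maven POM (added example, not ONAP/LFN tooling)."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample POM; the coordinates are placeholders, not real ONAP projects.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example.onap</groupId>
  <artifactId>example-service</artifactId>
  <version>1.2.3</version>
  <properties><jackson.version>2.12.5</jackson.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def _text(elem, tag, props):
    """Child element text with ${property} references expanded."""
    child = elem.find(f"m:{tag}", NS)
    value = (child.text or "").strip() if child is not None else ""
    for key, val in props.items():
        value = value.replace("${" + key + "}", val)
    return value

def parse_pom(pom_xml):
    """Return (project coordinates, dependencies that ship, i.e. not test scope)."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    keys = ("groupId", "artifactId", "version")
    project = {k: _text(root, k, props) for k in keys}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        dep = {k: _text(d, k, props) for k in keys}
        dep["scope"] = _text(d, "scope", props) or "compile"
        if dep["scope"] != "test":  # test-only dependencies are not shipped
            deps.append(dep)
    return project, deps

def spdx_id(coord):
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in coord)

def package_entry(name, version, purl=None):
    """One SPDX package. License fields stay NOASSERTION: a POM alone does not
    carry license data, which is the gap the minutes describe."""
    entry = {"name": name, "SPDXID": spdx_id(name), "versionInfo": version,
             "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
             "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"}
    if purl:
        entry["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                  "referenceType": "purl", "referenceLocator": purl}]
    return entry

def build_spdx(project, deps, created=None):
    """Assemble the document: DOCUMENT DESCRIBES project, project DEPENDS_ON each dep."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    proj_name = f"{project['groupId']}:{project['artifactId']}"
    packages = [package_entry(proj_name, project["version"])]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": spdx_id(proj_name)}]
    for d in deps:
        name = f"{d['groupId']}:{d['artifactId']}"
        purl = f"pkg:maven/{d['groupId']}/{d['artifactId']}@{d['version']}"
        packages.append(package_entry(name, d["version"], purl))
        relationships.append({"spdxElementId": spdx_id(proj_name),
                              "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": spdx_id(name)})
    return {
        "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{proj_name}-{project['version']}",
        # Namespace and tool name are placeholders for the example.
        "documentNamespace": f"https://sbom.example.invalid/{project['artifactId']}/{project['version']}",
        "creationInfo": {"created": created, "creators": ["Tool: pom-to-spdx-example"]},
        "packages": packages, "relationships": relationships,
    }

if __name__ == "__main__":
    proj, deps = parse_pom(SAMPLE_POM)
    print(json.dumps(build_spdx(proj, deps), indent=2))
```

The purl on each dependency is what lets a scanner map the SBOM entry back to the Maven coordinates; the NOASSERTION license fields and the absent author information are the fields that would need a plugin, info.yaml or Jira lookup to populate.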

Last TSC
  • The official TSC policy on including unmaintained components in a release: continue to use the latest version of the component (latest Docker image) if other components depend on it.
  • 3 unmaintained components: Portal, Portal SDK and VID
  • Global requirements are not tracked well, apart from the SECCOM ones (wink), but the Release Manager does not track them ;-( They should be tracked by proper integration tests, but that would be problematic for vulnerability management (package upgrades).
ongoing
To further investigate

Logging requirements

Final set of metadata fields: which ones would be provided by the logging service and which by developers. PTLs invited to Friday's meeting.

Welcome Sean who is helping in prototyping for SW BOMs.

ongoing

Dependency confusion attacks vs. ONAP SW build process
We put this item into the backlog - we have no resources to lead it.
on hold
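The pre-flight check a practitioner would want before this item is picked up again, as an added example (not ONAP tooling). It targets a pip-based component because pip's documented behaviour with extra-index-url is the classic confusion vector: candidates from every index are merged and the highest version wins, so a public package with an internal name and a bigger version number gets installed. The pip.conf, requirements file, internal package names and the public index snapshot are all constructed for the example; in real use the snapshot would come from querying the public index.

```python
"""Dependency confusion pre-flight check for a pip-based build (added example, not ONAP tooling)."""
import configparser
import re

# Constructed inputs; the hosts and package names are placeholders.
PIP_CONF = """[global]
index-url = https://nexus.example.invalid/repository/pypi-internal/simple
extra-index-url = https://pypi.org/simple
"""
REQUIREMENTS = """requests==2.26.0
onap-example-common==1.4.0
onap-example-client>=2.0
pyyaml==5.4.1
"""
# Names the organisation publishes only to its private index (constructed).
INTERNAL_PACKAGES = {"onap-example-common", "onap-example-client"}
# Snapshot of names that exist on the public index (constructed for the example).
PUBLIC_INDEX_NAMES = {"requests", "pyyaml", "onap-example-client"}

def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(text):
    """Project names from a requirements file (plain name+specifier lines only)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip comments, blanks and pip options
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def pip_allows_public_fallback(conf_text):
    """True when extra-index-url is set: pip then merges candidates from all
    indexes and picks the highest version, which is the confusion vector."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return bool(cp.get("global", "extra-index-url", fallback="").strip())

def check_dependency_confusion(conf_text, req_text, internal, public_names):
    """Return (package, reason) findings for internal names at risk of being
    shadowed by a public package."""
    findings = []
    fallback = pip_allows_public_fallback(conf_text)
    internal_n = {normalize(n) for n in internal}
    public_n = {normalize(n) for n in public_names}
    for name in requirement_names(req_text):
        if name not in internal_n:
            continue
        if name in public_n:
            findings.append((name, "internal name also exists on the public index"))
        elif fallback:
            findings.append((name, "internal name unclaimed publicly but extra-index-url lets a squatted package win"))
    return findings

if __name__ == "__main__":
    for pkg, reason in check_dependency_confusion(PIP_CONF, REQUIREMENTS, INTERNAL_PACKAGES, PUBLIC_INDEX_NAMES):
        print(f"{pkg}: {reason}")
```

The two findings differ in urgency: a name that already exists publicly is an active exposure, while an unclaimed name is a latent one that only matters while the fallback index is configured. The fix on the build side is to drop extra-index-url and serve both internal and mirrored public packages through a single index-url, so resolution never consults the public index directly.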

Security Risk Assessment and Acceptance 

Guide for threat modeling for developers:

https://martinfowler.com/articles/agile-threat-modelling.html

We would like to get some help from the guys who are doing the actual development.

Excel file shared with Brian, Amy shared also framework info on two references for threat modeling.

1. ISO 27005: https://www.iso.org/standard/75281.html

2. NIST Special Publication 800-154, Guide to Data-Centric System Threat Modeling (draft)

https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf

ongoing
Do we have a data map to show elements moving through the system?

Last PTLs meeting

Good progress on fulfilling global requirements from SECCOM.

Fabian presented the status of code quality

  • we need to create a page in Confluence describing how to improve quality (page directly under SECCOM)
  • we need to open another ticket on services hosting
  • Jiras for Python and Java were updated
ongoing

Pawel to create the page: ONAP code quality improvement

Fabian to create a Jira ticket to LFN IT:

https://jira.linuxfoundation.org/plugins/servlet/theme/portals


Feature intake template

Muddasar was introduced to Alla, who leads the ONAP Requirements Subcommittee; she is to be contacted to provide details.

We need a standard template for a feature to be accepted (visibility, security and usability sections should be there).

ongoing

To create a Jira ticket template.

To be checked if the feature specific information is further tracked.


Last TSC meeting
  • TSC elections: nominations close on September 21st
  • Nominations for Honolulu awards extended to September 17th
  • Spark in New Zealand going into production with ONAP
ongoing

Jakarta SECCOM requirements

Apart from the current global requirements, we might want to follow other requirements:

  • Security logging as a best practice for Jakarta; it is not exactly REQ-441
started

A new requirement to be created for security logging, either as a PoC with CPS or as a best practice for Jakarta.

This item to be discussed with Byung on Friday's meeting. 



How is info.yaml generated?
ongoing
This item to be discussed with PTLs on Friday's meeting.

CADI and AAF replacement
DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee.
ongoing
Byung to present an update at the next SECCOM


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 28th OF SEPTEMBER'21. 





Recording: 

SECCOM presentation:
