Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of December 2021.

Jira No
SummaryDescriptionStatusSolution

SECCOM presentations for incoming DDF (January).

SECCOM topics backlog for DDF (4 bullets we merge into one Topic):

  • Logging requirements clarification – Bob/Byung - https://wiki.lfnetworking.org/display/LN/2022-01-DD+-+ONAP%3A+Security+and+Logging
    • New requirements for Jakarta – Amy/Pawel – all in one – GR review with David
    • Recommended versions (SECCOM and OOM) – Amy/Pawel/Sylvain
    • Packages upgrades - Jakarta update - Amy/Pawel
  • Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric - Topic
  • Code quality demo - main session stream – Fabian/Kevin/Toine - Topic

Interproject proposals:

  • SBOMs ONAP story – Muddasar/Pawel Topic
ongoing



Jakarta proposed versions update: 

https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

  • for CentoS there is a discrepency between SECCOM proposal and version submitted by Morgan, 
  • SBOMS would help
  • Elasticsearch - probably we are not going to use it? If not, we will remove it from the list.
  • Filebeat (based on Go) in the context of java and python versions - filebeat uses an optional python script for data migration
ongoing

CentOS versionits usage by ONAP community to be elaborated with Fabian.

Column to be added on what applies to container run time and what applies to node


Jakarta basic images

Michal is working for both Java and PythonongoingRecommended versions to be shared with Amy.

SCA analysis

Ongoing - direct dependencies transferred to excel.

Failing Jenkins jobs for AAI.

Jira tickets created per project.

ongoing

PTL meeting update
  • Reminder about SECCOM requirements (slide 11) for Jakarta release :
    • Requirements were created accordingly in Jira,
    • REQ-1070 LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – description to be elaborated - done
  • Jakarta M1 date change – December 9th
ongoing

TSC meeting update

SECCOM requirements were approved by TSC.

done

Meeting yesterday on unmaintained projects/repos

We need an audit on project dependencies – current projects that are unmaintained (and repos).

ongoingDavid to lead this audit and bring it to TSC.

Quality gates for code quality improvements 

3 levels under consideration: bronze, silver and gold. Basic level could be reacjing 55% of code coverage.

https://docs.sonarqube.org/latest/user-guide/metric-definitions/

Tables about project maturity (self reported) while we are doing measured approach.

startedTo review levels from sonarqube and tables for project maturity.

SECCOM MEETING CALL WILL BE HELD ON 14th OF DECEMBER'21. 

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?




Recording: 


SECCOM presentation: