Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 18th of January 2022.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423 | Log4j upgrade | Log4j 2.17.1 was released. It provides a fix for a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832.
Muddasar shared https://github.com/lfscanning by Gary O'Neall (lfScanningAgent) <garylegal@sourceauditor.com> Following the exchanges with Jess under the LFN IT ticket, there is a need to create new branches by each PTL for Istanbul maintenance release and then configure jjb with Nexus-IQ scans for it. | ongoing | For tracking purpose dedicated Jira tickets to be opened per project and per both releases. |
| Update of https://lists.onap.org/g/onap-security/members - updated list | List of the participants was reviewed and updated inline with contributions. | done | Added people to this distribution list. | |
| SECCOM presentations for incoming DTF (January). | Thank you SECCOM team for great presentations and all exchanges during the event!
| done | ||
| Sonarcloud API documentation | As discussed SonarCloud has changed their API and available documentation is insufficient. Need to open a ticket to Jess to help in exchanges with SonarCloud and obtain better API documentation. | done | Ticket to LFN IT was opened: | |
| https://jira.onap.org/browse/INT-2039 | Limit number of images | Images lifecycle management - need to limit number of images. Need to keep Istanbul scanning (different from what is in Master). | ongoing | |
| Centos usage | Used by Postgres with version 8 - we are targetting version 8 stream. | |||
| Unmainained projects | Meeting done last Monday - to be continued on Thursday (DOC) meeting. | |||
| Jakarta SCA analysis | New Wiki created for log4j recommended upgrade: Log4j upgrade recommendation Ticket was opened by Amy on Sonatype API documentation: https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23426 | Update recommendations for log4j into 2.17 Post log4j info on ONAP security Wiki. | ||
| TSC meeting update |
| Steve move ement Impact on Tony for CII Badging? | ||
| PTL meeting update | log4j update | |||
| SBOMs | Muddasar sent e-mail to Vijay and Toine. | ongoing | ||
| Quality gates | Fabian will have a meeting with Seshu for SO. Next update in January. | ongoing | ||
Kubescape and Trivi scans | https://hub.armo.cloud/docs/c-0009 , limitation is on the pod and not cron job. Issue with containerD - not possible to have information on CVEs. Compatibility only with DockerD and Postman. Fabian opened the ticket at Trivi. Threadfix removes duplication of findings from different sources. | ongoing | Fabian will have a meeting with Kubescape. Brian to share info on their Jfrog for Image scanning. | |
| SECCOM presentations for incoming DDF (January). | SECCOM topics and overall agenda proposal:
Interproject proposals:
| ongoing | ||
SECCOM MEETING CALL WILL BE HELD ON 25th OF JANUARY'22. | Review - SECCOM presentations for DDF events. Quality gates for code quality improvements - continuation of the discussion. SBOM next steps - which repos/projects to take into account? |
Recording:
SECCOM presentation: