I am adding the Security Subcommittee to this thread, who are currently reviewing these requests.

Sent from my iPad 😄

On 22 Nov 2018 at 22:35, OBRIEN, FRANK MICHAEL <frank.obr...@amdocs.com> wrote:

Gildas,

Yes, I knew about the Sonatype nexus-iq licensing terms – that single commercial tool is dictating how we work in public.

There are a couple of TSC issues we need to move forward on; I raised these in the past – I'll repost and get opinions from the other PTLs – in case we proceed or keep the status quo.

- Discuss open source alternatives to NIST CVE search/identification – avoiding Sonatype: https://jira.onap.org/browse/TSC-32
- Expand access to private CLM pages: https://jira.onap.org/browse/TSC-59
- Expand access to nexus-iq: https://jira.onap.org/browse/TSC-49

Just an FYI – there are discrepancies between the private and public spaces – just checking in case this is for some criteria and this 6/8 diff means something.

6 projects have no public scrubbed version, including mine – hence the possible confusion below.
8 have a public scrubbed version but no private detailed version.

Exists privately but not publicly: AAI, Logging, MSB, POMBA, SDC, SDNC
Exists publicly but not privately: DMaaP, CLAMP, DCAE, MultiVIM, MUSIC, OOF, VNFSDK, VVP

I'll create Logging and POMBA on the public side and leave the rest to the other PTLs.

Thank you
/michael

From: Gildas Lanilis <gildas.lani...@huawei.com>
Sent: Wednesday, November 21, 2018 4:53 PM
To: Michael O'Brien <frank.obr...@amdocs.com>; ZWARICO, AMY <az9...@att.com>; onap-discuss@lists.onap.org
Cc: Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com; Kenny Paul <kp...@linuxfoundation.org>
Subject: RE: Update S3P for TSC

Hi Michael,

We have some licensing compliance issues with the tool we are using for the scan. To circumvent the issue, we had to create a wiki space restricted to committers that embeds the "Artifact", "Version", and "Problem Code". This helps committers track exactly their issue. For a general audience, the SECCOM team created an open-to-everyone, curated wiki page without the labeled "Artifact", "Version", and "Problem Code". RN in ReadTheDocs will point toward the curated wiki page.

Hope this helps.

Thanks,
Gildas
ONAP Release Manager
1 415 238 6287

From: Michael O'Brien [mailto:frank.obr...@amdocs.com]
Sent: Wednesday, November 21, 2018 4:48 AM
To: ZWARICO, AMY <az9...@att.com>; Gildas Lanilis <gildas.lani...@huawei.com>; onap-discuss@lists.onap.org
Cc: Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com; Kenny Paul <kp...@linuxfoundation.org>
Subject: RE: Update S3P for TSC

Still a WIP in my queue along with other work – I have almost finished details on the last couple of ones for sdnc-context-builder – I find copying from the nexus-iq sections to this security page extremely tedious – figuring out each exploit and recommending a compensating control not in (upgrade to the latest, use an alternate) is going to take some time – especially with the pomba code and with re-integration testing – in hindsight I should have just labeled everything with an ignore action like some of the other teams.

I don't understand what this issue is with the columns and links – the security page is not accessible to the public – hence why no one except committers can access the page.

> 1. Remove the columns labeled "Artifact", "Version", and "Problem Code". These are fields that cannot be publicly accessible per the license.

I followed the existing template – there are other pages, like a random pick below, that contain these columns and links.

Are you saying that the logging page needs to be different from the rest of ONAP?
https://wiki.onap.org/pages/viewpage.action?pageId=43387665

Repository | Group | Artifact | Version | Problem Code | Impact Analysis | Action
modeling/toscaparsers | org.apache.tomcat.embed | tomcat-embed-core | 8.5.28 | CVE-2018-8014 | | No action, use previous release code
msb-apigateway | com.fasterxml.jackson.core | jackson-databind | 2.9.4 | Link (https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/msb-apigateway/8e7c981bf15e44369bb6ca29d7895ea4) SONATYPE-2017-0312 | False Positive |

From: ZWARICO, AMY <az9...@att.com>
Sent: Tuesday, November 20, 2018 9:43 PM
To: Michael O'Brien <frank.obr...@amdocs.com>; Gildas Lanilis <gildas.lani...@huawei.com>
Cc: Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com; ZWARICO, AMY <az9...@att.com>
Subject: RE: Update S3P for TSC

Thank you for your work on the vulnerability reviews. I need you to update the table at https://wiki.onap.org/pages/viewpage.action?pageId=43385152.

1. Remove the links to NexusIQ reports.
2. Remove the columns labeled "Artifact", "Version", and "Problem Code". These are fields that cannot be publicly accessible per the license.
3. Remove all entries about licenses.
4. Indicate if the vulnerability is a false positive (not exploitable from the logging code) or exploitable.
5. For all exploitable vulnerabilities, describe any compensating controls that a user of ONAP can put in place to reduce the risk of the vulnerability being exploited.
6. Make sure that all security vulnerabilities in the NexusIQ reports are accounted for in the Vulnerability review table.

Thank you for your attention to this.

Amy

From: OBRIEN, FRANK MICHAEL
Sent: Wednesday, November 14, 2018 11:29 PM
To: Gildas Lanilis <gildas.lani...@huawei.com>; FORSYTH, JAMES <jf2...@att.com>; LANDO, MICHAEL <michael.la...@intl.att.com>; zhao.huab...@zte.com.cn; TIMONEY, DAN <dt5...@att.com>; shen...@chinamobile.com
Cc: ZWARICO, AMY <az9...@att.com>; Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com; 'Yunxia Chen' <helen.c...@huawei.com>; BARSKY, GEORA <geo...@amdocs.com>; MACNIDER, JAMES <james.macni...@amdocs.com>; AU, PRUDENCE <prudence...@amdocs.com>; STANGL, DAVID <david.sta...@amdocs.com>; CHEN, YONG <yong.c...@amdocs.com>; CHISHOLM, SHARON <sharon.chish...@amdocs.com>
Subject: RE: Update S3P for TSC

Gildas, Amy,

I updated the page for our 3rd pass through the CLM issues – there are some changes post the new CLM reports, the oparent change and the recent SDNC SSL changes. Based on the updates, where I went through the 7 repo CLM reports in tedious detail, I think we should be switched to pass like the other teams – as most of our issues are common to ONAP.
https://wiki.onap.org/pages/viewpage.action?pageId=43385152

The table has 2 parts – the old baseline, which I would still like to go over, and the new section at the top, which is the current CLM state.

There are 3 main areas:
* Spring Boot 2.x upgrade related (this is big and is the same issue the rest of ONAP has around using 1.5.17 of the library – we are 1 of N for this)
* Jackson databind – all of ONAP has an issue with this library – there is no good version – revisit an alternate in the near future
* Various jaxb, json, jms issues – half license related – most of these are in the sdnc pomba repo – this one needs to be fixed – James and I will work on this when we get time – along with the developers that put the most recent changes in.

We also need some action on a couple of the TSC issues (nexus-iq alternatives, CLM access to nexus-iq and the wiki for contributors) that I raised JIRAs on.

/michael

From: Michael O'Brien
Sent: Wednesday, November 14, 2018 11:51 PM
To: 'Gildas Lanilis' <gildas.lani...@huawei.com>; FORSYTH, JAMES <jf2...@att.com>; Lando,Michael <ml6...@intl.att.com>; zhao.huab...@zte.com.cn; TIMONEY, DAN <dt5...@att.com>; shen...@chinamobile.com
Cc: ZWARICO, AMY <az9...@att.com>; Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com; 'Yunxia Chen' <helen.c...@huawei.com>
Subject: RE: Update S3P for TSC

Updating my page right now to redo all the false positive comments so they are more clear and also up to date with the new CLM results.

A pass on other projects is also required – as per our discussion on the moving target of CLM. For example, the oparent project states that their CLM issues are the responsibility of the downstream projects. I think either oparent keeps their versions current to fix CLM issues at the root so downstream can pick up the fix – or oparent stops assigning versions and leaves the CLM fix flexibility with the downstream projects – the spring version is fixed, for example.

/michael

From: Gildas Lanilis <gildas.lani...@huawei.com>
Sent: Wednesday, November 14, 2018 6:40 PM
To: FORSYTH, JAMES <jf2...@att.com>; Michael O'Brien <frank.obr...@amdocs.com>; Lando,Michael <ml6...@intl.att.com>; zhao.huab...@zte.com.cn; TIMONEY, DAN <dt5...@att.com>; shen...@chinamobile.com
Cc: ZWARICO, AMY <az9...@att.com>; Stephen Terrill <stephen.terr...@ericsson.com>; pawel.pawl...@orange.com
Subject: FW: Update S3P for TSC
Importance: High

Hi Jimmy, Michael O, Michael L, Huabing, Dan, Tao,

Following up on vulnerabilities for Casablanca. At this point in the release, I tend to think these vulnerabilities are not going to be fixed by code. However, I think what Amy, Pawel and Stephen would like to hear about is the usage of these vulnerable functions by ONAP code. Please let us know and update your wiki page accordingly.

*Amy, Pawel, Stephen, let me know if I have misinterpreted your thought process.

Thanks,
Gildas
ONAP Release Manager
1 415 238 6287

From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: Wednesday, November 14, 2018 12:06 PM
To: Gildas Lanilis <gildas.lani...@huawei.com>; LEFEVRE, CATHERINE <catherine.lefe...@intl.att.com>
Subject: FW: Update S3P for TSC

From: ZWARICO, AMY
Sent: Wednesday, November 14, 2018 1:58 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>; 'Pawlak Paweł 3 - Korpo' <pawel.pawl...@orange.com>
Cc: ZWARICO, AMY <az9...@att.com>
Subject: RE: Update S3P for TSC

I'm re-sending the two updated docs just in case.

From: ZWARICO, AMY
Sent: Wednesday, November 14, 2018 1:55 PM
To: 'Stephen Terrill' <stephen.terr...@ericsson.com>; 'Pawlak Paweł 3 - Korpo' <pawel.pawl...@orange.com>
Subject: RE: Update S3P for TSC

As of 11/14 we do not have the completed vulnerability reports for the following projects:
1. AAI (Pawel)
2. Logging (Amy)
3. MSB (Amy)
4. SDC (Stephen)
5. SDNC (Stephen)

We do not have answers about secure communication from the following projects:
1. UsecaseUI (Amy)

My updates are in the attached documents.

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Wednesday, November 14, 2018 6:20 AM
To: 'Pawlak Paweł 3 - Korpo' <pawel.pawl...@orange.com>; ZWARICO, AMY <az9...@att.com>
Subject: Update S3P for TSC

Hi,

We should have an update of the security S3P. If you have updates, please provide.

BR,
Steve

Stephen Terrill
Senior Expert, Automation and Management
TECHNOLOGY SPECIALIST
BDGS RDP Architecture & Technology
Phone: +34913393005
Mobile: +34609168515
stephen.terr...@ericsson.com
Ericsson
C/ Via de los Poblados 13. B
28033, Madrid, Madrid, Spain
ericsson.com
Legal entity: ERICSSON AB, registration number 556056-6258, registered office in Stockholm. This communication is confidential. Our email terms: www.ericsson.com/en/legal/privacy/email-disclaimer

"Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".

View/Reply Online (#14006): https://lists.onap.org/g/onap-discuss/message/14006
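Amy's checklist in the thread above (drop NexusIQ links and the Artifact/Version/Problem Code columns from the public copy, drop license entries, record a false-positive or exploitable verdict, give a compensating control for every exploitable finding, and account for every finding in the scanner report) can be checked mechanically before a curated page is published. The script below is an added example written for this thread; it is not ONAP, SECCOM or Sonatype tooling. The Finding record, the column names, the third and fourth sample rows and the set of scanner problem codes are constructed for illustration; the first two rows are the ones quoted in Michael's message.

```python
# Added example (not from the thread or the ONAP project): check a committer-only
# vulnerability review table against the publishing rules discussed above and
# produce the curated public version. Column names and the Finding record are
# assumptions made for this example.
from dataclasses import dataclass
import re

VERDICTS = ("false positive", "exploitable")


@dataclass
class Finding:
    repository: str
    group: str
    artifact: str            # private only
    version: str             # private only
    problem_code: str        # private only (CVE / SONATYPE id from the scanner)
    report_link: str         # private only (NexusIQ report URL)
    verdict: str = ""        # "false positive" or "exploitable"
    compensating_control: str = ""
    is_license: bool = False  # license findings are left out of the public page


def public_rows(findings):
    """Curated rows: no artifact, version, problem code, report link or license entries."""
    return [
        {"repository": f.repository, "group": f.group,
         "verdict": f.verdict, "compensating_control": f.compensating_control}
        for f in findings if not f.is_license
    ]


def audit(findings, scanner_codes):
    """Return the list of problems that block publishing the table (empty means OK)."""
    problems = []
    seen = {f.problem_code for f in findings}
    # every scanner finding must appear in the review table
    for code in sorted(scanner_codes - seen):
        problems.append(f"{code}: in scanner report but not in review table")
    for f in findings:
        if f.is_license:
            continue
        if f.verdict not in VERDICTS:
            problems.append(f"{f.problem_code}: needs a 'false positive' or 'exploitable' verdict")
        elif f.verdict == "exploitable" and not f.compensating_control.strip():
            problems.append(f"{f.problem_code}: exploitable but no compensating control described")
    return problems


def render_public(findings):
    """Plain-text table containing only the columns allowed on the public page."""
    lines = ["Repository | Group | Verdict | Compensating control"]
    for r in public_rows(findings):
        lines.append(" | ".join([r["repository"], r["group"], r["verdict"], r["compensating_control"]]))
    return "\n".join(lines)


# Things that must never show up in the public rendering: report links, problem
# codes and dotted version strings.
LEAK_PATTERN = re.compile(r"nexus-iq|CVE-\d{4}-\d+|SONATYPE-\d{4}-\d+|\b\d+\.\d+\.\d+\b", re.IGNORECASE)


def leaked_private_fields(text):
    """Return the private-only tokens found in a rendered table, sorted and de-duplicated."""
    return sorted({m.group(0) for m in LEAK_PATTERN.finditer(text)})


# Constructed sample: the two rows quoted in the thread, plus a made-up exploitable
# row with no control yet and a made-up license row (PLACEHOLDER-* ids are not real).
SAMPLE = [
    Finding("modeling/toscaparsers", "org.apache.tomcat.embed", "tomcat-embed-core", "8.5.28",
            "CVE-2018-8014", "", "", "No action, use previous release code"),
    Finding("msb-apigateway", "com.fasterxml.jackson.core", "jackson-databind", "2.9.4",
            "SONATYPE-2017-0312",
            "https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/msb-apigateway/8e7c981bf15e44369bb6ca29d7895ea4",
            "false positive"),
    Finding("example-repo", "example.group", "example-lib", "1.0.0", "PLACEHOLDER-0001", "", "exploitable"),
    Finding("example-repo", "example.group", "example-gpl", "2.0.0", "LICENSE-PLACEHOLDER", "", is_license=True),
]
# Constructed scanner output: one code (PLACEHOLDER-0002) is missing from the table.
SCANNER_CODES = {"CVE-2018-8014", "SONATYPE-2017-0312", "PLACEHOLDER-0001", "PLACEHOLDER-0002"}

if __name__ == "__main__":
    for problem in audit(SAMPLE, SCANNER_CODES):
        print("BLOCKER:", problem)
    public = render_public(SAMPLE)
    print(public)
    print("private fields leaked into public table:", leaked_private_fields(public))
```

Run against the sample, the audit reports the unaccounted scanner code, the tomcat row that still lacks a verdict, and the exploitable row with no compensating control; the rendered public table contains none of the private-only fields. Adding the leak check to whatever job publishes the curated page is the cheap way to keep the committer-only data from reaching the public space by accident.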