Date

Attendees

Discussion items

Time | Item | Who | Notes

Anything urgent? Review the Kanban board?

Team

OKAPI-1172 / SECURITY-8

Team

DevOps (Wayne S., John M.) had restricted access to the affected Jenkins jobs (at a minimum, you needed to be logged in). This was rolled back because it caused some confusion, and some people had trouble accessing the jobs even when logged in.

Julian has addressed this in OKAPI and has cut releases 5.x.x and 4.x.x.

  • There was an issue with the Debian package for OKAPI 5, related to Java 17, but it is not relevant to this conversation.
  • Docker images are available.
  • folio-snapshot has picked the changes up and is running the latest code from master branch.

What can we do about older logs?

  • From John Malconian:
    • The build-platform-complete-snapshot job only retains the last 30 builds, and the Okapi log artifact is only included in failed builds. Out of the last 30 runs, only one build, #20974, failed. I manually went ahead and deleted the Okapi log artifact from that build.

Other next steps?

  • Update/close JIRAs
    • Change visibility of SECURITY-8?
      • Yes, once the announcement is made, open up visibility to everyone.
      • Craig McNally will do this.
  • Do we need to make an announcement?
    • Yes, let's make an announcement in #sys-ops.
    • Craig McNally will do this.

RSRVR-125 "Cross-site Scripting (XSS) in webroot/index.js"

Julian/Jakub

Has Jakub expedited this yet?

Craig McNally will ping Jakub Skoczen about this via Slack.


Consortia Tenant Checks

How can the consortia token security issues be addressed?


NCT Group

Axel

We've asked the NCT group if someone could join us to discuss the pen testing they're doing, how it overlaps with the ZAP testing, etc.

Let's aim for .  Axel Dörrer will coordinate with the NCT group to set this up, forward invites, etc.

Action items
