#acumos-meeting: Acumos Security Committee

Meeting started by aimeeu at 14:07:08 UTC (full logs).

Meeting summary

    1. attendees: Bryan AT&T, Aimee AT&T, Nat TechM (aimeeu, 14:10:14)

  1. Athena Release (aimeeu, 14:10:22)
    1. s-v component will not be integrated into the platform in the Athena release (aimeeu, 14:10:53)
    2. more requirements gathering, community involvement with how contributed models should be scanned/verified (aimeeu, 14:11:49)
    3. gather community input on what matters to them (aimeeu, 14:12:25)
    4. continue to research tools that could be integrated (aimeeu, 14:13:13)
    5. gather what operators would expect regarding uploaded model license and vulnerability scanning (aimeeu, 14:14:32)
    6. https://wiki.acumos.org/display/SEC/Release+Planning (aimeeu, 14:15:15)
    7. Manoop has joined the meeting (aimeeu, 14:17:20)
    8. Nat will summarize and take to TSC (aimeeu, 14:18:17)
    9. much discussion (Bryan is taking notes on the wiki) (aimeeu, 14:26:48)
    10. Manoop: really need source code to scan but on-boarding doesn't support it (aimeeu, 14:32:53)
    11. Manoop explains why uploading model source code was not part of the original plan (aimeeu, 14:33:55)
    12. Bryan: need source code, need training data in order to trust model (aimeeu, 14:34:18)
    13. Manoop: add agenda item to Architecture Committee to include source code (aimeeu, 14:36:12)
    14. Bryan: wants further discussions with AT&T security team about procedures/policies (aimeeu, 14:38:59)

  2. Platform and Platform Code (aimeeu, 14:39:28)
    1. Bryan: license scanning of platform code (aimeeu, 14:39:48)
    2. need more explicit confirmation - hopefully NexusIQ will help (aimeeu, 14:40:39)
    3. NexusIQ scans what our source code references (aimeeu, 14:41:46)
    4. tools for scanning our code (aimeeu, 14:42:52)
    5. Manoop: ONAP uses Fossology (aimeeu, 14:43:27)
    6. https://github.com/nexB/scancode-toolkit ScanCode scans code and detects licenses, copyrights, package manifests & dependencies and more ... to discover and inventory open source and third-party packages used in your code (aimeeu, 14:44:08)
    7. LF helped set up Fossology for ONAP (aimeeu, 14:45:07)
    8. what tools can scan platform code for vulnerabilities? (aimeeu, 14:47:23)
    9. https://scan.coverity.com/ (aimeeu, 14:47:27)
    10. Coverity Scan is being looked at for ONAP (aimeeu, 14:48:08)
    11. Fortify on Demand is used inside AT&T https://software.microfocus.com/en-us/products/application-security-testing/overview (aimeeu, 14:49:31)
    12. Sonar is used to scan Java source code but not yet configured for vulnerabilities (aimeeu, 14:51:48)
    13. Acumos Jenkins and Sonar need to be configured to scan Acumos python projects (aimeeu, 14:52:10)
    14. Manoop shows how Sonar vulnerability scanning has been configured for ONAP (aimeeu, 14:52:50)
    15. on code review, sonar/jenkins job can be configured to fail on "blockers" (aimeeu, 14:55:33)
    16. need to look into Quality Profiles for the ability to define a rule based on a regular expression (aimeeu, 14:56:30)

  3. Platform Hardening (aimeeu, 14:57:14)
    1. Bryan shows examples he listed in meeting minutes (aimeeu, 14:57:33)
    2. Manoop: https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY . This is the link to look at the current vulnerability rules defined by default. We can customize and create our own. (aimeeu, 14:59:14)


Meeting ended at 15:01:48 UTC (full logs).

Action items

  1. (none)


People present (lines said)

  1. aimeeu (40)
  2. collabot (5)
  3. talasila (1)
  4. bryan_att (0)


Generated by MeetBot 0.1.4.