14:07:08 <aimeeu> #startmeeting Acumos Security Committee
14:07:08 <collabot> Meeting started Tue Aug 7 14:07:08 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:07:08 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:07:08 <collabot> The meeting name has been set to 'acumos_security_committee'
14:07:16 <aimeeu> #chair bryan_att
14:07:16 <collabot> Current chairs: aimeeu bryan_att
14:10:14 <aimeeu> #info attendees: Bryan AT&T, Aimee AT&T, Nat TechM
14:10:22 <aimeeu> #topic Athena Release
14:10:53 <aimeeu> #info s-v component will not be integrated into the platform in the Athena release
14:11:49 <aimeeu> #info more requirements gathering, community involvement with how contributed models should be scanned/verified
14:12:25 <aimeeu> #info gather community input on what matters to them
14:13:13 <aimeeu> #info continue to research tools that could be integrated
14:14:32 <aimeeu> #info gather what operators would expect regarding uploaded model license and vulnerability scanning
14:15:15 <aimeeu> #link https://wiki.acumos.org/display/SEC/Release+Planning
14:17:20 <aimeeu> #info Manoop has joined the meeting
14:18:17 <aimeeu> #info Nat will summarize and take to TSC
14:26:48 <aimeeu> #info much discussion (Bryan is taking notes on the wiki)
14:32:53 <aimeeu> #info Manoop: really need source code to scan but on-boarding doesn't support it
14:33:55 <aimeeu> #info Manoop explains why uploading model source code was not part of the original plan
14:34:18 <aimeeu> #info Bryan: need source code, need training data in order to trust model
14:36:12 <aimeeu> #info Manoop: add agenda item to Architecture Committee to include source code
14:38:59 <aimeeu> #info Bryan: wants further discussions with AT&T security team about procedures/policies
14:39:28 <aimeeu> #topic Platform and Platform Code
14:39:48 <aimeeu> #info Bryan: license scanning of platform code
14:40:39 <aimeeu> #info need more explicit conformation - hopefully NexusIQ will help
14:41:46 <aimeeu> #info NexusIQ scans what our source code references
14:42:52 <aimeeu> #info tools for scanning our code
14:43:27 <aimeeu> #info Manoop: ONAP uses Fossology
14:44:08 <aimeeu> #link https://github.com/nexB/scancode-toolkit ScanCode scans code and detects licenses, copyrights, package manifests & dependencies and more ... to discover and inventory open source and third-party packages used in your code
14:45:07 <aimeeu> #info LF helped set up Fossology for ONAP
14:47:23 <aimeeu> #info what tools can scan platform code for vulnerabilities?
14:47:27 <aimeeu> #link https://scan.coverity.com/
14:48:08 <aimeeu> #info Coverity Scan is being looked at for ONAP
14:49:31 <aimeeu> #info Fortify on Demand is used inside AT&T #link https://software.microfocus.com/en-us/products/application-security-testing/overview
14:51:48 <aimeeu> #info Sonar is used to scan Java source code but not yet configured for vulnerabilities
14:52:10 <aimeeu> #info Acumos Jenkins and Sonar need to be configured to scan Acumos python projects
14:52:50 <aimeeu> #info Manoop shows how Sonar vulnerability scanning has been configured for ONAP
14:55:33 <aimeeu> #info on code review, sonar/jenkins job can be configured to fail on "blockers"
14:56:30 <aimeeu> #info need to look into Quality Profiles for the ability to define a rule based on a regular expression
14:57:14 <aimeeu> #topic Platform Hardening
14:57:33 <aimeeu> #info Bryan shows examples he listed in meeting minutes
14:58:53 <talasila> @aimeeu - https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY . This is the link to look at the current vulnerability rules defined by default. We can customize and create our own.
14:58:53 <collabot> talasila: Error: "aimeeu" is not a valid command.
14:59:14 <aimeeu> #info Manoop: https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY . This is the link to look at the current vulnerability rules defined by default. We can customize and create our own.
14:59:29 <aimeeu> talasila: thanks!
15:01:48 <aimeeu> #endmeeting