14:07:08 #startmeeting Acumos Security Committee
14:07:08 Meeting started Tue Aug 7 14:07:08 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:07:08 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:07:08 The meeting name has been set to 'acumos_security_committee'
14:07:16 #chair bryan_att
14:07:16 Current chairs: aimeeu bryan_att
14:10:14 #info attendees: Bryan AT&T, Aimee AT&T, Nat TechM
14:10:22 #topic Athena Release
14:10:53 #info s-v component will not be integrated into the platform in the Athena release
14:11:49 #info more requirements gathering, community involvement with how contributed models should be scanned/verified
14:12:25 #info gather community input on what matters to them
14:13:13 #info continue to research tools that could be integrated
14:14:32 #info gather what operators would expect regarding uploaded model license and vulnerability scanning
14:15:15 #link https://wiki.acumos.org/display/SEC/Release+Planning
14:17:20 #info Manoop has joined the meeting
14:18:17 #info Nat will summarize and take to TSC
14:26:48 #info much discussion (Bryan is taking notes on the wiki)
14:32:53 #info Manoop: really need source code to scan but on-boarding doesn't support it
14:33:55 #info Manoop explains why uploading model source code was not part of the original plan
14:34:18 #info Bryan: need source code, need training data in order to trust model
14:36:12 #info Manoop: add agenda item to Architecture Committee to include source code
14:38:59 #info Bryan: wants further discussions with AT&T security team about procedures/policies
14:39:28 #topic Platform and Platform Code
14:39:48 #info Bryan: license scanning of platform code
14:40:39 #info need more explicit confirmation - hopefully NexusIQ will help
14:41:46 #info NexusIQ scans what our source code references
14:42:52 #info tools for scanning our code
14:43:27 #info Manoop: ONAP uses Fossology
14:44:08 #link https://github.com/nexB/scancode-toolkit ScanCode scans code and detects licenses, copyrights, package manifests & dependencies and more ... to discover and inventory open source and third-party packages used in your code
14:45:07 #info LF helped set up Fossology for ONAP
14:47:23 #info what tools can scan platform code for vulnerabilities?
14:47:27 #link https://scan.coverity.com/
14:48:08 #info Coverity Scan is being looked at for ONAP
14:49:31 #info Fortify on Demand is used inside AT&T #link https://software.microfocus.com/en-us/products/application-security-testing/overview
14:51:48 #info Sonar is used to scan Java source code but not yet configured for vulnerabilities
14:52:10 #info Acumos Jenkins and Sonar need to be configured to scan Acumos Python projects
14:52:50 #info Manoop shows how Sonar vulnerability scanning has been configured for ONAP
14:55:33 #info on code review, sonar/jenkins job can be configured to fail on "blockers"
14:56:30 #info need to look into Quality Profiles for the ability to define a rule based on a regular expression
14:57:14 #topic Platform Hardening
14:57:33 #info Bryan shows examples he listed in meeting minutes
14:58:53 @aimeeu - https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY . This is the link to look at the current vulnerability rules defined by default. We can customize and create our own.
14:58:53 talasila: Error: "aimeeu" is not a valid command.
14:59:14 #info Manoop: https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY . This is the link to look at the current vulnerability rules defined by default. We can customize and create our own.
14:59:29 talasila: thanks!
15:01:48 #endmeeting