==========================================
#acumos-meeting: Acumos Security Committee
==========================================


Meeting started by aimeeu at 14:07:08 UTC. The full logs are available at
http://ircbot.wl.linuxfoundation.org/meetings/acumos-meeting/2018/acumos-meeting.2018-08-07-14.07.log.html
.



Meeting summary
---------------
* attendees: Bryan AT&T, Aimee AT&T, Nat TechM  (aimeeu, 14:10:14)

* Athena Release  (aimeeu, 14:10:22)
  * s-v component will not be integrated into the platform in the Athena
    release  (aimeeu, 14:10:53)
  * more requirements gathering, community involvement with how
    contributed models should be scanned/verified  (aimeeu, 14:11:49)
  * gather community input on what matters to them  (aimeeu, 14:12:25)
  * continue to research tools that could be integrated  (aimeeu,
    14:13:13)
  * gather what operators would expect regarding uploaded model license
    and vulnerability scanning  (aimeeu, 14:14:32)
  * LINK: https://wiki.acumos.org/display/SEC/Release+Planning  (aimeeu,
    14:15:15)
  * Manoop has joined the meeting  (aimeeu, 14:17:20)
  * Nat will summarize and take to TSC  (aimeeu, 14:18:17)
  * much discussion (Bryan is taking notes on the wiki)  (aimeeu,
    14:26:48)
  * Manoop: really need source code to scan but on-boarding doesn't
    support it  (aimeeu, 14:32:53)
  * Manoop explains why uploading model source code was not part of the
    original plan  (aimeeu, 14:33:55)
  * Bryan: need source code, need training data in order to trust model
    (aimeeu, 14:34:18)
  * Manoop: add agenda item to Architecture Committee to include source
    code  (aimeeu, 14:36:12)
  * Bryan: wants further discussions with AT&T security team about
    procedures/policies  (aimeeu, 14:38:59)

* Platform and Platform Code  (aimeeu, 14:39:28)
  * Bryan: license scanning of platform code  (aimeeu, 14:39:48)
  * need more explicit confirmation - hopefully NexusIQ will help
    (aimeeu, 14:40:39)
  * NexusIQ scans what our source code references  (aimeeu, 14:41:46)
  * tools for scanning our code  (aimeeu, 14:42:52)
  * Manoop: ONAP uses Fossology  (aimeeu, 14:43:27)
  * LINK: https://github.com/nexB/scancode-toolkit ScanCode scans code
    and detects licenses, copyrights, package manifests & dependencies
    and more ... to discover and inventory open source and third-party
    packages used in your code  (aimeeu, 14:44:08)
  * LF helped set up Fossology for ONAP  (aimeeu, 14:45:07)
  * what tools can scan platform code for vulnerabilities?  (aimeeu,
    14:47:23)
  * LINK: https://scan.coverity.com/  (aimeeu, 14:47:27)
  * Coverity Scan is being looked at for ONAP  (aimeeu, 14:48:08)
  * Fortify on Demand is used inside AT&T #link
    https://software.microfocus.com/en-us/products/application-security-testing/overview
    (aimeeu, 14:49:31)
  * Sonar is used to scan Java source code but not yet configured for
    vulnerabilities  (aimeeu, 14:51:48)
  * Acumos Jenkins and Sonar need to be configured to scan Acumos python
    projects  (aimeeu, 14:52:10)
  * Manoop shows how Sonar vulnerability scanning has been configured for
    ONAP  (aimeeu, 14:52:50)
  * on code review, sonar/jenkins job can be configured to fail on
    "blockers"  (aimeeu, 14:55:33)
  * need to look into Quality Profiles for the ability to define a rule
    based on a regular expression  (aimeeu, 14:56:30)

* Platform Hardening  (aimeeu, 14:57:14)
  * Bryan shows examples he listed in meeting minutes  (aimeeu, 14:57:33)
  * Manoop:
    https://sonar.acumos.org/coding_rules#qprofile=AWBIIBgVTnjX3jsStw6k|activation=true|types=VULNERABILITY
    . This is the link to look at the current vulnerability rules
    defined by default. We can customize and create our own.  (aimeeu,
    14:59:14)

Meeting ended at 15:01:48 UTC.




People present (lines said)
---------------------------
* aimeeu (40)
* collabot (5)
* talasila (1)
* bryan_att (0)




Generated by `MeetBot`_ 0.1.4