#acumos-meeting: Acumos Security Subcommittee Meeting

Meeting started by aimeeu at 14:05:09 UTC (full logs).

Meeting summary

    1. attendees Aimee Ukasick, Bryan Sullivan, Guy Jacobson, Manoop Talasila (aimeeu, 14:05:50)
    2. there was no meeting last week because Bryan was at the Open Source Summit (aimeeu, 14:06:22)
    3. attendees Daniel Sela (Amdocs), Reuben Klein (ATT) (aimeeu, 14:07:31)
    4. Bryan recaps Acumos-related activity at the Open Source Summit (aimeeu, 14:07:54)

  1. Nexus-IQ Scans (aimeeu, 14:08:56)
    1. Manoop reached out to PTLs and asked them to join the Security call (aimeeu, 14:09:11)

  2. Agenda Bashing (aimeeu, 14:10:52)
    1. Nexus-IQ scans, Jira items #link https://jira.acumos.org/browse/ACUMOS-1044 (aimeeu, 14:11:05)

  3. Nexus-IQ Scans (aimeeu, 14:11:17)
    1. Bryan sent request to LF to give Daniel access to NexusIQ results (aimeeu, 14:11:42)
    2. Daniel has not received credentials; in the meantime, Bryan will upload results to the wiki (aimeeu, 14:12:02)
    3. Bryan shares screen #link https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/dashboard/violations (login required) (aimeeu, 14:12:50)
    4. info is on Reporting tab (aimeeu, 14:13:02)
    5. Bryan will post reports to #link https://wiki.acumos.org/display/SEC/NexusIQ (restricted access) (aimeeu, 14:15:10)
    6. Bryan reviews the #link https://wiki.acumos.org/display/SEC/NexusIQ page (aimeeu, 14:15:58)
    7. Bryan shares the spreadsheet that's attached to the page (aimeeu, 14:18:25)
    8. Currently, NexusIQ only scans the Java projects (aimeeu, 14:18:51)
    9. Bryan looked into the NexusIQ suite and it does support Python (aimeeu, 14:19:17)
    10. all files should be scanned - need support for YAML, Dockerfile, bash, etc. (aimeeu, 14:21:34)
    11. Bryan explains his spreadsheet (aimeeu, 14:22:05)
    12. components use different versions of the same library; Manoop suggests Common Services spearhead initiative to provide guidelines to upgrade libraries (aimeeu, 14:23:47)
    13. Manoop suggests categorizing the vulnerabilities: 1) if there is a recent library version, recommend upgrading; 2) if the vulnerability specifies a specific class/method, classify it as high priority that must be fixed ASAP (aimeeu, 14:27:34)
    14. must have triage process (Manoop started this) (aimeeu, 14:27:53)
    15. Manoop created Jira items (aimeeu, 14:28:34)
    16. https://wiki.acumos.org/display/REL/Security+Vulnerability+Threat+Template (talasila, 14:30:27)
    17. https://jira.acumos.org/browse/ACUMOS-1094 epic for resolving vulnerabilities in code (aimeeu, 14:31:08)
    18. Manoop will follow up with teams on progress (aimeeu, 14:32:27)
    19. Portal and Design Studio have a larger list; might be a big impact (aimeeu, 14:34:31)

  4. License Scanning (aimeeu, 14:39:42)
    1. https://jira.acumos.org/browse/ACUMOS-1044 (aimeeu, 14:39:46)
    2. "platform code contribution" is mostly being addressed by NexusIQ (aimeeu, 14:40:51)
    3. the LF team does periodic FOSSology scans of repos (aimeeu, 14:41:30)
    4. Manoop: can the LF set up jobs using FOSSology to scan our repos on a regular basis (aimeeu, 14:42:23)
    5. Manoop asks about license issues (aimeeu, 14:42:48)
    6. checks for no license; unapproved licenses (i.e. BSD3) - need explicit TSC approval for any non-Apache licensed code (aimeeu, 14:43:51)
    7. the repo's top-level license covers any file not explicitly licensed (including media, etc.) (aimeeu, 14:44:38)
    8. ACTION: Bryan will upload FOSSology results to Security wiki (aimeeu, 14:44:58)
    9. ACTION: Bryan will compile list of items for TSC approval (aimeeu, 14:45:18)
    10. need to find solution for finding security vulnerabilities in contributed code (aimeeu, 14:46:35)

  5. Platform Testing (aimeeu, 14:50:43)
    1. as deployed, is the platform secure? (aimeeu, 14:50:55)
    2. significant comments from Huawei discussed but not minuted for security reasons (aimeeu, 14:52:02)
    3. need to create Jira items to address significant concerns (aimeeu, 14:53:27)

  6. API Security (aimeeu, 15:03:40)
    1. need list of exposed APIs and which ones require authentication (aimeeu, 15:04:03)
    2. need to test - Aimee is working on automated API testing for Test team and will work with Bryan on this (aimeeu, 15:04:36)


Meeting ended at 15:04:39 UTC (full logs).

Action items

  1. Bryan will upload FOSSology results to Security wiki
  2. Bryan will compile list of items for TSC approval


People present (lines said)

  1. aimeeu (48)
  2. collabot (3)
  3. talasila (1)


Generated by MeetBot 0.1.4.