14:05:09 <aimeeu> #startmeeting Acumos Security Subcommittee Meeting
14:05:09 <collabot> Meeting started Tue Sep 4 14:05:09 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:09 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:05:09 <collabot> The meeting name has been set to 'acumos_security_subcommittee_meeting'
14:05:20 <aimeeu> chair bryan_att
14:05:50 <aimeeu> #info attendees Aimee Ukasick, Bryan Sullivan, Guy Jacobson, Manoop Talasila
14:06:22 <aimeeu> #info there was no meeting last week because Bryan was at the Open Source Summit
14:07:31 <aimeeu> #info attendees Daniel Sela (Amdocs), Reuben Klein (ATT)
14:07:54 <aimeeu> #info Bryan recaps Acumos-related activity at the Open Source Summit
14:08:56 <aimeeu> #topic Nexus-IQ Scans
14:09:11 <aimeeu> #info Manoop reached out to PTLs and asked them to join the Security call
14:10:52 <aimeeu> #topic Agenda Bashing
14:11:05 <aimeeu> #info Nexus-IQ scans, Jira items #link https://jira.acumos.org/browse/ACUMOS-1044
14:11:17 <aimeeu> #topic Nexus-IQ Scans
14:11:42 <aimeeu> #info Bryan sent request to LF to give Daniel access to NexusIQ results
14:12:02 <aimeeu> #info Daniel has not received credentials; in the meantime, Bryan will upload results to the wiki
14:12:50 <aimeeu> #info Bryan shares screen #link https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/dashboard/violations (login required)
14:13:02 <aimeeu> #info info is on Reporting tab
14:15:10 <aimeeu> #info Bryan will post reports to #link https://wiki.acumos.org/display/SEC/NexusIQ (restricted access)
14:15:58 <aimeeu> #info Bryan reviews the #link https://wiki.acumos.org/display/SEC/NexusIQ page
14:18:25 <aimeeu> #info Bryan shares the spreadsheet that's attached to the page
14:18:51 <aimeeu> #info Currently, NexusIQ only scans the Java projects
14:19:17 <aimeeu> #info Bryan looked into the NexusIQ suite and it does support Python
14:21:34 <aimeeu> #info all files should be scanned - need support for yaml, dockerfile, bash, etc
14:22:05 <aimeeu> #info Bryan explains his spreadsheet
14:23:47 <aimeeu> #info components use different versions of the same library; Manoop suggests Common Services spearhead initiative to provide guidelines to upgrade libraries
14:27:34 <aimeeu> #info Manoop suggests categorizing the vulnerabilities: 1) if there is a recent library version, recommend upgrading; 2) if vulnerability specifies specific class/method, classify as high priority and must be fixed asap
14:27:53 <aimeeu> #info must have triage process (Manoop started this)
14:28:34 <aimeeu> #info Manoop created Jira items
14:30:27 <talasila> #link https://wiki.acumos.org/display/REL/Security+Vulnerability+Threat+Template
14:31:08 <aimeeu> #link https://jira.acumos.org/browse/ACUMOS-1094 epic for resolving vulnerabilities in code
14:32:27 <aimeeu> #info Manoop will follow up with teams on progress
14:34:31 <aimeeu> #info Portal and Design Studio have a larger list; might be a big impact
14:39:42 <aimeeu> #topic License Scanning
14:39:46 <aimeeu> #link https://jira.acumos.org/browse/ACUMOS-1044
14:40:51 <aimeeu> #info "platform code contribution" is mostly being addressed by NexusIQ
14:41:30 <aimeeu> #info the LF team does periodic FOSSology scans of repos
14:42:23 <aimeeu> #info Manoop: can the LF set up jobs using FOSSology to scan our repos on a regular basis
14:42:48 <aimeeu> #info Manoop asks about license issues
14:43:51 <aimeeu> #info checks for no license; unapproved licenses (i.e. BSD3) - need explicit TSC approval for any non-Apache licensed code
14:44:38 <aimeeu> #info the repo's top license covers any file not explicitly licensed (including media, etc)
14:44:58 <aimeeu> #action Bryan will upload FOSSology results to Security wiki
14:45:18 <aimeeu> #action Bryan will compile list of items for TSC approval
14:46:35 <aimeeu> #info need to find solution for finding security vulnerabilities in contributed code
14:50:43 <aimeeu> #topic Platform Testing
14:50:55 <aimeeu> #info as deployed, is the platform secure?
14:52:02 <aimeeu> #info significant comments from Huawei discussed but not minuted for security reasons
14:53:27 <aimeeu> #info need to create Jira items to address significant concerns
15:03:40 <aimeeu> #topic API Security
15:04:03 <aimeeu> #info need list of exposed APIs and which ones require authentication
15:04:36 <aimeeu> #info need to test - Aimee is working on automated API testing for Test team and will work with Bryan on this
15:04:39 <aimeeu> #endmeeting