14:05:09 <aimeeu> #startmeeting Acumos Security Subcommittee Meeting
14:05:09 <collabot> Meeting started Tue Sep  4 14:05:09 2018 UTC.  The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:09 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:05:09 <collabot> The meeting name has been set to 'acumos_security_subcommittee_meeting'
14:05:20 <aimeeu> chair bryan_att
14:05:50 <aimeeu> #info attendees Aimee Ukasick, Bryan Sullivan, Guy Jacobson, Manoop Talasila
14:06:22 <aimeeu> #info there was no meeting last week because Bryan was at the Open Source Summit
14:07:31 <aimeeu> #info attendees Daniel Sela (Amdocs), Reuben Klein (ATT)
14:07:54 <aimeeu> #info Bryan recaps Acumos-related activity at the Open Source Summit
14:08:56 <aimeeu> #topic Nexus-IQ Scans
14:09:11 <aimeeu> #info Manoop reached out to PTLs and asked them to join the Security call
14:10:52 <aimeeu> #topic Agenda Bashing
14:11:05 <aimeeu> #info Nexus-IQ scans, Jira items #link https://jira.acumos.org/browse/ACUMOS-1044
14:11:17 <aimeeu> #topic Nexus-IQ Scans
14:11:42 <aimeeu> #info Bryan sent request to LF to give Daniel access to NexusIQ results
14:12:02 <aimeeu> #info Daniel has not received credentials; in the meantime, Bryan will upload results to the wiki
14:12:50 <aimeeu> #info Bryan shares screen #link https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/dashboard/violations (login required)
14:13:02 <aimeeu> #info info is on Reporting tab
14:15:10 <aimeeu> #info Bryan will post reports to #link https://wiki.acumos.org/display/SEC/NexusIQ (restricted access)
14:15:58 <aimeeu> #info Bryan reviews the #link https://wiki.acumos.org/display/SEC/NexusIQ page
14:18:25 <aimeeu> #info Bryan shares the spreadsheet that's attached to the page
14:18:51 <aimeeu> #info Currently, NexusIQ only scans the Java projects
14:19:17 <aimeeu> #info Bryan looked into the NexusIQ suite and it does support Python
14:21:34 <aimeeu> #info all files should be scanned - need support for yaml, dockerfile, bash, etc
14:22:05 <aimeeu> #info Bryan explains his spreadsheet
14:23:47 <aimeeu> #info components use different versions of the same library; Manoop suggests Common Services spearhead initiative to provide guidelines to upgrade libraries
14:27:34 <aimeeu> #info Manoop suggests categorizing the vulnerabilities: 1) if there is a recent library version, recommend upgrading; 2) if vulnerability specifies specific class/method, classify as high priority and must be fixed asap
14:27:53 <aimeeu> #info must have triage process (Manoop started this)
14:28:34 <aimeeu> #info Manoop created Jira items
14:30:27 <talasila> #link https://wiki.acumos.org/display/REL/Security+Vulnerability+Threat+Template
14:31:08 <aimeeu> #link https://jira.acumos.org/browse/ACUMOS-1094 epic for resolving vulnerabilities in code
14:32:27 <aimeeu> #info Manoop will follow up with teams on progress
14:34:31 <aimeeu> #info Portal and Design Studio have a larger list; might be a big impact
14:39:42 <aimeeu> #topic License Scanning
14:39:46 <aimeeu> #link https://jira.acumos.org/browse/ACUMOS-1044
14:40:51 <aimeeu> #info "platform code contribution" is mostly being addressed by NexusIQ
14:41:30 <aimeeu> #info the LF team does periodic FOSSology scans of repos
14:42:23 <aimeeu> #info Manoop: can the LF set up jobs using FOSSology to scan our repos on a regular basis
14:42:48 <aimeeu> #info Manoop asks about license issues
14:43:51 <aimeeu> #info checks for no license; unapproved licenses (i.e. BSD3) - need explicit TSC approval for any non-Apache licensed code
14:44:38 <aimeeu> #info the repo's top license covers any file not explicitly licensed (including media, etc.)
14:44:58 <aimeeu> #action Bryan will upload FOSSology results to Security wiki
14:45:18 <aimeeu> #action Bryan will compile list of items for TSC approval
14:46:35 <aimeeu> #info need to find solution for finding security vulnerabilities in contributed code
14:50:43 <aimeeu> #topic Platform Testing
14:50:55 <aimeeu> #info as deployed, is the platform secure?
14:52:02 <aimeeu> #info significant comments from Huawei discussed but not minuted for security reasons
14:53:27 <aimeeu> #info need to create Jira items to address significant concerns
15:03:40 <aimeeu> #topic API Security
15:04:03 <aimeeu> #info need list of exposed APIs and which ones require authentication
15:04:36 <aimeeu> #info need to test - Aimee is working on automated API testing for Test team and will work with Bryan on this
15:04:39 <aimeeu> #endmeeting