14:05:09 #startmeeting Acumos Security Subcommittee Meeting
14:05:09 Meeting started Tue Sep 4 14:05:09 2018 UTC. The chair is aimeeu. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:09 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:05:09 The meeting name has been set to 'acumos_security_subcommittee_meeting'
14:05:20 chair bryan_att
14:05:50 #info attendees Aimee Ukasick, Bryan Sullivan, Guy Jacobson, Manoop Talasila
14:06:22 #info there was no meeting last week because Bryan was at the Open Source Summit
14:07:31 #info attendees Daniel Sela (Amdocs), Reuben Klein (ATT)
14:07:54 #info Bryan recaps Acumos-related activity at the Open Source Summit
14:08:56 #topic Nexus-IQ Scans
14:09:11 #info Manoop reached out to PTLs and asked them to join the Security call
14:10:52 #topic Agenda Bashing
14:11:05 #info Nexus-IQ scans, Jira items #link https://jira.acumos.org/browse/ACUMOS-1044
14:11:17 #topic Nexus-IQ Scans
14:11:42 #info Bryan sent request to LF to give Daniel access to NexusIQ results
14:12:02 #info Daniel has not received credentials; in the meantime, Bryan will upload results to the wiki
14:12:50 #info Bryan shares screen #link https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/dashboard/violations (login required)
14:13:02 #info info is on Reporting tab
14:15:10 #info Bryan will post reports to #link https://wiki.acumos.org/display/SEC/NexusIQ (restricted access)
14:15:58 #info Bryan reviews the #link https://wiki.acumos.org/display/SEC/NexusIQ page
14:18:25 #info Bryan shares the spreadsheet that's attached to the page
14:18:51 #info Currently, NexusIQ only scans the Java projects
14:19:17 #info Bryan looked into the NexusIQ suite and it does support Python
14:21:34 #info all files should be scanned - need support for yaml, dockerfile, bash, etc.
14:22:05 #info Bryan explains his spreadsheet
14:23:47 #info components use different versions of the same library; Manoop suggests Common Services spearhead an initiative to provide guidelines to upgrade libraries
14:27:34 #info Manoop suggests categorizing the vulnerabilities: 1) if there is a recent library version, recommend upgrading; 2) if the vulnerability specifies a specific class/method, classify as high priority and must be fixed asap
14:27:53 #info must have triage process (Manoop started this)
14:28:34 #info Manoop created Jira items
14:30:27 #link https://wiki.acumos.org/display/REL/Security+Vulnerability+Threat+Template
14:31:08 #link https://jira.acumos.org/browse/ACUMOS-1094 epic for resolving vulnerabilities in code
14:32:27 #info Manoop will follow up with teams on progress
14:34:31 #info Portal and Design Studio have a larger list; might be a big impact
14:39:42 #topic License Scanning
14:39:46 #link https://jira.acumos.org/browse/ACUMOS-1044
14:40:51 #info "platform code contribution" is mostly being addressed by NexusIQ
14:41:30 #info the LF team does periodic FOSSology scans of repos
14:42:23 #info Manoop: can the LF set up jobs using FOSSology to scan our repos on a regular basis?
14:42:48 #info Manoop asks about license issues
14:43:51 #info checks for no license; unapproved licenses (i.e. BSD3) - need explicit TSC approval for any non-Apache licensed code
14:44:38 #info the repo's top license covers any file not explicitly licensed (including media, etc.)
14:44:58 #action Bryan will upload FOSSology results to Security wiki
14:45:18 #action Bryan will compile list of items for TSC approval
14:46:35 #info need to find solution for finding security vulnerabilities in contributed code
14:50:43 #topic Platform Testing
14:50:55 #info as deployed, is the platform secure?
14:52:02 #info significant comments from Huawei discussed but not minuted for security reasons
14:53:27 #info need to create Jira items to address significant concerns
15:03:40 #topic API Security
15:04:03 #info need list of exposed APIs and which ones require authentication
15:04:36 #info need to test - Aimee is working on automated API testing for Test team and will work with Bryan on this
15:04:39 #endmeeting