=====================================================
#acumos-meeting: Acumos Security Subcommittee Meeting
=====================================================

Meeting started by aimeeu at 14:05:09 UTC. The full logs are available
at http://ircbot.wl.linuxfoundation.org/meetings/acumos-meeting/2018/acumos-meeting.2018-09-04-14.05.log.html .

Meeting summary
---------------
* attendees Aimee Ukasick, Bryan Sullivan, Guy Jacobson, Manoop Talasila
  (aimeeu, 14:05:50)
* there was no meeting last week because Bryan was at the Open Source
  Summit (aimeeu, 14:06:22)
* attendees Daniel Sela (Amdocs), Reuben Klein (ATT) (aimeeu, 14:07:31)
* Bryan recaps Acumos-related activity at the Open Source Summit
  (aimeeu, 14:07:54)

* Nexus-IQ Scans (aimeeu, 14:08:56)
  * Manoop reached out to PTLs and asked them to join the Security call
    (aimeeu, 14:09:11)

* Agenda Bashing (aimeeu, 14:10:52)
  * Nexus-IQ scans, Jira items #link
    https://jira.acumos.org/browse/ACUMOS-1044 (aimeeu, 14:11:05)

* Nexus-IQ Scans (aimeeu, 14:11:17)
  * Bryan sent request to LF to give Daniel access to NexusIQ results
    (aimeeu, 14:11:42)
  * Daniel has not received credentials; in the meantime, Bryan will
    upload results to the wiki (aimeeu, 14:12:02)
  * Bryan shares screen #link
    https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/dashboard/violations
    (login required) (aimeeu, 14:12:50)
  * info is on Reporting tab (aimeeu, 14:13:02)
  * Bryan will post reports to #link
    https://wiki.acumos.org/display/SEC/NexusIQ (restricted access)
    (aimeeu, 14:15:10)
  * Bryan reviews the #link https://wiki.acumos.org/display/SEC/NexusIQ
    page (aimeeu, 14:15:58)
  * Bryan shares the spreadsheet that's attached to the page
    (aimeeu, 14:18:25)
  * Currently, NexusIQ only scans the Java projects (aimeeu, 14:18:51)
  * Bryan looked into the NexusIQ suite and it does support Python
    (aimeeu, 14:19:17)
  * all files should be scanned - need support for yaml, dockerfile,
    bash, etc. (aimeeu, 14:21:34)
  * Bryan explains his spreadsheet (aimeeu, 14:22:05)
  * components use different versions of the same library; Manoop
    suggests Common Services spearhead initiative to provide guidelines
    to upgrade libraries (aimeeu, 14:23:47)
  * Manoop suggests categorizing the vulnerabilities: 1) if there is a
    recent library version, recommend upgrading; 2) if vulnerability
    specifies specific class/method, classify as high priority and must
    be fixed asap (aimeeu, 14:27:34)
  * must have triage process (Manoop started this) (aimeeu, 14:27:53)
  * Manoop created Jira items (aimeeu, 14:28:34)
  * LINK:
    https://wiki.acumos.org/display/REL/Security+Vulnerability+Threat+Template
    (talasila, 14:30:27)
  * LINK: https://jira.acumos.org/browse/ACUMOS-1094 epic for resolving
    vulnerabilities in code (aimeeu, 14:31:08)
  * Manoop will follow up with teams on progress (aimeeu, 14:32:27)
  * Portal and Design Studio have a larger list; might be a big impact
    (aimeeu, 14:34:31)

* License Scanning (aimeeu, 14:39:42)
  * LINK: https://jira.acumos.org/browse/ACUMOS-1044 (aimeeu, 14:39:46)
  * "platform code contribution" is mostly being addressed by NexusIQ
    (aimeeu, 14:40:51)
  * the LF team does periodic FOSSology scans of repos (aimeeu, 14:41:30)
  * Manoop: can the LF set up jobs using FOSSology to scan our repos on
    a regular basis (aimeeu, 14:42:23)
  * Manoop asks about license issues (aimeeu, 14:42:48)
  * checks for no license; unapproved licenses (i.e. BSD3) - need
    explicit TSC approval for any non-Apache licensed code
    (aimeeu, 14:43:51)
  * the repo's top license covers any file not explicitly licensed
    (including media, etc.) (aimeeu, 14:44:38)
  * ACTION: Bryan will upload FOSSology results to Security wiki
    (aimeeu, 14:44:58)
  * ACTION: Bryan will compile list of items for TSC approval
    (aimeeu, 14:45:18)
  * need to find solution for finding security vulnerabilities in
    contributed code (aimeeu, 14:46:35)

* Platform Testing (aimeeu, 14:50:43)
  * as deployed, is the platform secure? (aimeeu, 14:50:55)
  * significant comments from Huawei discussed but not minuted for
    security reasons (aimeeu, 14:52:02)
  * need to create Jira items to address significant concerns
    (aimeeu, 14:53:27)

* API Security (aimeeu, 15:03:40)
  * need list of exposed APIs and which ones require authentication
    (aimeeu, 15:04:03)
  * need to test - Aimee is working on automated API testing for Test
    team and will work with Bryan on this (aimeeu, 15:04:36)

Meeting ended at 15:04:39 UTC.

People present (lines said)
---------------------------
* aimeeu (48)
* collabot (3)
* talasila (1)

Generated by `MeetBot`_ 0.1.4