14:01:29 <lhinds> #startmeeting OPNFV Security Meeting 20/07/2016
14:01:29 <collabot> Meeting started Wed Jul 20 14:01:29 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:29 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:01:29 <collabot> The meeting name has been set to 'opnfv_security_meeting_20_07_2016'
14:01:30 <Sona> Hi *
14:01:37 <lhinds> ok..
14:02:00 <lhinds> #agenda https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:20 <lhinds> will give 2-3 mins for additions / amendments
14:03:48 <lhinds> k, should be short and sweet again
14:04:00 <lhinds> #topic security scanning
14:04:20 <lhinds> So TSC approved as a full project, as informed last week
14:04:32 <lhinds> We now have a dedicated jira:
14:04:55 <Sona> good
14:05:16 <lhinds> #link https://jira.opnfv.org/projects/SECSCAN
14:05:30 <lhinds> git repo:
14:05:47 <lhinds> #link https://gerrit.opnfv.org/gerrit/#/q/project:securityscanning
14:06:05 <lhinds> wiki, we will continue to use the main security group wiki.
14:06:16 <lhinds> so I am building the wiki out on and off this week
14:06:42 <lhinds> in Jira I have built out the main epics / stories in general and towards D-release
14:07:07 <Sona> I hope we will have more people working with security scan
14:07:25 <lhinds> seems like we should, serverascode is getting involved.
14:07:35 <lhinds> and with it being a main project now, it will get more attention
14:07:38 <Sona> good,
14:07:39 <serverascode> yup I am here, and will start to take a look today :)
14:07:58 <Sona> thanks, very good
14:08:02 <lhinds> serverascode: cool!
14:08:12 <Sona> I guess you can cover Luke when he is on vacation :)
14:08:36 <lhinds> I will be off for two weeks from Friday, so we won't do much, so it's a good time to get familiar with it serverascode
14:08:56 <serverascode> sounds good
14:09:30 <lhinds> so we can get really stuck in after the summer break, as things will get busy around Colorado release
14:10:45 <lhinds> other than that there was a race condition that was causing some issues
14:10:51 <lhinds> but that is now fixed;
14:10:57 <lhinds> #link https://build.opnfv.org/ci/job/functest-apex-apex-daily-master-daily-master/66/console
14:11:13 <lhinds> <ctrl-f> 'security_scan'
14:11:20 <lhinds> and you will see it running in the build
14:12:03 <lhinds> - - 2016-07-10 07:44:20,455 - run_tests - INFO - Running test case 'security_scan'...
14:12:29 <lhinds> serverascode: if you get stuck with anything, just drop me an email
14:12:48 <serverascode> ok
14:13:00 <lhinds> although all you need to do, is just run openscap manually from the CI
14:13:10 <lhinds> and check the result
14:13:43 <lhinds> so a health / sanity check to see what sort of state it's in on Debian. I had a quick look and it seemed quite good
14:14:13 <lhinds> oh, when I say Debian, I mean the downstream..so Ubuntu
14:14:30 <lhinds> ok, that's it for now, unless any more questions..
14:14:39 <serverascode> no questions right now
14:14:50 <lhinds> k, over to you Sona
14:14:57 <lhinds> #topic ci badge
14:15:23 <Sona> As I mentioned in the meeting OpenStack had the badge now :)
14:15:45 <Sona> which is good news
14:15:51 <Sona> we are almost there
14:16:45 <Sona> my issues are static and dynamic code analysis
14:16:53 <lhinds> be good to have that done, did you like the idea of doing it for overall opnfv, and then have the projects look at it?
14:17:11 <Sona> I thought we can say "met" for static analysis
14:17:40 <Sona> PEP8 & PyLint are run as gerrit gate jobs
14:17:45 <Sona> right?
14:18:03 <lhinds> kind of, they are not security lints though
14:18:24 <lhinds> and technically we don't run those gates on all code...so it's not used for Java or C
14:18:37 <Sona> Ok, what does the OPNFV project need to do in order to meet these criteria?
14:18:49 <lhinds> If we try to do static analysis for all projects, it will be a nightmare logistically
14:19:02 <Sona> haha
14:19:05 <lhinds> Sona: we put in a caveat
14:19:21 <lhinds> explain how we are upstream contributors with around 40 projects
14:19:30 <Sona> what do you mean by all projects?
14:20:01 <Sona> we are just responsible for code which is generated by OPNFV project itself
14:20:48 <lhinds> well, each project will be responsible for their own, with guidance from us and the badge program.
14:20:55 <Sona> yes
14:21:17 <lhinds> so when we go forward, we do it for the overall OPNFV org, the website, the release ISO, developer guidelines etc.
14:21:39 <lhinds> when it comes to the security of the code in every project, it's going to be too tough to do that.
14:21:41 <Sona> ok what should I say now?
14:21:50 <Sona> unmet and some explanation
14:21:56 <Sona> ?
14:22:05 <lhinds> yes, unmet (or N/A) if it's available.
14:22:14 <Sona> ok
14:22:21 <lhinds> and just pop the question into etherpad, and send it out.
14:22:26 <Sona> and the same for dynamic analysis?
14:22:37 <lhinds> yes, both static and dynamic
14:23:16 <Sona> perhaps we (security team) could do a threat analysis in the future instead?
14:23:34 <Sona> instead of running dynamic analysis tool
14:24:27 <lhinds> if anyone wants to nominate for doing it we could, sure
14:24:36 <Sona> ok :)
14:24:47 <lhinds> would be good to do it before Colorado
14:26:09 <lhinds> it's just it's quite a large undertaking without a few bodies on it
14:26:24 <lhinds> ok, so it's good we are getting close now
14:26:29 <lhinds> top stuff
14:26:35 <lhinds> anything more Sona ?
14:26:43 <Sona> when I chose unmet for dynamic analysis I get the question we we think it is ok that it is unmet, could you please help me to write something there
14:27:03 <Sona> we we ="why"
14:28:24 <lhinds> sure!
14:28:26 <lhinds> np
14:28:34 <lhinds> but please use etherpad, rather than email
14:28:41 <lhinds> makes it easier to manage
14:28:46 <Sona> ok, I will do
14:28:59 <Sona> thanks
14:30:49 <lhinds> ok, np
14:30:59 <lhinds> #topic Any other business?
14:31:00 <Sona> I don't have anything more about badge program
14:31:11 <serverascode> nope
14:33:03 <lhinds> ok, last of all.
14:33:12 <lhinds> Sona: are you ok to cover the next two weeks?
14:34:17 <lhinds> ping Sona
14:34:42 <lhinds> ok, I will drop her an email, if there is any change I will let all know
14:34:48 <lhinds> ok thanks everyone!
14:34:56 <serverascode> ok thanks :)
14:35:00 <lhinds> I will be back on the 8th August
14:35:04 <lhinds> #endmeeting