14:01:29 <lhinds> #startmeeting OPNFV Security Meeting 20/07/2016
14:01:29 <collabot> Meeting started Wed Jul 20 14:01:29 2016 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:29 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:01:29 <collabot> The meeting name has been set to 'opnfv_security_meeting_20_07_2016'
14:01:30 <Sona> Hi *
14:01:37 <lhinds> ok..
14:02:00 <lhinds> #agenda https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:20 <lhinds> will give 2-3 mins for additions / amendments
14:03:48 <lhinds> k, should be short and sweet again
14:04:00 <lhinds> #topic security scanning
14:04:20 <lhinds> So TSC approved as a full project, as informed last week
14:04:32 <lhinds> We now have a dedicated jira:
14:04:55 <Sona> good
14:05:16 <lhinds> #link https://jira.opnfv.org/projects/SECSCAN
14:05:30 <lhinds> git repo:
14:05:47 <lhinds> #link https://gerrit.opnfv.org/gerrit/#/q/project:securityscanning
14:06:05 <lhinds> wiki, we will continue to use the main security group wiki.
14:06:16 <lhinds> so I am building the wiki out on and off this week
14:06:42 <lhinds> in Jira I have built out the main epics / stories in general and towards D-release
14:07:07 <Sona> I hope we will have more people working with security scan
14:07:25 <lhinds> seems like we should, serverascode is getting involved.
14:07:35 <lhinds> and with it being a main project now, it will get more attention
14:07:38 <Sona> good,
14:07:39 <serverascode> yup I am here, and will start to take a look today :)
14:07:58 <Sona> thanks, very good
14:08:02 <lhinds> serverascode: cool!
14:08:12 <Sona> I guess you can cover Luke when he is on vacation :)
14:08:36 <lhinds> I will be off for two weeks from Friday, so we won't do much, so it's a good time to get familiar with it serverascode
14:08:56 <serverascode> sounds good
14:09:30 <lhinds> so we can get really stuck in after the summer break, as things will get busy around Colorado release
14:10:45 <lhinds> other than that there was a race condition that was causing some issues
14:10:51 <lhinds> but that is now fixed;
14:10:57 <lhinds> #link https://build.opnfv.org/ci/job/functest-apex-apex-daily-master-daily-master/66/console
14:11:13 <lhinds> <ctrl-f> 'security_scan'
14:11:20 <lhinds> and you will see it running in the build
14:12:03 <lhinds> - -  2016-07-10 07:44:20,455 - run_tests - INFO - Running test case 'security_scan'...
14:12:29 <lhinds> serverascode: if you get stuck with anything, just drop me an email
14:12:48 <serverascode> ok
14:13:00 <lhinds> although all you need to do, is just run openscap manually from the CI
14:13:10 <lhinds> and check the result
14:13:43 <lhinds> so a health / sanity check to see what sort of state it's in on Debian. I had a quick look and it seemed quite good
14:14:13 <lhinds> oh, when I say Debian, I mean the downstream..so Ubuntu
14:14:30 <lhinds> ok, that's it for now, unless any more questions..
14:14:39 <serverascode> no questions right now
14:14:50 <lhinds> k, over to you Sona
14:14:57 <lhinds> #topic ci badge
14:15:23 <Sona> As I mentioned in the meeting openstack had the badge now :)
14:15:45 <Sona> which is good news
14:15:51 <Sona> we are almost there
14:16:45 <Sona> my issues are static and dynamic code analysis
14:16:53 <lhinds> be good to have that done, did you like the idea of doing it for overall opnfv, and then have the projects look at it?
14:17:11 <Sona> I thought we can say "met" for static analysis
14:17:40 <Sona> PEP8 & PyLint are run as gerrit gate jobs
14:17:45 <Sona> right?
14:18:03 <lhinds> kind of, they are not security lints though
14:18:24 <lhinds> and technically we don't run those gates on all code...so it's not used for Java or C
14:18:37 <Sona> Ok, what do the OPNFV projects need to do in order to meet this criteria?
14:18:49 <lhinds> If we try to do static analysis for all projects, it will be a nightmare logistically
14:19:02 <Sona> haha
14:19:05 <lhinds> Sona: we put in a caveat
14:19:21 <lhinds> explain how we are upstream contributors with around 40 projects
14:19:30 <Sona> what do you mean by all projects?
14:20:01 <Sona> we are just responsible for code which is generated by OPNFV project itself
14:20:48 <lhinds> well, each project will be responsible for their own, with guidance from us and the badge program.
14:20:55 <Sona> yes
14:21:17 <lhinds> so when we go forward, we do it for the overall OPNFV org, the website, the release ISO, developer guidelines etc.
14:21:39 <lhinds> when it comes to the security of the code in every project, it's going to be too tough to do that.
14:21:41 <Sona> ok what should I say now?
14:21:50 <Sona> unmet and some explanation
14:21:56 <Sona> ?
14:22:05 <lhinds> yes, unmet (or N/A) if it's available.
14:22:14 <Sona> ok
14:22:21 <lhinds> and just pop the question into etherpad, and send it out.
14:22:26 <Sona> and the same for dynamic analysis?
14:22:37 <lhinds> yes, both static and dynamic
14:23:16 <Sona> perhaps we (security team) could do a threat analysis in the future instead?
14:23:34 <Sona> instead of running dynamic analysis tool
14:24:27 <lhinds> if anyone wants to nominate for doing it we could, sure
14:24:36 <Sona> ok :)
14:24:47 <lhinds> would be good to do it before Colorado
14:26:09 <lhinds> it's just it's quite a large undertaking without a few bodies on it
14:26:24 <lhinds> ok, so it's good we are getting close now
14:26:29 <lhinds> top stuff
14:26:35 <lhinds> anything more Sona ?
14:26:43 <Sona> when I chose unmet for dynamic analysis I get the question we we think it is ok that it is unmet, could you please help me to write something there
14:27:03 <Sona> we we ="why"
14:28:24 <lhinds> sure!
14:28:26 <lhinds> np
14:28:34 <lhinds> but please use etherpad, rather than email
14:28:41 <lhinds> makes it easier to manage
14:28:46 <Sona> ok, I will do
14:28:59 <Sona> thanks
14:30:49 <lhinds> ok, np
14:30:59 <lhinds> #topic Any other business?
14:31:00 <Sona> I don't have anything more about badge program
14:31:11 <serverascode> nope
14:33:03 <lhinds> ok, last of all.
14:33:12 <lhinds> Sona: are you ok to cover the next two weeks?
14:34:17 <lhinds> ping Sona
14:34:42 <lhinds> ok, I will drop her an email, if there is any change I will let all know
14:34:48 <lhinds> ok thanks everyone!
14:34:56 <serverascode> ok thanks :)
14:35:00 <lhinds> I will be back on the 8th August
14:35:04 <lhinds> #endmeeting