Re: LFN TAC Meeting Minutes, Feb. 10, 2021
Haiby, Ranny (Samsung) <ranny.haiby@...>
My colleague @Krzysztof Opasiak correctly commented that scanning Java dependencies is a good start, but there are vulnerabilities that come through Docker image dependencies. Our colleague @Alexander Mazuruk recently did some excellent image dependency scanning work for ONAP together with @morgan.richomme@.... They presented their work in the DDF:
Some of the tools used such as TERN and ScanCode may be used for image vulnerability scanning.
From: <lfn-tac@...> on behalf of Amy Zwarico <amy.zwarico@...>
Brian, thank you for trying it out and getting some real metrics!
Today ONAP is running NexusIQ weekly and it generates an SBOM. There is an API to get the SBOM in JSON or XML (I believe that NexusIQ uses the SPDX standard for SBOM encoding). I will get details from one of my co-workers when he’s back in the office (Nadeem Anwar). ONAP is using this information to provide PTLs a list of the vulnerable direct dependencies in their project that require updating. Note that the Linux Foundation makes NexusIQ available to all LF projects.
An SBOM in and of itself does not prevent an attack, but it provides information about the code and can be used in conjunction with the National Vulnerability Database (NVD) to understand the known vulns associated with each package. NexusIQ provides both the SBOM and the vulns in each package. Based on this information an organization can decide how much risk is associated with using unsupported/vulnerable package versions, develop tests for exploitability, or put other compensating controls in place.
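A minimal illustration of the SBOM-plus-vulnerability-feed matching described above, added here as an example; it is not ONAP or NexusIQ code. The SPDX-style JSON SBOM, the vulnerability feed and the CVE identifiers are constructed placeholders, and the version-range matching is a simplified stand-in for what a real feed such as the NVD provides.

```python
import json
# Constructed SPDX 2.2 JSON SBOM (sample data, not a real ONAP or NexusIQ export).
SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-project",
  "packages": [
    {"name": "example-lib", "SPDXID": "SPDXRef-1", "versionInfo": "1.2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.example/example-lib@1.2.0"}]},
    {"name": "other-lib", "SPDXID": "SPDXRef-2", "versionInfo": "3.0.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.example/other-lib@3.0.1"}]}
  ]
}
"""

# Constructed vulnerability feed; the CVE ids are placeholders, not real NVD entries.
VULNS = [
    {"id": "CVE-0000-0001", "purl": "pkg:maven/org.example/example-lib",
     "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "CVE-0000-0002", "purl": "pkg:maven/org.example/other-lib",
     "introduced": "2.0.0", "fixed": "3.0.0"},
]

def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def sbom_packages(sbom_text):
    """Yield (name, purl without version, version) for each package with a purl ref."""
    doc = json.loads(sbom_text)
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                base, _, version = ref["referenceLocator"].partition("@")
                yield pkg["name"], base, version or pkg.get("versionInfo", "")

def vulnerable_packages(sbom_text, vulns):
    """Map package name -> vuln ids whose [introduced, fixed) range covers its version."""
    findings = {}
    for name, base, version in sbom_packages(sbom_text):
        v = parse_version(version)
        for vuln in vulns:
            if vuln["purl"] == base and parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"]):
                findings.setdefault(name, []).append(vuln["id"])
    return findings

if __name__ == "__main__":
    print(vulnerable_packages(SBOM_JSON, VULNS))
```

The output is the per-project list of affected direct dependencies that a PTL would act on; other-lib is skipped because 3.0.1 is past the fixed version.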
From: FREEMAN, BRIAN D <bf1936@...>
Sent: Friday, February 12, 2021 8:16 AM
Cc: ZWARICO, AMY <az9121@...>
Subject: RE: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
I added it to the parent pom.xml for one of the ONAP repos and did a test run.
Quite intensive (saturated 1 CPU core for 5 minutes or so – single threaded?).
Not sure if there are other tools being used in open source for SBOM generation, but the XML and JSON format of the data seems like it would be the kind of electronic format that could be provided with packaged software for those organizations that require SBOM tracking.
We also have Python code in a lot of projects, so not sure how an SBOM would be created for that.
I think this allows us to publish our dependencies so someone could quickly determine if we were affected by an attack on someone else.
I don’t think this would prevent an attack on our code, would it?
On Behalf Of Jason Hunt
Thanks Robert for the input. What do other TAC members (and, in particular, project leads) think?