Re: EXT: Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
Martin Jackson
This, I think, is The Way...
Enterprises are looking at the whole pipeline, and tools that are specific to only the piece of the final artifact are not going to be sufficient. (Necessary, but not sufficient, might be a better way to put it.) We've had enough issues in recent years with glibc, Shellshock, and other really low-level components of userspace that the infra (base container etc.) that the artifact sits in should be accounted for as well.
Thanks,
--
Martin Jackson
// Distinguished Software Engineer
From: lfn-tac@... <lfn-tac@...> on behalf of Krzysztof Opasiak via lists.lfnetworking.org <k.opasiak=samsung.com@...>
Sent: Friday, February 12, 2021 1:25 PM
To: Ranny Haiby <ranny.haiby@...>; lfn-tac@... <lfn-tac@...>; FREEMAN, BRIAN D <bf1936@...>
Cc: morgan.richomme@... <morgan.richomme@...>; Alexander Mazuruk <a.mazuruk@...>
Subject: EXT: Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021

Hi,

That's true. The main issue with using only NexusIQ is that it performs the scan based on pom.xml, so we can catch vulnerabilities that exist in the final "Java bundle", but that's not enough. ONAP is delivering to the community not only Java bundles but full Docker images that contain this bundle and dozens of other system tools, for example the Tomcat server. That's why we are looking at tools like tern and scancode, which can analyze not only a Java project but the full Docker image that we are shipping. Based on this scan a full SBOM is generated, and it can be used for both license and vulnerability analysis.

On 12.02.2021 20:15, Ranny Haiby wrote:
> Hi,
>
> My colleague @Krzysztof Opasiak <mailto:k.opasiak@...> correctly commented that scanning Java dependencies is a good start, but there are vulnerabilities that come through Docker image dependencies. Our colleague @Alexander Mazuruk <mailto:a.mazuruk@...> recently did some excellent image dependency scanning work for ONAP together with @morgan.richomme@... <mailto:morgan.richomme@...>. They presented their work in the DDF:
>
> https://wiki.lfnetworking.org/display/LN/2021-02-01+-+Plenary%3A+Dynamic+License+Scanning
>
> Some of the tools used, such as TERN and ScanCode, may be used for image vulnerability scanning.
>
> Ranny.
>
> From: <lfn-tac@...> on behalf of Amy Zwarico <amy.zwarico@...>
> Reply-To: "lfn-tac@..." <lfn-tac@...>
> Date: Friday, February 12, 2021 at 6:40 AM
> To: "FREEMAN, BRIAN D" <bf1936@...>, "lfn-tac@..." <lfn-tac@...>
> Subject: Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
> Resent-From: <ranny.haiby@...>
>
> Brian, thank you for trying it out and getting some real metrics!
>
> Today ONAP is running NexusIQ weekly and it generates an SBOM. There is an API to get the SBOM in JSON or XML (I believe that NexusIQ uses the SPDX standard for SBOM encoding). I will get details from one of my co-workers when he's back in the office (Nadeem Anwar). ONAP is using this information to provide PTLs a list of the vulnerable direct dependencies in their project that require updating. Note that the Linux Foundation makes NexusIQ available to all LF projects.
>
> An SBOM in and of itself does not prevent an attack, but it provides information about the code and can be used in conjunction with the National Vulnerability Database (NVD) to understand the known vulns associated with each package. NexusIQ provides both the SBOM and the vulns in each package. Based on this information an organization can decide how much risk is associated with using unsupported/vulnerable package versions, develop tests for exploitability, or put other compensating controls in place.
>
> From: FREEMAN, BRIAN D <bf1936@...>
> Sent: Friday, February 12, 2021 8:16 AM
> To: lfn-tac@...
> Cc: ZWARICO, AMY <az9121@...>
> Subject: RE: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
>
> Jason, Robert,
>
> Interesting tool.
>
> I added it to the parent pom.xml for one of the ONAP repos and did a test run.
>
> Quite intensive (saturated 1 CPU core for 5 minutes or so; single threaded?)
>
> Not sure if there are other tools being used in open source for SBOM generation, but the XML and JSON format of the data seems like it would be the kind of electronic format that could be provided with packaged software for those organizations that require SBOM tracking.
>
> We also have Python code in a lot of projects, so not sure how an SBOM would be created for that.
>
> I think this allows us to publish our dependencies so someone could quickly determine if we were affected by an attack on someone else.
>
> I don't think this would prevent an attack on our code, would it?
>
> Brian
>
> From: lfn-tac@... <mailto:lfn-tac@...> <lfn-tac@... <mailto:lfn-tac@...>> On Behalf Of Jason Hunt
> Sent: Thursday, February 11, 2021 4:20 PM
> To: lfn-tac@... <mailto:lfn-tac@...>
> Subject: Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
>
> Thanks Robert for the input. What do other TAC members (and, in particular, project leads) think?
>
> Regards,
> Jason Hunt
> Distinguished Engineer, IBM
>
> Phone: +1-314-749-7422
> Email: djhunt@... <mailto:djhunt@...>
> Twitter: @DJHunt
>
> ----- Original message -----
> From: "Robert Varga" <nite@... <mailto:nite@...>>
> Sent by: lfn-tac@... <mailto:lfn-tac@...>
> To: lfn-tac@... <mailto:lfn-tac@...>
> Cc:
> Subject: [EXTERNAL] Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
> Date: Thu, Feb 11, 2021 1:45 PM
>
> Hello everyone,
>
> On 10/02/2021 17:03, Kenny Paul wrote:
> > 2021-02-10 TAC Minutes
> > <https://wiki.lfnetworking.org/display/LN/2021-02-10+TAC+Minutes>
>
> [snip]
>
> > * Next version of LFN Technical Whitepaper - Ranny Haiby <https://wiki.lfnetworking.org/display/~rannyh>
> >   o 2021 Whitepaper Workgroup <https://wiki.lfnetworking.org/display/LN/2021+Whitepaper+Workgroup>
> >   o Need volunteers to contribute - 1-2 hrs. per week for ~8 weeks
> >   o Contributors also include folks that need to review content
> >   o Project reps please mention it at your next TSC meetings
> >   o Brian Freeman <https://wiki.lfnetworking.org/display/~bdfreeman1421> - eval of SolarWinds type of attack on supply chain
> >   o Martin Jackson <https://wiki.lfnetworking.org/display/~mhjacks> - Supply chain attacks are top of mind for enterprise - this was already FUD in the enterprise space. Should discuss it head on.
>
> Maven Central has provisions for SBOMs.
>
> Would it make sense to create some guidance as to how to deploy https://github.com/CycloneDX/cyclonedx-maven-plugin in Java projects, based on which https://cyclonedx.org/use-cases/ are deemed critical?
>
> Regards,
> Robert

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
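As an added example (not code from this thread, from ONAP, or from NexusIQ), this script does the cross-reference Amy describes: it reads a CycloneDX JSON SBOM of the shape the cyclonedx-maven-plugin emits, keeps only the root component's direct dependencies from the SBOM's dependency graph, and matches each against an advisory list standing in for NVD data. The SBOM, the component coordinates and the advisory IDs are all constructed; the EXAMPLE-* identifiers are placeholders, not real CVEs.

```python
import json
# Constructed CycloneDX 1.3 JSON SBOM for a hypothetical Maven app: layout per the CycloneDX spec, coordinates made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.3",
 "metadata": {"component": {"type": "application", "bom-ref": "pkg:maven/org.example/app@1.0.0"}},
 "components": [
  {"type": "library", "bom-ref": "pkg:maven/org.example/web-utils@2.3.0", "group": "org.example",
   "name": "web-utils", "version": "2.3.0", "purl": "pkg:maven/org.example/web-utils@2.3.0"},
  {"type": "library", "bom-ref": "pkg:maven/org.example/json-parser@1.8.2", "group": "org.example",
   "name": "json-parser", "version": "1.8.2", "purl": "pkg:maven/org.example/json-parser@1.8.2"},
  {"type": "library", "bom-ref": "pkg:maven/org.example/compress-lib@3.1.0", "group": "org.example",
   "name": "compress-lib", "version": "3.1.0", "purl": "pkg:maven/org.example/compress-lib@3.1.0"}],
 "dependencies": [
  {"ref": "pkg:maven/org.example/app@1.0.0", "dependsOn": ["pkg:maven/org.example/web-utils@2.3.0",
   "pkg:maven/org.example/json-parser@1.8.2"]},
  {"ref": "pkg:maven/org.example/web-utils@2.3.0", "dependsOn": ["pkg:maven/org.example/compress-lib@3.1.0"]}]}"""

# Constructed advisories standing in for NVD/OSV data; IDs are placeholders, each range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "group": "org.example", "name": "web-utils",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.0"}]},
    {"id": "EXAMPLE-2021-0002", "group": "org.example", "name": "json-parser",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.8.0"}]},  # 1.8.2 already has the fix
    {"id": "EXAMPLE-2021-0003", "group": "org.example", "name": "compress-lib",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.2.0"}]},  # transitive only, via web-utils
]

def version_key(version):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically; non-numeric segments sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_affected(version, rng):
    return version_key(rng["introduced"]) <= version_key(version) < version_key(rng["fixed"])

def direct_dependencies(sbom):
    # bom-refs listed under the root component in the CycloneDX dependency graph
    root = sbom["metadata"]["component"]["bom-ref"]
    return {ref for dep in sbom.get("dependencies", []) if dep["ref"] == root
            for ref in dep.get("dependsOn", [])}

def find_vulnerable(sbom_text, advisories, direct_only=True):
    # Returns (purl, advisory id) pairs; direct_only mirrors the per-PTL "vulnerable direct dependencies" list
    sbom = json.loads(sbom_text)
    direct = direct_dependencies(sbom)
    findings = []
    for comp in sbom.get("components", []):
        if direct_only and comp.get("bom-ref") not in direct:
            continue
        for adv in advisories:
            if (adv["group"], adv["name"]) == (comp.get("group"), comp["name"]) and any(
                    is_affected(comp["version"], r) for r in adv["ranges"]):
                findings.append((comp["purl"], adv["id"]))
    return findings
```

With `direct_only=False` the transitive compress-lib finding is reported as well, which is the case a scan of the shipped image rather than the pom.xml is meant to catch.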