Just following up on this conversation again - I have discussed this ad hoc with a few PMC members recently and wanted to bring it up on the list. Veracode has provided us with a 100% free portal to scan the Metron code with, but in order to integrate, the safest option is probably to use the ASF's Jenkins server (as I'm not aware of a safe way to automatically pass API creds to Veracode from GitHub). My long-term interest here would be to scan and clean up the code base generally, and then to try and scan PRs for concerns (non-blocking). Perhaps at some point, if we identify that these scans are actually useful and not false-positive prone/onerous, we could turn this into a blocking requirement for contributions. Being a security project, I feel that we should be doing as much as we can to ensure that what we're providing is safe.

I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins setup. It looks like Veracode has a Jenkins plugin <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>, Jenkins has a plugin for Veracode in its plugin repo <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode), the ASF supports adding plugins <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F> to their Jenkins servers (although I think <http://What_do_Administrators_do.3F> the admins are supposed to do this), and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the ASF Jenkins server. The ASF seems to support giving non-PMC committers access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to Jenkins, but it requires that the PMC chair do some work, and generally it looks like they want admins <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be involved (I also don't have access to the builds JIRA project <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).

I'm happy to play around with this and see how it could be useful, but in order to do so I need to get some additional authorization. Does anybody have any concerns with delegating this access to me, or with this general approach?

Jon

On Fri, Dec 16, 2016 at 11:39 AM James Sirota <jsir...@apache.org> wrote:
> That would be great. I can work with them
>
> 15.12.2016, 18:38, "zeo...@gmail.com" <zeo...@gmail.com>:
> > I recently discussed this topic with Veracode regarding the Metron project and they mentioned there may be interest in providing free services, however they would need to work with an official project rep. If there's interest in pursuing this please let me know.
> >
> > On Thu, Jun 2, 2016, 21:17 zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > Per the other discussion it is possible that this conflicts with the Apache stance for vulnerability disclosure/management. I'm going to hold off on any additional effort until I know more.
> > >
> > > Jon
> > >
> > > On Tue, May 31, 2016, 16:07 James Sirota <jsir...@apache.org> wrote:
> > > > Jon, would it be possible for you to scan Metron from your own branch? I'd like to know if this is useful at all. If we get value out of it I'll run this down and see how we can get it hooked up.
> > > >
> > > > 31.05.2016, 10:08, "Nick Allen" <n...@nickallen.org>:
> > > > > I connect Travis to my own personal fork of Metron so that the CI builds run on my own branches before I submit PRs. Thinking you could do the same with this. Maybe I'm wrong.
> > > > >
> > > > > On Tue, May 31, 2016 at 1:06 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > > > > To register project on Coverity Scan, you must be contributor or maintainer of the project.
> > > > > >
> > > > > > It may also be worth mentioning that there are a ton of Apache projects already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See https://scan.coverity.com/projects?page=2
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > > On Tue, May 31, 2016 at 12:52 PM Nick Allen <n...@nickallen.org> wrote:
> > > > > > > You could set it up on your own fork of Metron in GitHub. Then you can tell us if it is useful at all.
> > > > > > >
> > > > > > > On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > > > > > > So I did a bit of digging today and I found a few options <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).
> > > > > > > >
> > > > > > > > Here's the TL;DR of what Coverity Scan is:
> > > > > > > >
> > > > > > > > Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.
> > > > > > > >
> > > > > > > > This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.
> > > > > > > >
> > > > > > > > Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.
> > > > > > > >
> > > > > > > > Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:
> > > > > > > >
> > > > > > > > - resources leaks
> > > > > > > > - dereferences of NULL pointers
> > > > > > > > - incorrect usage of APIs
> > > > > > > > - use of uninitialized data
> > > > > > > > - memory corruptions
> > > > > > > > - buffer overruns
> > > > > > > > - control flow issues
> > > > > > > > - error handling issues
> > > > > > > > - incorrect expressions
> > > > > > > > - concurrency issues
> > > > > > > > - insecure data handling
> > > > > > > > - unsafe use of signed values
> > > > > > > > - use of resources that have been freed
> > > > > > > >
> > > > > > > > Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.
> > > > > > > >
> > > > > > > > Here are some interesting snippets from their scan user agreement:
> > > > > > > >
> > > > > > > > Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>
> > > > > > > >
> > > > > > > > You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law
> > > > > > > >
> > > > > > > > You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement
> > > > > > > >
> > > > > > > > You will not publish any findings regarding or resulting from use of the Service or the Software
> > > > > > > >
> > > > > > > > You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.
> > > > > > > >
> > > > > > > > Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.
> > > > > > > >
> > > > > > > > At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.
> > > > > > > >
> > > > > > > > Jon
> > > > > > > >
> > > > > > > > On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > > > > > > > There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box. I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.
> > > > > > > > >
> > > > > > > > > Jon
> > > > > > > > >
> > > > > > > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
> > > > > > > > > > I completely agree that we will need some focus on this.
> > > > > > > > > >
> > > > > > > > > > What could Travis do for us? I wasn't aware that they offered security scanning.
> > > > > > > > > >
> > > > > > > > > > Are you aware of any security scan services that offer free support to open source projects?
> > > > > > > > > >
> > > > > > > > > > On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > > > > > > > > > So I've never done anything like this before in Travis but I have done IDE plugins and pre-prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.
> > > > > > > > > > >
> > > > > > > > > > > I just think that if this is integrated from the beginning and fails builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.
> > > > > > > > > > >
> > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > > On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
> > > > > > > > > > > > I am not aware of any discussions around this, Jon. What are you thinking?
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > > > > > > > > > > > I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the Metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)? Thanks,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Jon
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Jon
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Nick Allen <n...@nickallen.org>
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Jon
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Nick Allen <n...@nickallen.org>
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Jon
> > > > > > > >
> > > > > > > > --
> > > > > > > > Jon
> > > > > > >
> > > > > > > --
> > > > > > > Nick Allen <n...@nickallen.org>
> > > > > >
> > > > > > --
> > > > > > Jon
> > > > >
> > > > > --
> > > > > Nick Allen <n...@nickallen.org>
> > > >
> > > > -------------------
> > > > Thank you,
> > > >
> > > > James Sirota
> > > > PPMC- Apache Metron (Incubating)
> > > > jsirota AT apache DOT org
> > >
> > > --
> > > Jon
> >
> > --
> > Jon
> >
> > Sent from my mobile device
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org

--
Jon