> Veracode has provided us with a 100% free portal to scan the Metron code
with, but in order to integrate, the safest option is probably to use the
ASF's jenkins server

(1) Can you describe this more?   How has this been provided?  Is this for
all Apache projects; just Metron?  Was this based on a relationship you
have within CA?


(2) Why Veracode?  Can you describe this platform more?  Is it open source
or proprietary?  Why is this better than alternatives?


(3) I have no objection to experimenting with the service to see if it
provides actionable results, but is there no simpler way to do this?  It
doesn't seem like we should have to mess with a bunch of Apache
infrastructure to see if the service works at a basic level.  Can't we
manually submit master and/or previous releases to Veracode to see if we
get actionable results?
On Thu, Dec 21, 2017 at 10:48 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:

> Just following up on this conversation again -
>
> I have discussed this ad-hoc with a few PMC members recently and wanted to
> bring it up on the list.  Veracode has provided us with a 100% free portal
> to scan the Metron code with, but in order to integrate, the safest option
> is probably to use the ASF's jenkins server (as I'm not aware of a safe way
> to automatically pass API creds to Veracode from GitHub).  My long-term
> interest here would be to scan and clean up the code base generally, and
> then to try and scan PRs for concerns (non-blocking).  Perhaps at some
> point, if we identify that these scans are actually useful and not
> false-positive prone/onerous, we could turn this into a blocking
> requirement for contributions.  Being a security project, I feel that we
> should be doing as much as we can to ensure that what we're providing is
> safe.
>
> I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
> setup.  It looks like Veracode has a Jenkins plugin
> <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
> Jenkins has a plugin for Veracode in its plugin repo
> <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
> the ASF supports adding plugins
> <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
> to their Jenkins servers (although I think
> <http://What_do_Administrators_do.3F> the admins are supposed to do this),
> and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
> ASF Jenkins server.  The ASF seems to support giving non-PMC committers
> access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
> Jenkins, but it requires that the PMC chair do some work, and generally it
> looks like they want admins
> <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
> <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
> involved (I also don't have access to the builds JIRA project
> <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).
>
> I'm happy to play around with this and see how it could be useful, but in
> order to do so I need to get some additional authorization.  Does anybody
> have any concerns with delegating this access to me, or with this general
> approach?
>
> Jon
>
> On Fri, Dec 16, 2016 at 11:39 AM James Sirota <jsir...@apache.org> wrote:
>
> > That would be great. I can work with them
> >
> > 15.12.2016, 18:38, "zeo...@gmail.com" <zeo...@gmail.com>:
> > > I recently discussed this topic with Veracode regarding the metron project
> > > and they mentioned there may be interest in providing free services,
> > > however they would need to work with an official project rep. If there's
> > > interest in pursuing this please let me know.
> > >
> > > On Thu, Jun 2, 2016, 21:17 zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >
> > >>  Per the other discussion it is possible that this conflicts with the
> > >>  Apache stance for vulnerability disclosure/management. I'm going to hold
> > >>  off on any additional effort until I know more.
> > >>
> > >>  Jon
> > >>
> > >>  On Tue, May 31, 2016, 16:07 James Sirota <jsir...@apache.org> wrote:
> > >>
> > >>  Jon, would it be possible for you to scan Metron from your own branch?
> > >>  I'd like to know if this is useful at all. If we get value out of it I'll
> > >>  run this down and see how we can get it hooked up.
> > >>
> > >>  31.05.2016, 10:08, "Nick Allen" <n...@nickallen.org>:
> > >>  > I connect Travis to my own personal fork of Metron so that the CI builds
> > >>  > run on my own branches before I submit PRs. Thinking you could do the same
> > >>  > with this. Maybe I'm wrong.
> > >>  >
> > >>  > On Tue, May 31, 2016 at 1:06 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >>  >
> > >>  >> To register project on Coverity Scan, you must be contributor or maintainer
> > >>  >> of the project.
> > >>  >>
> > >>  >> It may also be worth mentioning that there are a ton of Apache projects
> > >>  >> already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi,
> > >>  >> Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
> > >>  >> https://scan.coverity.com/projects?page=2
> > >>  >>
> > >>  >> Jon
> > >>  >>
> > >>  >> On Tue, May 31, 2016 at 12:52 PM Nick Allen <n...@nickallen.org> wrote:
> > >>  >>
> > >>  >> > You could set it up on your own fork of Metron in Github. Then you can
> > >>  >> > tell us if it is useful at all.
> > >>  >> >
> > >>  >> > On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >>  >> >
> > >>  >> > > So I did a bit of digging today and I found a few options
> > >>  >> > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> > >>  >> > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've
> > >>  >> > > never used this product before, so I'm not exactly sure what to expect,
> > >>  >> > > but I guess anyone can kick off a scan of an open source project and get
> > >>  >> > > results within 48 hours. I was in the process of registering Metron to be
> > >>  >> > > scanned but I found some things in their scan user agreement which I wasn't
> > >>  >> > > sure everybody would be in line with (see below for the excerpts - note I
> > >>  >> > > did NOT read the entire document and IANAL).
> > >>  >> > >
> > >>  >> > > Here's the TL;DR of what Coverity Scan is:
> > >>  >> > >
> > >>  >> > > Coverity Scan <http://scan.coverity.com/> is a free static code analysis
> > >>  >> > > tool for Java, C, C++, C# and JavaScript.
> > >>  >> > >
> > >>  >> > > This addon leverages the Travis-CI infrastructure to automatically run
> > >>  >> > > code analysis on your GitHub projects.
> > >>  >> > >
> > >>  >> > > Coverity Scan is a service by which Coverity provides the results of
> > >>  >> > > analysis on open source coding projects to open source code developers that
> > >>  >> > > have registered their products with Coverity Scan.
> > >>  >> > >
> > >>  >> > > Some examples of defects and vulnerabilities found by Coverity Quality
> > >>  >> > > Advisor include:
> > >>  >> > >
> > >>  >> > > - resources leaks
> > >>  >> > > - dereferences of NULL pointers
> > >>  >> > > - incorrect usage of APIs
> > >>  >> > > - use of uninitialized data
> > >>  >> > > - memory corruptions
> > >>  >> > > - buffer overruns
> > >>  >> > > - control flow issues
> > >>  >> > > - error handling issues
> > >>  >> > > - incorrect expressions
> > >>  >> > > - concurrency issues
> > >>  >> > > - insecure data handling
> > >>  >> > > - unsafe use of signed values
> > >>  >> > > - use of resources that have been freed
> > >>  >> > >
> > >>  >> > > Register your project with Coverity Scan by completing the project
> > >>  >> > > registration form found at scan.coverity.com. Upon your completion of
> > >>  >> > > project registration (including acceptance of the Scan User Agreement) and
> > >>  >> > > your receipt of confirmation of registration of your project, you will be
> > >>  >> > > able to download the Software required to submit a build of your code for
> > >>  >> > > analysis by Coverity Scan. You may then download the Software, complete a
> > >>  >> > > build and submit your Registered Project build for analysis and review in
> > >>  >> > > Coverity Scan. Coverity Scan is only available for use with open source
> > >>  >> > > projects that are registered with Coverity Scan.
> > >>  >> > >
> > >>  >> > > Here are some interesting snippets from their scan user agreement:
> > >>  >> > >
> > >>  >> > > Your use of our software is acceptance of our Terms
> > >>  >> > > <https://scan.coverity.com/policy>
> > >>  >> > >
> > >>  >> > > You will not disassemble, decompile, reverse engineer, modify or create
> > >>  >> > > derivative works of Our Service, software products or documentation nor
> > >>  >> > > permit any third party to do so, except to the extent such restrictions are
> > >>  >> > > prohibited by applicable mandatory local law
> > >>  >> > >
> > >>  >> > > You will not disclose to any third party any comparison of the results of
> > >>  >> > > operation of Our Service or software products with other services or
> > >>  >> > > products, except as expressly permitted by this Agreement
> > >>  >> > >
> > >>  >> > > You will not publish any findings regarding or resulting from use of the
> > >>  >> > > Service or the Software
> > >>  >> > >
> > >>  >> > > You agree that We may use Your name and logo (in a form approved by You)
> > >>  >> > > and Registered Product information to identify You and such project as a
> > >>  >> > > participant of Our Scan Program on Our website or in Our marketing or
> > >>  >> > > publicity materials or in any filings made in connection with state or
> > >>  >> > > federal securities laws.
> > >>  >> > >
> > >>  >> > > Additionally, upon execution of this Agreement, the parties will use
> > >>  >> > > commercially reasonable efforts to issue mutually agreed upon joint press
> > >>  >> > > releases or other public communications announcing Your entry into this
> > >>  >> > > Agreement.
> > >>  >> > >
> > >>  >> > > At Our written request, You will furnish Us with (a) a certification signed
> > >>  >> > > by an officer of Your company providing user or access information that
> > >>  >> > > identifies whether the Service and the Software is being used in accordance
> > >>  >> > > with the terms of this Agreement, and (b) log files from any License
> > >>  >> > > Manager. Upon at least thirty (30) days prior written notice, We may
> > >>  >> > > engage, at Our expense, an independent auditor to audit Your use of the
> > >>  >> > > Service and the Software to ensure that You are in compliance with the
> > >>  >> > > terms of this Agreement. ... You will provide the auditor with access to
> > >>  >> > > the relevant records and facilities.
> > >>  >> > >
> > >>  >> > > Jon
> > >>  >> > >
> > >>  >> > > On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >>  >> > >
> > >>  >> > > > There's nothing built-in with Travis, but we could install a tool to do
> > >>  >> > > > this as part of the installation of tools on the build box. I'm gonna
> > >>  >> > > > reach out to people in my local circle who specialize in secure code
> > >>  >> > > > analysis and see what all of the options are.
> > >>  >> > > >
> > >>  >> > > > Jon
> > >>  >> > > >
> > >>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
> > >>  >> > > >
> > >>  >> > > >> I completely agree that we will need some focus on this.
> > >>  >> > > >>
> > >>  >> > > >> What could Travis do for us? I wasn't aware that they offered security
> > >>  >> > > >> scanning.
> > >>  >> > > >>
> > >>  >> > > >> Are you aware of any security scan services that offer free support to
> > >>  >> > > >> open source projects?
> > >>  >> > > >>
> > >>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >>  >> > > >>
> > >>  >> > > >> > So I've never done anything like this before in Travis but I have done
> > >>  >> > > >> > IDE plugins and pre prod scans in the past at large companies which worked
> > >>  >> > > >> > well. I floated the idea past a friend working at Travis and she said if
> > >>  >> > > >> > we go that route she would assist.
> > >>  >> > > >> >
> > >>  >> > > >> > I just think that if this is integrated from the beginning and fail builds
> > >>  >> > > >> > on critical issues (to start), this could be a big differentiator,
> > >>  >> > > >> > especially because we're talking about a security platform that centralizes
> > >>  >> > > >> > tons of sensitive information, tries to parse almost anything that's thrown
> > >>  >> > > >> > at it (think of what's been happening to AV products recently), and is open
> > >>  >> > > >> > source for bad guys to dig into much more easily.
> > >>  >> > > >> >
> > >>  >> > > >> > Jon
> > >>  >> > > >> >
> > >>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
> > >>  >> > > >> >
> > >>  >> > > >> > > I am not aware of any discussions around this, Jon. What are you
> > >>  >> > > >> > > thinking?
> > >>  >> > > >> > >
> > >>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >>  >> > > >> > >
> > >>  >> > > >> > > > I was just wondering if there is any sort of static (or even dynamic)
> > >>  >> > > >> > > > code analysis, or penetration testing/vulnerability assessment, occurring
> > >>  >> > > >> > > > at any point on the metron code. Has there been any discussion of
> > >>  >> > > >> > > > installing something along those lines on the Travis build server (if it
> > >>  >> > > >> > > > isn't there already)? Thanks,
> > >>  >> > > >> > > >
> > >>  >> > > >> > > > Jon
> > >>  >> > > >> > > > --
> > >>  >> > > >> > > >
> > >>  >> > > >> > > > Jon
> > >>  >> > > >> > > >
> > >>  >> > > >> > >
> > >>  >> > > >> > > --
> > >>  >> > > >> > > Nick Allen <n...@nickallen.org>
> > >>  >> > > >> > >
> > >>  >> > > >> > --
> > >>  >> > > >> >
> > >>  >> > > >> > Jon
> > >>  >> > > >> >
> > >>  >> > > >>
> > >>  >> > > >> --
> > >>  >> > > >> Nick Allen <n...@nickallen.org>
> > >>  >> > > >>
> > >>  >> > > > --
> > >>  >> > > >
> > >>  >> > > > Jon
> > >>  >> > > >
> > >>  >> > > --
> > >>  >> > >
> > >>  >> > > Jon
> > >>  >> > >
> > >>  >> >
> > >>  >> > --
> > >>  >> > Nick Allen <n...@nickallen.org>
> > >>  >> >
> > >>  >> --
> > >>  >>
> > >>  >> Jon
> > >>  >
> > >>  > --
> > >>  > Nick Allen <n...@nickallen.org>
> > >>
> > >>  -------------------
> > >>  Thank you,
> > >>
> > >>  James Sirota
> > >>  PPMC- Apache Metron (Incubating)
> > >>  jsirota AT apache DOT org
> > >>
> > >>  --
> > >>
> > >>  Jon
> > > --
> > >
> > > Jon
> > >
> > > Sent from my mobile device
> >
> > -------------------
> > Thank you,
> >
> > James Sirota
> > PPMC- Apache Metron (Incubating)
> > jsirota AT apache DOT org
> >
> --
>
> Jon
>