Sure, please keep exploring Veracode, I am also checking on what are their options for seamlessly scanning directly from github. I work with Fortify on a day to day basis and they have a command line client called FodUploader which potentially can be integrated with a CI system if needed and also their API has some interesting options there. The fortify on demand has a Github integration feature as well on the portal itself.
On Sat, Dec 23, 2017 at 7:32 PM, zeo...@gmail.com <zeo...@gmail.com> wrote: > Sure, not a problem. > > (1) I went to an event where a presenter from Veracode was calling out some > bugs in open source projects, and that Veracode wanted to be a part of the > solution. As such, they offered to give free analysis to open source > projects that reach out. At this point the account that I have access to > is just for the Apache Metron project, but it is possible that the > relationship could grow if it makes sense for other projects. For > instance, this <https://twitter.com/PeteChestna/status/943845893597483008 > >. > > (2) No specific reason - in the past I looked at Coverity (see below in > this thread) but was deterred from personally setting it up due to some of > their policies about who can register new scans (i.e. I was not a committer > at the time I believe, and that level of involvement was requested). I > have used Veracode in the past, along with others (AppScan, Fortify, etc.), > and had a good experience albeit in a very different setting than this. I > would be more than happy to play around with any of these kinds of services > and no affinity to one or the other, but right now the only thing I > actually have access to is Veracode and free options like Coverity. > > Veracode is a proprietary cloud-hosted platform that has dynamic and static > scan offerings, and they have various integrations > <https://community.veracode.com/s/integrations> with build systems (maven, > Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.). They also > appear to have opened up their training materials > <https://community.veracode.com/s/education-and-training>, which are handy > to point to from time to time. I've worked with it in the past and things > largely seem to work as you would expect, although it has been 5 years > since I really used their products regularly. > > (3) I have been manually making submissions dating back to 2017-02-13, but > because the file transfer is uploaded from my home Internet (upload speeds > of ~6Mbps), it takes quite a while and so I don't do it very frequently. > Usually just around releases. > > Jon > > On Sat, Dec 23, 2017 at 11:13 AM Nick Allen <n...@nickallen.org> wrote: > > > > Veracode has provided us with a 100% free portal to scan the Metron > code > > with, but in order to integrate, the safest option is probably to use the > > ASF's jenkins server > > > > (1) Can you describe this more? How has this been provided? Is this > for > > all Apache projects; just Metron? Was this based on a relationship you > > have within CA? > > > > > > (2) Why Veracode? Can you describe this platform more? Is it open > source > > or proprietary? Why is this better than alternatives? > > > > > > (3) I have no objection to experimenting with the service to see if it > > provides actionable results, but is there no simpler way to do this? It > > doesn't seem like we should have to mess with a bunch of Apache > > infrastructure to see if the service works at a basic level. Can't we > > manually submit master and/or previous releases to Veracode to see if we > > get actionable results? > > > > > > > > > > > > On Thu, Dec 21, 2017 at 10:48 AM, zeo...@gmail.com <zeo...@gmail.com> > > wrote: > > > > > Just following up on this conversation again - > > > > > > I have discussed this ad-hoc with a few PMC members recently and wanted > > to > > > bring it up on the list. Veracode has provided us with a 100% free > > portal > > > to scan the Metron code with, but in order to integrate, the safest > > option > > > is probably to use the ASF's jenkins server (as I'm not aware of a safe > > way > > > to automatically pass API creds to Veracode from GitHub). My long-term > > > interest here would be to scan and clean up the code base generally, > and > > > then to try and scan PRs for concerns (non-blocking). Perhaps at some > > > point, if we identify that these scans are actually useful and not > > > false-positive prone/onerous, we could turn this into a blocking > > > requirement for contributions. Being a security project, I feel that > we > > > should be doing as much as we can to ensure that what we're providing > is > > > safe. > > > > > > I looked briefly at the Veracode Jenkins integrations, and the ASF > > Jenkins > > > setup. It looks like Veracode has a Jenkins plugin > > > <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/ > > > _4G8gT1rhWMgVVtCI1C57A>, > > > Jenkins has a plugin for Veracode in its plugin repo > > > <https://plugins.jenkins.io/veracode-scanner> (not supported by > > Veracode), > > > the ASF supports adding plugins > > > <https://wiki.apache.org/general/Jenkins#How_do_I_ > > > install_a_new_Jenkins_plugin.3F> > > > to their Jenkins servers (although I think > > > <http://What_do_Administrators_do.3F> the admins are supposed to do > > this), > > > and Metron is not yet set up <https://builds.apache.org/view/M-R/> on > > the > > > ASF Jenkins server. The ASF seems to support giving non-PMC committers > > > access <https://wiki.apache.org/general/Jenkins#How_do_I_get_ > an_account> > > > to > > > Jenkins, but it requires that the PMC chair do some work, and generally > > it > > > looks like they want admins > > > <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC > > > <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be > > > involved (I also don't have access to the builds JIRA project > > > <https://issues.apache.org/jira/projects/BUILDS>, if it really > exists). > > > > > > I'm happy to play around with this and see how it could be useful, but > in > > > order to do so I need to get some additional authorization. Does > anybody > > > have any concerns with delegating this access to me, or with this > general > > > approach? > > > > > > Jon > > > > > > On Fri, Dec 16, 2016 at 11:39 AM James Sirota <jsir...@apache.org> > > wrote: > > > > > > > That would be great. I can work with them > > > > > > > > 15.12.2016, 18:38, "zeo...@gmail.com" <zeo...@gmail.com>: > > > > > I recently discussed this topic with Veracode regarding the metron > > > > project > > > > > and they mentioned there may be interest in providing free > services, > > > > > however they would need to work with an official project rep. If > > > there's > > > > > interest in pursuing this please let me know. > > > > > > > > > > On Thu, Jun 2, 2016, 21:17 zeo...@gmail.com <zeo...@gmail.com> > > wrote: > > > > > > > > > >> Per the other discussion it is possible that this conflicts with > > the > > > > >> Apache stance for vulnerability disclosure/management. I'm going > to > > > > hold > > > > >> off on any additional effort until I know more. > > > > >> > > > > >> Jon > > > > >> > > > > >> On Tue, May 31, 2016, 16:07 James Sirota <jsir...@apache.org> > > wrote: > > > > >> > > > > >> Jon, would it be possible for you to scan Metron from your own > > > branch? > > > > >> I'd like to know if this is useful at all. If we get value out of > > it > > > > I'll > > > > >> run this down and see how we can get it hooked up. > > > > >> > > > > >> 31.05.2016, 10:08, "Nick Allen" <n...@nickallen.org>: > > > > >> > I connect Travis to my own personal fork of Metron so that the > CI > > > > builds > > > > >> > run on my own branches before I submit PRs. Thinking you could > do > > > the > > > > >> same > > > > >> > with this. Maybe I'm wrong. > > > > >> > > > > > >> > On Tue, May 31, 2016 at 1:06 PM, zeo...@gmail.com < > > > zeo...@gmail.com> > > > > >> wrote: > > > > >> > > > > > >> >> To register project on Coverity Scan, you must be contributor > or > > > > >> maintainer > > > > >> >> of the project. > > > > >> >> > > > > >> >> It may also be worth mentioning that there are a ton of Apache > > > > projects > > > > >> >> already registered, including Ambari, Drill, Flume, Hadoop, > > HBase, > > > > >> NiFi, > > > > >> >> Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See > > > > >> >> https://scan.coverity.com/projects?page=2 > > > > >> >> > > > > >> >> Jon > > > > >> >> > > > > >> >> On Tue, May 31, 2016 at 12:52 PM Nick Allen < > n...@nickallen.org > > > > > > > >> wrote: > > > > >> >> > > > > >> >> > You could set it up on your own fork of Metron in Github. > Then > > > you > > > > >> can > > > > >> >> > tell us if it is useful at all. > > > > >> >> > > > > > >> >> > On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com < > > > > zeo...@gmail.com> > > > > >> >> > wrote: > > > > >> >> > > > > > >> >> > > So I did a bit of digging today and I found a few op > > > > >> >> > > <https://en.wikipedia.org/wiki/PMD_(software)>tions, but > so > > > > far my > > > > >> >> > > favourite is Coverity Scan <https://scan.coverity.com/ > > > travis_ci > > > > >. > > > > >> >> I've > > > > >> >> > > never used this product before, so I'm not exactly sure > what > > > to > > > > >> expect, > > > > >> >> > but > > > > >> >> > > I guess anyone can kick off a scan of an open source > project > > > and > > > > >> get > > > > >> >> > > results within 48 hours. I was in the process of > registering > > > > >> Metron to > > > > >> >> > be > > > > >> >> > > scanned but I found some things in their scan user > agreement > > > > which > > > > >> I > > > > >> >> > wasn't > > > > >> >> > > sure everybody would be in line with (see below for the > > > > excerpts - > > > > >> >> note I > > > > >> >> > > did NOT read the entire document and IANAL). > > > > >> >> > > > > > > >> >> > > Here's the TL;DR of what Coverity Scan is: > > > > >> >> > > > > > > >> >> > > Coverity Scan <http://scan.coverity.com/> is a free > static > > > code > > > > >> >> analysis > > > > >> >> > > tool for Java, C, C++, C# and JavaScript. > > > > >> >> > > > > > > >> >> > > This addon leverages the Travis-CI infrastructure to > > > > automatically > > > > >> run > > > > >> >> > code > > > > >> >> > > analysis on your GitHub projects. > > > > >> >> > > > > > > >> >> > > Coverity Scan is a service by which Coverity provides the > > > > results > > > > >> of > > > > >> >> > > analysis on open source coding projects to open source > code > > > > >> developers > > > > >> >> > that > > > > >> >> > > have registered their products with Coverity Scan. > > > > >> >> > > > > > > >> >> > > Some examples of defects and vulnerabilities found by > > Coverity > > > > >> Quality > > > > >> >> > > Advisor include: > > > > >> >> > > > > > > >> >> > > - resources leaks > > > > >> >> > > - dereferences of NULL pointers > > > > >> >> > > - incorrect usage of APIs > > > > >> >> > > - use of uninitialized data > > > > >> >> > > - memory corruptions > > > > >> >> > > - buffer overruns > > > > >> >> > > - control flow issues > > > > >> >> > > - error handling issues > > > > >> >> > > - incorrect expressions > > > > >> >> > > - concurrency issues > > > > >> >> > > - insecure data handling > > > > >> >> > > - unsafe use of signed values > > > > >> >> > > - use of resources that have been freed > > > > >> >> > > > > > > >> >> > > Register your project with Coverity Scan by completing the > > > > project > > > > >> >> > > registration form found at scan.coverity.com. Upon your > > > > >> completion of > > > > >> >> > > project registration (including acceptance of the Scan > User > > > > >> Agreement) > > > > >> >> > and > > > > >> >> > > your receipt of confirmation of registration of your > > project, > > > > you > > > > >> will > > > > >> >> be > > > > >> >> > > able to download the Software required to submit a build > of > > > your > > > > >> code > > > > >> >> for > > > > >> >> > > analysis by Coverity Scan. You may then download the > > Software, > > > > >> >> complete a > > > > >> >> > > build and submit your Registered Project build for > analysis > > > and > > > > >> review > > > > >> >> in > > > > >> >> > > Coverity Scan. Coverity Scan is only available for use > with > > > open > > > > >> source > > > > >> >> > > projects that are registered with Coverity Scan. > > > > >> >> > > Here are some interesting snippets from their scan user > > > > agreement: > > > > >> >> > > > > > > >> >> > > Your use of our software is acceptance of our Terms > > > > >> >> > > <https://scan.coverity.com/policy> > > > > >> >> > > > > > > >> >> > > You will not disassemble, decompile, reverse engineer, > > modify > > > or > > > > >> create > > > > >> >> > > derivative works of Our Service, software products or > > > > >> documentation nor > > > > >> >> > > permit any third party to do so, except to the extent such > > > > >> restrictions > > > > >> >> > are > > > > >> >> > > prohibited by applicable mandatory local law > > > > >> >> > > > > > > >> >> > > You will not disclose to any third party any comparison of > > the > > > > >> results > > > > >> >> of > > > > >> >> > > operation of Our Service or software products with other > > > > services > > > > >> or > > > > >> >> > > products, except as expressly permitted by this Agreement > > > > >> >> > > > > > > >> >> > > You will not publish any findings regarding or resulting > > from > > > > use > > > > >> of > > > > >> >> the > > > > >> >> > > Service or the Software > > > > >> >> > > > > > > >> >> > > You agree that We may use Your name and logo (in a form > > > > approved by > > > > >> >> You) > > > > >> >> > > and Registered Product information to identify You and > such > > > > >> project as > > > > >> >> a > > > > >> >> > > participant of Our Scan Program on Our website or in Our > > > > marketing > > > > >> or > > > > >> >> > > publicity materials or in any filings made in connection > > with > > > > >> state or > > > > >> >> > > federal securities laws. > > > > >> >> > > > > > > >> >> > > Additionally, upon execution of this Agreement, the > parties > > > will > > > > >> use > > > > >> >> > > commercially reasonable efforts to issue mutually agreed > > upon > > > > joint > > > > >> >> press > > > > >> >> > > releases or other public communications announcing Your > > entry > > > > into > > > > >> this > > > > >> >> > > Agreement. > > > > >> >> > > > > > > >> >> > > At Our written request, You will furnish Us with (a) a > > > > >> certification > > > > >> >> > signed > > > > >> >> > > by an officer of Your company providing user or access > > > > information > > > > >> that > > > > >> >> > > identifies whether the Service and the Software is being > > used > > > in > > > > >> >> > accordance > > > > >> >> > > with the terms of this Agreement, and (b) log files from > any > > > > >> License > > > > >> >> > > Manager. Upon at least thirty (30) days prior written > > notice, > > > We > > > > >> may > > > > >> >> > > engage, at Our expense, an independent auditor to audit > Your > > > use > > > > >> of the > > > > >> >> > > Service and the Software to ensure that You are in > > compliance > > > > with > > > > >> the > > > > >> >> > > terms of this Agreement. ... You will provide the auditor > > with > > > > >> access > > > > >> >> to > > > > >> >> > > the relevant records and facilities. > > > > >> >> > > > > > > >> >> > > Jon > > > > >> >> > > > > > > >> >> > > On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com < > > > > >> zeo...@gmail.com> > > > > >> >> > > wrote: > > > > >> >> > > > > > > >> >> > > > There's nothing built-in with Travis, but we could > > install a > > > > >> tool to > > > > >> >> do > > > > >> >> > > > this as part of the installation of tools on the build > > box. > > > > I'm > > > > >> >> gonna > > > > >> >> > > > reach out to people in my local circle who specialize in > > > > secure > > > > >> code > > > > >> >> > > > analysis and see what all of the options are. > > > > >> >> > > > > > > > >> >> > > > Jon > > > > >> >> > > > > > > > >> >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen < > > > > n...@nickallen.org> > > > > >> >> wrote: > > > > >> >> > > > > > > > >> >> > > >> I completely agree that we will need some focus on > this. > > > > >> >> > > >> > > > > >> >> > > >> What could Travis do for us? I wasn't aware that they > > > offered > > > > >> >> > security > > > > >> >> > > >> scanning. > > > > >> >> > > >> > > > > >> >> > > >> Are you aware of any security scan services that offer > > free > > > > >> support > > > > >> >> to > > > > >> >> > > >> open > > > > >> >> > > >> source projects? > > > > >> >> > > >> > > > > >> >> > > >> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com < > > > > >> zeo...@gmail.com > > > > >> >> > > > > > >> >> > > >> wrote: > > > > >> >> > > >> > > > > >> >> > > >> > So I've never done anything like this before in > Travis > > > but > > > > I > > > > >> have > > > > >> >> > done > > > > >> >> > > >> IDE > > > > >> >> > > >> > plugins and pre prod scans in the past at large > > companies > > > > >> which > > > > >> >> > worked > > > > >> >> > > >> > well. I floated the idea past a friend working at > > Travis > > > > and > > > > >> she > > > > >> >> > said > > > > >> >> > > >> if > > > > >> >> > > >> > we go that route she would assist. > > > > >> >> > > >> > > > > > >> >> > > >> > I just think that if this is integrated from the > > > beginning > > > > and > > > > >> >> fail > > > > >> >> > > >> builds > > > > >> >> > > >> > on critical issues (to start), this could be a big > > > > >> differentiator, > > > > >> >> > > >> > especially because we're talking about a security > > > platform > > > > >> that > > > > >> >> > > >> centralizes > > > > >> >> > > >> > tons of sensitive information, tries to parse almost > > > > anything > > > > >> >> that's > > > > >> >> > > >> thrown > > > > >> >> > > >> > at it (think of what's been happening to AV products > > > > >> recently), > > > > >> >> and > > > > >> >> > is > > > > >> >> > > >> open > > > > >> >> > > >> > source for bad guys to dig into much more easily. > > > > >> >> > > >> > > > > > >> >> > > >> > Jon > > > > >> >> > > >> > > > > > >> >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen < > > > n...@nickallen.org > > > > > > > > > >> >> wrote: > > > > >> >> > > >> > > > > > >> >> > > >> > > I am not aware of any discussions around this, Jon. > > > What > > > > are > > > > >> >> you > > > > >> >> > > >> > thinking? > > > > >> >> > > >> > > > > > > >> >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com > < > > > > >> >> > zeo...@gmail.com > > > > >> >> > > > > > > > >> >> > > >> > > wrote: > > > > >> >> > > >> > > > > > > >> >> > > >> > > > I was just wondering if there is any sort of > static > > > (or > > > > >> even > > > > >> >> > > >> dynamic) > > > > >> >> > > >> > > code > > > > >> >> > > >> > > > analysis, or penetrating testing/vulnerability > > > > assessment, > > > > >> >> > > >> occurring at > > > > >> >> > > >> > > any > > > > >> >> > > >> > > > point on the metron code. Has there been any > > > > discussion of > > > > >> >> > > >> installing > > > > >> >> > > >> > > > something along those lines on the Travis build > > > server > > > > >> (if it > > > > >> >> > > isn't > > > > >> >> > > >> > there > > > > >> >> > > >> > > > already)? Thanks, > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > Jon > > > > >> >> > > >> > > > -- > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > Jon > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > -- > > > > >> >> > > >> > > Nick Allen <n...@nickallen.org> > > > > >> >> > > >> > > > > > > >> >> > > >> > -- > > > > >> >> > > >> > > > > > >> >> > > >> > Jon > > > > >> >> > > >> > > > > > >> >> > > >> > > > > >> >> > > >> > > > > >> >> > > >> > > > > >> >> > > >> -- > > > > >> >> > > >> Nick Allen <n...@nickallen.org> > > > > >> >> > > >> > > > > >> >> > > > -- > > > > >> >> > > > > > > > >> >> > > > Jon > > > > >> >> > > > > > > > >> >> > > -- > > > > >> >> > > > > > > >> >> > > Jon > > > > >> >> > > > > > > >> >> > > > > > >> >> > > > > > >> >> > > > > > >> >> > -- > > > > >> >> > Nick Allen <n...@nickallen.org> > > > > >> >> > > > > > >> >> -- > > > > >> >> > > > > >> >> Jon > > > > >> > > > > > >> > -- > > > > >> > Nick Allen <n...@nickallen.org> > > > > >> > > > > >> ------------------- > > > > >> Thank you, > > > > >> > > > > >> James Sirota > > > > >> PPMC- Apache Metron (Incubating) > > > > >> jsirota AT apache DOT org > > > > >> > > > > >> -- > > > > >> > > > > >> Jon > > > > > -- > > > > > > > > > > Jon > > > > > > > > > > Sent from my mobile device > > > > > > > > ------------------- > > > > Thank you, > > > > > > > > James Sirota > > > > PPMC- Apache Metron (Incubating) > > > > jsirota AT apache DOT org > > > > > > > -- > > > > > > Jon > > > > > > -- > > Jon > -- Regards, Nadir Hajiyani
