That would be great. I can work with them

15.12.2016, 18:38, "[email protected]" <[email protected]>:
> I recently discussed this topic with Veracode regarding the metron project and they mentioned there may be interest in providing free services, however they would need to work with an official project rep. If there's interest in pursuing this please let me know.
>
> On Thu, Jun 2, 2016, 21:17 [email protected] <[email protected]> wrote:
>
>> Per the other discussion it is possible that this conflicts with the Apache stance for vulnerability disclosure/management. I'm going to hold off on any additional effort until I know more.
>>
>> Jon
>>
>> On Tue, May 31, 2016, 16:07 James Sirota <[email protected]> wrote:
>>
>> Jon, would it be possible for you to scan Metron from your own branch? I'd like to know if this is useful at all. If we get value out of it I'll run this down and see how we can get it hooked up.
>>
>> 31.05.2016, 10:08, "Nick Allen" <[email protected]>:
>>> I connect Travis to my own personal fork of Metron so that the CI builds run on my own branches before I submit PRs. Thinking you could do the same with this. Maybe I'm wrong.
>>>
>>> On Tue, May 31, 2016 at 1:06 PM, [email protected] <[email protected]> wrote:
>>>
>>>> To register a project on Coverity Scan, you must be a contributor or maintainer of the project.
>>>>
>>>> It may also be worth mentioning that there are a ton of Apache projects already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See https://scan.coverity.com/projects?page=2
>>>>
>>>> Jon
>>>>
>>>> On Tue, May 31, 2016 at 12:52 PM Nick Allen <[email protected]> wrote:
>>>>
>>>>> You could set it up on your own fork of Metron in Github. Then you can tell us if it is useful at all.
>>>>>
>>>>> On Sat, May 28, 2016 at 2:36 PM, [email protected] <[email protected]> wrote:
>>>>>
>>>>>> So I did a bit of digging today and I found a few options <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).
>>>>>>
>>>>>> Here's the TL;DR of what Coverity Scan is:
>>>>>>
>>>>>> Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.
>>>>>>
>>>>>> This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.
>>>>>>
>>>>>> Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.
>>>>>>
>>>>>> Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:
>>>>>>
>>>>>> - resource leaks
>>>>>> - dereferences of NULL pointers
>>>>>> - incorrect usage of APIs
>>>>>> - use of uninitialized data
>>>>>> - memory corruptions
>>>>>> - buffer overruns
>>>>>> - control flow issues
>>>>>> - error handling issues
>>>>>> - incorrect expressions
>>>>>> - concurrency issues
>>>>>> - insecure data handling
>>>>>> - unsafe use of signed values
>>>>>> - use of resources that have been freed
>>>>>>
>>>>>> Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.
>>>>>>
>>>>>> Here are some interesting snippets from their scan user agreement:
>>>>>>
>>>>>> Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>
>>>>>>
>>>>>> You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law
>>>>>>
>>>>>> You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement
>>>>>>
>>>>>> You will not publish any findings regarding or resulting from use of the Service or the Software
>>>>>>
>>>>>> You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.
>>>>>>
>>>>>> Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.
>>>>>>
>>>>>> At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Fri, May 27, 2016 at 11:14 AM [email protected] <[email protected]> wrote:
>>>>>>
>>>>>>> There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box. I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Fri, May 27, 2016 at 9:50 AM Nick Allen <[email protected]> wrote:
>>>>>>>
>>>>>>>> I completely agree that we will need some focus on this.
>>>>>>>>
>>>>>>>> What could Travis do for us? I wasn't aware that they offered security scanning.
>>>>>>>>
>>>>>>>> Are you aware of any security scan services that offer free support to open source projects?
>>>>>>>>
>>>>>>>> On Fri, May 27, 2016 at 9:42 AM, [email protected] <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> So I've never done anything like this before in Travis but I have done IDE plugins and pre prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.
>>>>>>>>>
>>>>>>>>> I just think that if this is integrated from the beginning and fails builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.
>>>>>>>>>
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>> On Fri, May 27, 2016, 09:34 Nick Allen <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I am not aware of any discussions around this, Jon. What are you thinking?
>>>>>>>>>>
>>>>>>>>>> On Thu, May 26, 2016 at 4:35 PM, [email protected] <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)? Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Jon
>>
>> -------------------
>> Thank you,
>>
>> James Sirota
>> PPMC- Apache Metron (Incubating)
>> jsirota AT apache DOT org
>
> --
> Jon
> Sent from my mobile device

-------------------
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org
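The Travis CI addon Jon links to is wired up from `.travis.yml`; the fragment below is an added example, not from the thread or the Metron project, and the project name, notification address and build commands are placeholders. It follows Nick's suggestion of trialling on a personal fork: scans are only submitted from one dedicated branch, and the Scan upload token lives in an encrypted Travis variable rather than in the file.

```yaml
# .travis.yml fragment (added example; names below are placeholders)
language: java

env:
  global:
    # COVERITY_SCAN_TOKEN as an encrypted Travis variable, created with
    # `travis encrypt COVERITY_SCAN_TOKEN=<token>`; never commit the raw token.
    - secure: "<encrypted COVERITY_SCAN_TOKEN>"

addons:
  coverity_scan:
    project:
      name: "your-github-user/incubator-metron"   # placeholder: the fork being trialled
      description: "Build submitted via Travis CI"
    # Scan mails results here; must match the address registered with Scan.
    notification_email: "you@example.com"          # placeholder
    build_command_prepend: "mvn clean"
    # cov-build wraps this command to capture the compilation it analyses.
    build_command: "mvn -DskipTests compile"
    # Submit only from this branch, so normal PR builds are untouched and the
    # per-project submission quota is not spent on every push.
    branch_pattern: coverity_scan

# Ordinary builds still run on every branch; the addon only submits
# to Scan when the branch matches branch_pattern.
script: mvn -q test
```

The addon only uploads the build; gating on results (Jon's "fail builds on critical issues") needs a separate step that queries the Scan project's findings, which this fragment does not include.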
