On 12/19/2016 04:49 PM, Luke Hinds wrote:


On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren <tapio.tallg...@nokia.com> wrote:

    Luke,

    Since you are checking for binary files (point 2), will you also
    check all checkouts from version control systems (like git)? I
    would like all of these to pull in explicit versions (as opposed
    to main), since otherwise you will have no idea what you are building.


Is this a case of opnfv code / scripts that clone in an external repo? If you could give me an example case to help understand.

I meant this code:

    #! /usr/bin/bash
    set -e   # stop at the first failure instead of running make in the wrong directory
    # Clones whatever the default branch points at today: no commit or tag is
    # pinned, so two runs of this script can build (and install) different code.
    git clone https://github.com/tapiot/innocent_code.git
    cd innocent_code
    make
    sudo make install

The innocent_code is totally harmless and you can inspect it. However, one day I may make a mistake in my code repository.

-Tapio




    We also have a similar problem with external repositories: if you
    install Linux packages from an external repository, you again have
    a risk that there are random changes to what is installed. This is
    fortunately mostly relevant for installers.


Understood, there is not much I believe we can do here in respect of this work item.


    -Tapio




    On 12/19/2016 03:28 PM, Luke Hinds wrote:
    Hi Yujun,

    I would need Fatih to comment as I am not that up to speed on CI.
    The following is an albeit incomplete example of how we will wire
    this in:

    https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

    Regards,

    Luke

    On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <zhangyujun+...@gmail.com> wrote:

        Luke,

        I remember that Fatih once mentioned that there are no gates
        in OPNFV CI yet. So you are talking about some additional
        verification jobs enforced on each commit. Or it is something
        like the current daily/weekly job.

        Could you help to clarify it?

        On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <lhi...@redhat.com> wrote:

            Hi,

            Myself and Ash with help from Fatih are currently
            prototyping some new gates we plan to phase in over time.

            The idea is that each commit made to an OPNFV repo will
            perform some checks.

            1. Search for any strings containing passwords, ssh / tls
            certs and other stuff we don't want sitting around in
            repos to then be scooped up for a release.

            2. Search out any binaries. We need to be very strict
            over what compiled binaries are packaged in release (if
            any at all), as a binary could be compromised (without
            the knowledge of the project itself).

            3. Security lint checks. Code will be searched for
            patterns such as shell executions, xss flaws etc and
            reports linked within the gate.

            The plan is to have 1,2 as voting (-1 / +1) and 3
            initially as a guide for projects, with the support of
            the security group, if needed.

            For both 1,2 we will maintain a waiver / exception list.
            This means that if no threat is shown to be present, an
            ignore entry can be made for a single project. The gate
            will then allow the said string, file etc to pass with no
            vote.

            Initially we are working with a sandbox project, so
            expect no interruptions at all. From there we will start
            to bring projects over, so they will be aware ahead of
            any changes implemented that will affect them.

            Cheers,

            Luke
            _______________________________________________
            opnfv-security mailing list
            opnfv-secur...@lists.opnfv.org
            https://lists.opnfv.org/mailman/listinfo/opnfv-security




--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483


    _______________________________________________
    opnfv-tech-discuss mailing list
    opnfv-tech-discuss@lists.opnfv.org
    https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss



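As an added example (not code from this thread and not OPNFV's releng job), the shell below sketches the two voting checks from Luke's list, the per-file waiver list he describes, and a pinned-clone helper for Tapio's point about scripts that clone whatever the default branch points at. The function names, the waiver file format (one repo-relative path per line), the short secret pattern list and the NUL-in-first-8000-bytes binary heuristic are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not OPNFV releng code. Function names, the waiver file format
# and the pattern list are assumptions made for this illustration.

# ---- Pinned checkouts (Tapio's point) --------------------------------------
# A pin only means something if it is a full commit hash: a branch or tag name
# can be moved to different content later, a 40-hex-digit SHA-1 cannot.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Clone $1 into $2 and check out commit $3, then refuse to proceed unless HEAD
# really is that commit. Needs git; the build steps would run after this.
pinned_clone() {
  url=$1; dir=$2; want=$3
  is_full_sha "$want" || { echo "refusing: '$want' is not a full commit hash" >&2; return 2; }
  git clone --quiet "$url" "$dir" || return 1
  git -C "$dir" checkout --quiet "$want" || return 1
  got=$(git -C "$dir" rev-parse HEAD)
  [ "$got" = "$want" ] || { echo "HEAD is $got, expected $want" >&2; return 1; }
}

# ---- Gate checks 1 and 2 (Luke's list) --------------------------------------
# Check 1: strings that should never sit in a repo. Constructed, short list for
# the example; a real gate carries a longer, tuned one (extended regex, '|'-joined).
SECRET_PATTERNS='[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:]]+|-----BEGIN [A-Z ]*PRIVATE KEY-----|[Ss]ecret[_-]?[Kk]ey[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# Check 2: a file is treated as binary when its first 8000 bytes contain a NUL
# byte, the same heuristic git uses when deciding whether to show a diff.
is_binary() {
  total=$(head -c 8000 "$1" | wc -c)
  nonnul=$(head -c 8000 "$1" | tr -d '\000' | wc -c)
  [ "$((total))" -ne "$((nonnul))" ]
}

# Waiver / exception list: one repo-relative path per line, '#' for comments.
# An entry means the file was reviewed and no threat was found, so it passes
# without a vote.
is_waived() {
  [ -f "$2" ] || return 1
  grep -v '^#' "$2" | grep -qxF -- "$1"
}

# Walk the checkout at $1 (skipping .git), apply both checks, honour the waiver
# file $2. Prints one finding per line; returns 1 (a -1 vote) if anything is
# found and 0 (+1) otherwise.
scan_tree() {
  root=$1; waivers=$2; rc=0
  files=$(cd "$root" && find . -path ./.git -prune -o -type f -print | sed 's|^\./||')
  oldifs=$IFS; IFS='
'; set -f                      # split on newlines only, no globbing of names
  for f in $files; do
    if is_waived "$f" "$waivers"; then
      continue
    elif is_binary "$root/$f"; then
      echo "BINARY  $f"; rc=1
    elif grep -Eq -e "$SECRET_PATTERNS" "$root/$f"; then
      echo "SECRET  $f"; rc=1
    fi
  done
  set +f; IFS=$oldifs
  return "$rc"
}

# Usage: gate.sh <checkout-dir> <waiver-file>; exit 0 maps to +1, exit 1 to -1.
if [ "$#" -eq 2 ]; then
  scan_tree "$1" "$2"
fi
```

The binary check deliberately mirrors git's own text/binary decision rather than a MIME sniff, so the gate and `git diff` disagree as rarely as possible; the waiver list is keyed on the path only, which is the simplest shape of the "ignore entry for a single project" the thread describes. `pinned_clone` rejects branch and tag names outright because either can be re-pointed after a review has happened, which is exactly the "no idea what you are building" problem Tapio raises.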