Hi Bryan, I’m sure Luke will respond to this mail as well but let me put our experience here as a user of this tool.
We have been using Anteater for a while now – we started running it against patches around the middle of last year. The tool definitely helped us to catch and fix some crucial things such as keys stored in repos, passwords, downloading stuff from unknown IPs, and so on. We started running weekly scans as well and sending reports to PTLs so they see what else they have in their repos and fix them – some leftovers from before we enabled the gating in non-voting fashion. I believe what Anteater brings in is valuable for Acumos as well (and any other project that lacks this type of scanning), and it is pretty easy to get it up and running on CI.

The broken link on the Wiki has also been fixed.

/Fatih

From: <opnfv-tech-discuss-boun...@lists.opnfv.org> on behalf of "SULLIVAN, BRYAN L (BRYAN L)" <bryan.sulli...@research.att.com>
Date: Tuesday, 6 February 2018 at 15:34
To: "opnfv-tech-discuss@lists.opnfv.org" <opnfv-tech-discuss@lists.opnfv.org>
Subject: [opnfv-tech-discuss] Anteater status and link issue

Hi all,

I’m wondering where the Anteater program is – and want to note a broken link: build jobs with Anteater violations reference “Please visit: https://wiki.opnfv.org/x/5oey”, which is the wiki page https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198, which says “Project specific exceptions can be added for file_name, file_contents and binaries, by using the name of the repository within the anteater/exceptions/ directory of the releng-anteater<https://wiki.opnfv.org/gerrit.opnfv.org:29418/releng-anteater.git> repository.” – but that link (releng-anteater<https://wiki.opnfv.org/gerrit.opnfv.org:29418/releng-anteater.git>) is broken. I want to start adding the exceptions for Models etc. as an example for the LF IT team that is setting up the Acumos project gerrit/CI/CD process, and in general to help optimize the Anteater overhead for projects.

I think we need to get some analysis of the types of exceptions that are typical, and establish a process for vetting those exceptions that goes beyond a simple review by a releng committer. Further, we need to bring in other scan tools (e.g. security vulnerability, virus, or malicious code scans) into the Anteater process. This is in response to concerns about the security of the governance process for open source (e.g. upstream, but also direct contribution in projects) that is used to build production-oriented systems. We need to demonstrate that OPNFV and other LF projects are addressing these concerns through their infra toolsets.

Thanks,
Bryan Sullivan | AT&T
_______________________________________________ opnfv-tech-discuss mailing list opnfv-tech-discuss@lists.opnfv.org https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
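The thread describes two things a patch-gating scanner like Anteater does: flag the finding classes Fatih lists (keys in repos, hard-coded passwords, downloads from bare IP addresses, unexpected binaries) and suppress known-good cases through per-repository exceptions of the three kinds the wiki names (file_name, file_contents, binaries). The Python below is an added illustration of that mechanism, not Anteater's own code: the rule regexes, the Exceptions layout and the sample repository contents are all constructed for this example, and the real tool's configuration format is not assumed.

```python
import re
from dataclasses import dataclass, field


# Constructed detection rules for the finding classes named in the thread:
# private keys, hard-coded passwords, and downloads from bare IP addresses.
RULES = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password": re.compile(r"(?i)\b(?:password|passwd)\s*[:=]\s*['\"]?\S{4,}"),
    "ip_download": re.compile(r"\b(?:curl|wget)\b.*?https?://(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class Exceptions:
    """Per-repository allow-list. Hypothetical layout modelled on the three
    exception classes the wiki text names; not Anteater's real format."""
    file_name: list = field(default_factory=list)      # path regexes skipped entirely
    file_contents: list = field(default_factory=list)  # line regexes that are known-good
    binaries: list = field(default_factory=list)       # path regexes allowed to be binary


@dataclass
class Finding:
    path: str
    line: int       # 0 for whole-file findings (binaries)
    rule: str
    text: str


def _matches_any(patterns, value):
    return any(re.search(p, value) for p in patterns)


def scan_files(files, exceptions):
    """Scan a {path: bytes} mapping and return the findings not covered by exceptions."""
    findings = []
    for path, data in files.items():
        # file_name exception: the whole file is out of scope for this repository.
        if _matches_any(exceptions.file_name, path):
            continue
        # A NUL byte is used as the binary marker; binaries are flagged unless allow-listed.
        if b"\x00" in data:
            if not _matches_any(exceptions.binaries, path):
                findings.append(Finding(path, 0, "binary", "binary file not in exception list"))
            continue
        text = data.decode("utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES.items():
                # file_contents exception: a matching line is suppressed, the file is still scanned.
                if pattern.search(line) and not _matches_any(exceptions.file_contents, line):
                    findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


# Constructed sample repository contents; none of these values are real secrets or hosts.
SAMPLE_FILES = {
    "deploy/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed...\n",
    "config/db.yaml": b"user: app\npassword: hunter2-example\n",
    "scripts/fetch.sh": b"#!/bin/sh\ncurl -o tool.tgz http://203.0.113.10/tool.tgz\n",
    "tests/fixtures/sample.key": b"-----BEGIN RSA PRIVATE KEY-----\nTESTFIXTURE\n",
    "docs/example.md": b"password: <your-password-here>\n",
    "images/logo.png": b"\x89PNG\x00\x00constructed",
    "vendor/blob.bin": b"\x00\x01\x02",
}

# Constructed per-repository exceptions: a fixture directory, a documentation
# placeholder line, and an allowed image path.
SAMPLE_EXCEPTIONS = Exceptions(
    file_name=[r"^tests/fixtures/"],
    file_contents=[r"<your-password-here>"],
    binaries=[r"^images/.*\.png$"],
)


def sample_report():
    """Run the scan over the constructed sample and return (path, rule) pairs."""
    return [(f.path, f.rule) for f in scan_files(SAMPLE_FILES, SAMPLE_EXCEPTIONS)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, SAMPLE_EXCEPTIONS):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

The point of the three exception kinds is their scope: a file_name exception removes a file from scanning altogether, a file_contents exception silences one known-good line while the rest of the file is still checked, and a binaries exception permits a specific binary path. Keeping them per repository, as the wiki describes, is what makes Bryan's concern concrete: each added exception narrows the gate, so the list needs review beyond a single committer's approval.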