Comments etc inline

Bryan Sullivan | AT&T

From: Luke Hinds []
Sent: Monday, February 12, 2018 9:04 AM
Cc:; degirmenci, fatih 
<>; Raymond Paik <>
Subject: Re: [opnfv-tech-discuss] Anteater status and link issue

On Tue, Feb 6, 2018 at 2:32 PM, SULLIVAN, BRYAN L (BRYAN L) 
<<>> wrote:
Hi all,
I’m wondering where the Anteater program is – and want to note a broken link: 
build jobs with Anteater violations reference “Please visit:<>”,
 which is the wiki page<>,
 which says “Project specific exceptions can be added for file_name, 
file_contents and binaries, by using the name of the repository within the 
anteater/exceptions/ directory of the 
 repository.” – but that link 
 is broken.
I want to start adding the exceptions for Models etc as an example for the LF 
IT team that is setting up the Acumos project gerrit/CI/CD process, and in 
general to help optimize the Anteater overhead for projects. I think we need to 
get some analysis of the types of exceptions that are typical, and establish a 
process for vetting those exceptions that goes beyond a simple review by a 
releng committer.
Further, we need to bring in other scan tools (e.g. security vulnerability, 
virus, or malicious code scans) into the Anteater process. This is in response 
to concerns about the security of the governance process for open source (e.g. 
upstream, but also direct contribution in projects) that is used to build 
production-oriented systems. We need to demonstrate that OPNFV and other LF 
projects are addressing these concerns through their infra toolsets.

Sorry Bryan, I missed a few of these emails thanks (or rather no thanks) to a 
bad mail filter rule.
I am working on the following now which we will see soon:
Much better documentation:<>
[bryan] Are you going to start hosting these docs at
Virus total integration:
   * Any binaries will be scanned using the virus total API, unless a sha256 
waiver is already present e.g.<>
   * Any IP addresses / domain name / URL will be scanned (again using the 
Virus Total API) for known malware and other nastiness.
[bryan] VirusTotal looks like a useful service. Are there any stats for its 
effectiveness at detecting threats, including new threats and delay in 
supporting them?
I also have a load of new strings to add to dig out and report anything of a 
more recent finding (for example a javascript based bitcoin miner).
[bryan] I would like to see how we can improve the contextual effectiveness of 
the pattern matching approach. Any bar (or port in a storm) may seem to be 
better than none, and can at least catch newbie mistakes and anti-patterns, but 
most of the strings I’ve included in 
relate to IMO innocuous (if admittedly sometimes cheap or anti-patterned) use 
of prohibited words. Others, I clearly need to fix.
The project is also hopefully going to move into github (once agreed with LF) 
to encourage wider contributions and allow it to be more easily consumed else.
[bryan] Anything that broadens contribution and consumption makes sense to me. 
Are there any other open source projects in this same space that you are 
considering leveraging, to avoid re-developing features unnecessarily?
Once the above is in place, docs will be clearer to follow, project will be 
more presentable, with more coverage in finding vulns will be wider.

[bryan] We probably need more docs re the process for getting exceptions 
approved, and how the community can track its effectiveness in the mission 
represented by this toolset, through the types of approved exception patterns, 
as they grow (or shrink… it would be good to see the community improving 
through reduction in the need to maintain exceptions, and partly because the 
tool is getting smarter).
Bryan Sullivan | AT&T

opnfv-tech-discuss mailing list<><>

Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e:<> | irc: lhinds @freenode | t: +44 
12 52 36 2483
opnfv-tech-discuss mailing list

Reply via email to