Date   

Re: security & CNCF projects

Shubhra Kar
 

The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).

We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a  "regex" filter to maintainers to eliminate FPs globally as well. 


Shubhra



On Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:
I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears). 

Can we also more clearly flag that this is a work in progress? 

Thanks,
Liz



On Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:
Essentially we want them to create LFIDs to grant access.


Shubhra


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Liz Rice
 

I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears). 

Can we also more clearly flag that this is a work in progress? 

Thanks,
Liz



On Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:
Essentially we want them to create LFIDs to grant access.


Shubhra


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Stephen Augustus
 

Idea: It would be cool if all CNCF projects had the same metadata for representing "maintainers".

If that was standardized, some tool could ingest and compare against LFIDs.

-- Stephen

On Tue, Feb 16, 2021, 13:22 Shubhra Kar <skar@...> wrote:
Essentially we want them to create LFIDs to grant access.


Shubhra


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Shubhra Kar
 

Essentially we want them to create LFIDs to grant access.


Shubhra


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Vasu Naidu <vnaidu@...>
 

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Vasu Naidu <vnaidu@...>
 

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu



 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Stephen Augustus
 

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

-- Stephen


On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:
I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?

Kind Regards,

Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar



On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu



 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Shubhra Kar
 

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?

Kind Regards,

Shubhra Kar
CTO and GM of Products and IT
tweet: @shubhrakar



On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:
thanks, how do I share these with the flux maintainers and community

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu



 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

alexis richardson
 

thanks, how do I share these with the flux maintainers and community


On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu



 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

alexis richardson
 

Yes, please.

To your general point -- I have a view that if Snyk (or similar) offers a free scanning service to CNCF projects, then the community should benefit.  These are completely standard scanning tools used by many.  I am sure external attackers already have this info.  Don't hold it back, there is NO benefit.







On Tue, Feb 16, 2021 at 4:15 PM Chris Aniszczyk <caniszczyk@...> wrote:
That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers should know first before external attackers? Also a lot of thes security tools can have false positives and so on that may not reflect reality, so it's a bit of a nuanced topic.

If your project wants access to these security tools or others, feel free to file a SD ticket! https://github.com/cncf/servicedesk#tools - in this case Alexis, I'll have someone on my team reach out and get flux squared away. However, most of these are already free for open source projects so you can readily just adopt them yourselves.

On Tue, Feb 16, 2021 at 9:33 AM Alexis Richardson <alexis@...> wrote:
I see.  Well, I'm not.

This info should be open to all, without any barriers whatsoever 


On Tue, 16 Feb 2021, 15:29 Matt Jarvis, <matt@...> wrote:
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed. 

On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris

It would be great if this data was readily accessible.   I don't think packing into GH actions provides that, however useful it may be for other purposes


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


Re: security & CNCF projects

Vasu Naidu <vnaidu@...>
 

Jim,

 

We are looking into, let me get back to you with an update.

 

Regards,

Vasu

---
Sr. Director, Head Of Engineering
Cell: 1.408.420.0404

Slack: @Vasu

signature_151163572

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

Chris Aniszczyk
 

That depends on your viewpoint, the maintainers ideally should make that call per project based on whatever security process they have in place for the project. You can have a view that maintainers should know first before external attackers? Also a lot of thes security tools can have false positives and so on that may not reflect reality, so it's a bit of a nuanced topic.

If your project wants access to these security tools or others, feel free to file a SD ticket! https://github.com/cncf/servicedesk#tools - in this case Alexis, I'll have someone on my team reach out and get flux squared away. However, most of these are already free for open source projects so you can readily just adopt them yourselves.

On Tue, Feb 16, 2021 at 9:33 AM Alexis Richardson <alexis@...> wrote:
I see.  Well, I'm not.

This info should be open to all, without any barriers whatsoever 


On Tue, 16 Feb 2021, 15:29 Matt Jarvis, <matt@...> wrote:
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed. 

On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris

It would be great if this data was readily accessible.   I don't think packing into GH actions provides that, however useful it may be for other purposes


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


Re: security & CNCF projects

alexis richardson
 

I see.  Well, I'm not.

This info should be open to all, without any barriers whatsoever 


On Tue, 16 Feb 2021, 15:29 Matt Jarvis, <matt@...> wrote:
I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed. 

On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris

It would be great if this data was readily accessible.   I don't think packing into GH actions provides that, however useful it may be for other purposes


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)


Re: security & CNCF projects

Matt Jarvis
 

I think what Chris means is that if you are already scanning with Snyk, then you won't see anything different in the LFX feed. 


On Tue, 16 Feb 2021 at 14:42, alexis richardson <alexis@...> wrote:
Thanks Chris

It would be great if this data was readily accessible.   I don't think packing into GH actions provides that, however useful it may be for other purposes


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)


Re: Agenda for TOC Meeting for 2/16

Lee Calcote
 

Apologies - will miss TOC liaison discussion today. 

No electricity or water in my area. No/limited cellular. Hoping this message catches a signal before tomorrow’s call. 

-Lee

On Feb 15, 2021, at 3:24 PM, Amye Scavarda Perrin <ascavarda@...> wrote:


Hi all, 
We'll be meeting tomorrow at 8am Pacific.
We'll have a short discussion about TOC liaisons with the SIGs, and then have an open floor for discussion. 

Thanks!
-- amye 

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: security & CNCF projects

St Leger, Jim
 

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)


Re: security & CNCF projects

alexis richardson
 

Thanks Chris

It would be great if this data was readily accessible.   I don't think packing into GH actions provides that, however useful it may be for other purposes


On Tue, 16 Feb 2021, 14:13 Chris Aniszczyk, <caniszczyk@...> wrote:
I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)


Re: security & CNCF projects

Chris Aniszczyk
 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:
Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a




--
Chris Aniszczyk (@cra)


security & CNCF projects

alexis richardson
 

Hi all

Has anyone looked at this? 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

Can we have something more open & useful please?

a



Agenda for TOC Meeting for 2/16

Amye Scavarda Perrin
 

Hi all, 
We'll be meeting tomorrow at 8am Pacific.
We'll have a short discussion about TOC liaisons with the SIGs, and then have an open floor for discussion. 

Thanks!
-- amye 

--
Amye Scavarda Perrin | Program Manager | amye@...

721 - 740 of 6383