metron-dev mailing list archives

From "Zeolla@GMail.com" <zeo...@gmail.com>
Subject Re: Secure code analysis
Date Fri, 03 Jun 2016 01:17:47 GMT
Per the other discussion it is possible that this conflicts with the Apache
stance for vulnerability disclosure/management.  I'm going to hold off on
any additional effort until I know more.

Jon

On Tue, May 31, 2016, 16:07 James Sirota <jsirota@apache.org> wrote:

> Jon, would it be possible for you to scan Metron from your own branch?
> I'd like to know if this is useful at all.  If we get value out of it I'll
> run this down and see how we can get it hooked up.
>
> 31.05.2016, 10:08, "Nick Allen" <nick@nickallen.org>:
> > I connect Travis to my own personal fork of Metron so that the CI builds
> > run on my own branches before I submit PRs. Thinking you could do the
> > same with this. Maybe I'm wrong.
> >
> > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> >
> >>  To register project on Coverity Scan, you must be contributor or
> >>  maintainer of the project.
> >>
> >>  It may also be worth mentioning that there are a ton of Apache projects
> >>  already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi,
> >>  Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
> >>  https://scan.coverity.com/projects?page=2
> >>
> >>  Jon
> >>
> >>  On Tue, May 31, 2016 at 12:52 PM Nick Allen <nick@nickallen.org> wrote:
> >>
> >>  > You could set it up on your own fork of Metron in Github. Then you
> >>  > can tell us if it is useful at all.
> >>  >
> >>  > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <zeolla@gmail.com>
> >>  > wrote:
> >>  >
> >>  > > So I did a bit of digging today and I found a few options
> >>  > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> >>  > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've
> >>  > > never used this product before, so I'm not exactly sure what to expect,
> >>  > > but I guess anyone can kick off a scan of an open source project and get
> >>  > > results within 48 hours. I was in the process of registering Metron to
> >>  > > be scanned but I found some things in their scan user agreement which I
> >>  > > wasn't sure everybody would be in line with (see below for the excerpts -
> >>  > > note I did NOT read the entire document and IANAL).
> >>  > >
> >>  > > Here's the TL;DR of what Coverity Scan is:
> >>  > >
> >>  > > Coverity Scan <http://scan.coverity.com/> is a free static code
> >>  > > analysis tool for Java, C, C++, C# and JavaScript.
> >>  > >
> >>  > > This addon leverages the Travis-CI infrastructure to automatically
> >>  > > run code analysis on your GitHub projects.
> >>  > >
> >>  > > Coverity Scan is a service by which Coverity provides the results
> >>  > > of analysis on open source coding projects to open source code
> >>  > > developers that have registered their products with Coverity Scan.
> >>  > >
> >>  > > Some examples of defects and vulnerabilities found by Coverity
> >>  > > Quality Advisor include:
> >>  > >
> >>  > > - resource leaks
> >>  > > - dereferences of NULL pointers
> >>  > > - incorrect usage of APIs
> >>  > > - use of uninitialized data
> >>  > > - memory corruptions
> >>  > > - buffer overruns
> >>  > > - control flow issues
> >>  > > - error handling issues
> >>  > > - incorrect expressions
> >>  > > - concurrency issues
> >>  > > - insecure data handling
> >>  > > - unsafe use of signed values
> >>  > > - use of resources that have been freed
> >>  > >
> >>  > > Register your project with Coverity Scan by completing the project
> >>  > > registration form found at scan.coverity.com. Upon your completion of
> >>  > > project registration (including acceptance of the Scan User Agreement)
> >>  > > and your receipt of confirmation of registration of your project, you
> >>  > > will be able to download the Software required to submit a build of
> >>  > > your code for analysis by Coverity Scan. You may then download the
> >>  > > Software, complete a build and submit your Registered Project build for
> >>  > > analysis and review in Coverity Scan. Coverity Scan is only available
> >>  > > for use with open source projects that are registered with Coverity
> >>  > > Scan.
> >>  > >
> >>  > > Here are some interesting snippets from their scan user agreement:
> >>  > >
> >>  > > Your use of our software is acceptance of our Terms
> >>  > > <https://scan.coverity.com/policy>
> >>  > >
> >>  > > You will not disassemble, decompile, reverse engineer, modify or
> >>  > > create derivative works of Our Service, software products or
> >>  > > documentation nor permit any third party to do so, except to the
> >>  > > extent such restrictions are prohibited by applicable mandatory local
> >>  > > law
> >>  > >
> >>  > > You will not disclose to any third party any comparison of the
> >>  > > results of operation of Our Service or software products with other
> >>  > > services or products, except as expressly permitted by this Agreement
> >>  > >
> >>  > > You will not publish any findings regarding or resulting from use
> >>  > > of the Service or the Software
> >>  > >
> >>  > > You agree that We may use Your name and logo (in a form approved by
> >>  > > You) and Registered Product information to identify You and such
> >>  > > project as a participant of Our Scan Program on Our website or in Our
> >>  > > marketing or publicity materials or in any filings made in connection
> >>  > > with state or federal securities laws.
> >>  > >
> >>  > > Additionally, upon execution of this Agreement, the parties will
> >>  > > use commercially reasonable efforts to issue mutually agreed upon
> >>  > > joint press releases or other public communications announcing Your
> >>  > > entry into this Agreement.
> >>  > >
> >>  > > At Our written request, You will furnish Us with (a) a certification
> >>  > > signed by an officer of Your company providing user or access
> >>  > > information that identifies whether the Service and the Software is
> >>  > > being used in accordance with the terms of this Agreement, and (b) log
> >>  > > files from any License Manager. Upon at least thirty (30) days prior
> >>  > > written notice, We may engage, at Our expense, an independent auditor
> >>  > > to audit Your use of the Service and the Software to ensure that You
> >>  > > are in compliance with the terms of this Agreement. ... You will
> >>  > > provide the auditor with access to the relevant records and
> >>  > > facilities.
> >>  > >
> >>  > > Jon
> >>  > >
> >>  > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <zeolla@gmail.com>
> >>  > > wrote:
> >>  > >
> >>  > > > There's nothing built-in with Travis, but we could install a
> >>  > > > tool to do this as part of the installation of tools on the build
> >>  > > > box. I'm gonna reach out to people in my local circle who specialize
> >>  > > > in secure code analysis and see what all of the options are.
> >>  > > >
> >>  > > > Jon
> >>  > > >
> >>  > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <nick@nickallen.org>
> >>  > > > wrote:
> >>  > > >
> >>  > > >> I completely agree that we will need some focus on this.
> >>  > > >>
> >>  > > >> What could Travis do for us? I wasn't aware that they offered
> >>  > > >> security scanning.
> >>  > > >>
> >>  > > >> Are you aware of any security scan services that offer free
> >>  > > >> support to open source projects?
> >>  > > >>
> >>  > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <zeolla@gmail.com>
> >>  > > >> wrote:
> >>  > > >>
> >>  > > >> > So I've never done anything like this before in Travis but I
> >>  > > >> > have done IDE plugins and pre prod scans in the past at large
> >>  > > >> > companies which worked well. I floated the idea past a friend
> >>  > > >> > working at Travis and she said if we go that route she would
> >>  > > >> > assist.
> >>  > > >> >
> >>  > > >> > I just think that if this is integrated from the beginning and
> >>  > > >> > fail builds on critical issues (to start), this could be a big
> >>  > > >> > differentiator, especially because we're talking about a security
> >>  > > >> > platform that centralizes tons of sensitive information, tries to
> >>  > > >> > parse almost anything that's thrown at it (think of what's been
> >>  > > >> > happening to AV products recently), and is open source for bad
> >>  > > >> > guys to dig into much more easily.
> >>  > > >> >
> >>  > > >> > Jon
> >>  > > >> >
> >>  > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <nick@nickallen.org> wrote:
> >>  > > >> >
> >>  > > >> > > I am not aware of any discussions around this, Jon. What are
> >>  > > >> > > you thinking?
> >>  > > >> > >
> >>  > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com
> >>  > > >> > > <zeolla@gmail.com> wrote:
> >>  > > >> > >
> >>  > > >> > > > I was just wondering if there is any sort of static (or
> >>  > > >> > > > even dynamic) code analysis, or penetration testing/vulnerability
> >>  > > >> > > > assessment, occurring at any point on the metron code. Has there
> >>  > > >> > > > been any discussion of installing something along those lines on
> >>  > > >> > > > the Travis build server (if it isn't there already)? Thanks,
> >>  > > >> > > >
> >>  > > >> > > > Jon
> >>  > > >> > > > --
> >>  > > >> > > >
> >>  > > >> > > > Jon
> >>  > > >> > > >
> >>  > > >> > >
> >>  > > >> > >
> >>  > > >> > >
> >>  > > >> > > --
> >>  > > >> > > Nick Allen <nick@nickallen.org>
> >>  > > >> > >
> >>  > > >> > --
> >>  > > >> >
> >>  > > >> > Jon
> >>  > > >> >
> >>  > > >>
> >>  > > >>
> >>  > > >>
> >>  > > >> --
> >>  > > >> Nick Allen <nick@nickallen.org>
> >>  > > >>
> >>  > > > --
> >>  > > >
> >>  > > > Jon
> >>  > > >
> >>  > > --
> >>  > >
> >>  > > Jon
> >>  > >
> >>  >
> >>  >
> >>  >
> >>  > --
> >>  > Nick Allen <nick@nickallen.org>
> >>  >
> >>  --
> >>
> >>  Jon
> >
> > --
> > Nick Allen <nick@nickallen.org>
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org
>
-- 

Jon
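The suggestion in the thread of integrating a scanner from the beginning and failing builds on critical issues (to start) comes down, in practice, to a small gate step at the end of the CI job: read the scanner's findings, compare each against a severity threshold, and return a non-zero exit code when anything at or above that threshold is present. The script below is an added example and is not code from this thread or from the Metron project. It assumes a hypothetical JSON findings report (the format is constructed for illustration and is not Coverity's export format) and an optional threshold argument so a project can start at "critical" and ratchet down to "high" or "medium" as the backlog is cleared.

```python
"""
CI build gate over static-analysis findings (added example, not Metron code).

Assumptions, all hypothetical for this illustration:
  * the scanner writes a JSON report with a top-level "findings" list, each
    entry carrying id, checker, severity, file and line (constructed format);
  * the job invokes this script after the scan, optionally passing a report
    path and a minimum blocking severity (default "critical").
"""
import json
import sys

# Severity ranking, highest first. Unknown severities are treated as "low" so
# a malformed entry never silently blocks (or unblocks) the build.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample report, used when no path is given on the command line.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "checker": "NULL_DEREFERENCE", "severity": "high",
         "file": "src/main/java/Example.java", "line": 42},
        {"id": "F-2", "checker": "RESOURCE_LEAK", "severity": "medium",
         "file": "src/main/java/Other.java", "line": 7},
        {"id": "F-3", "checker": "UNINITIALIZED_DATA", "severity": "critical",
         "file": "src/main/java/Third.java", "line": 99},
    ]
})


def parse_findings(report_text):
    """Parse the JSON report into normalized finding dicts, tolerating gaps."""
    data = json.loads(report_text)
    findings = []
    for raw in data.get("findings", []):
        findings.append({
            "id": str(raw.get("id", "?")),
            "checker": str(raw.get("checker", "UNKNOWN")),
            "severity": str(raw.get("severity", "low")).lower(),
            "file": str(raw.get("file", "?")),
            "line": int(raw.get("line", 0)),
        })
    return findings


def summarize(findings):
    """Count findings per known severity so the job log shows the trend."""
    counts = {name: 0 for name in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"] if f["severity"] in counts else "low"] += 1
    return counts


def blocking_findings(findings, threshold="critical"):
    """Return the findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK.get(threshold.lower(), SEVERITY_RANK["critical"])
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["low"]) >= floor]


def gate(report_text, threshold="critical"):
    """Return (exit_code, blocking_findings): 1 blocks the build, 0 passes it."""
    blocking = blocking_findings(parse_findings(report_text), threshold)
    return (1 if blocking else 0), blocking


def main(argv):
    report_text = SAMPLE_REPORT
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
    threshold = argv[2] if len(argv) > 2 else "critical"

    findings = parse_findings(report_text)
    print("findings by severity:", summarize(findings))
    code, blocking = gate(report_text, threshold)
    for f in blocking:
        print("BLOCKING [%s] %s at %s:%d (%s)"
              % (f["severity"], f["checker"], f["file"], f["line"], f["id"]))
    print("gate threshold=%s -> %s" % (threshold, "FAIL" if code else "PASS"))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it gates the constructed sample at "critical" and exits 1 because of F-3; `python gate.py report.json high` would also block on F-1. Keeping the threshold as a job parameter rather than a constant is what makes the "to start" part workable: the gate is strict from day one on the worst class and tightened later without touching the script.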
