metron-dev mailing list archives

From "Zeolla@GMail.com" <zeo...@gmail.com>
Subject Re: Secure code analysis
Date Thu, 21 Dec 2017 15:48:03 GMT
Just following up on this conversation again -

I have discussed this ad-hoc with a few PMC members recently and wanted to
bring it up on the list.  Veracode has provided us with a 100% free portal
to scan the Metron code with, but in order to integrate, the safest option
is probably to use the ASF's jenkins server (as I'm not aware of a safe way
to automatically pass API creds to Veracode from GitHub).  My long-term
interest here would be to scan and clean up the code base generally, and
then to try and scan PRs for concerns (non-blocking).  Perhaps at some
point, if we identify that these scans are actually useful and not
false-positive prone/onerous, we could turn this into a blocking
requirement for contributions.  Being a security project, I feel that we
should be doing as much as we can to ensure that what we're providing is
safe.

I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
setup.  It looks like Veracode has a Jenkins plugin
<https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
Jenkins has a plugin for Veracode in its plugin repo
<https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
the ASF supports adding plugins
<https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
to their Jenkins servers (although I think
<https://wiki.apache.org/general/Jenkins#What_do_Administrators_do.3F> the
admins are supposed to do this),
and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
ASF Jenkins server.  The ASF seems to support giving non-PMC committers
access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
Jenkins, but it requires that the PMC chair do some work, and generally it
looks like they want admins
<https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
<https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
involved (I also don't have access to the builds JIRA project
<https://issues.apache.org/jira/projects/BUILDS>, if it really exists).

I'm happy to play around with this and see how it could be useful, but in
order to do so I need to get some additional authorization.  Does anybody
have any concerns with delegating this access to me, or with this general
approach?

Jon

On Fri, Dec 16, 2016 at 11:39 AM James Sirota <jsirota@apache.org> wrote:

> That would be great. I can work with them
>
> 15.12.2016, 18:38, "Zeolla@GMail.com" <zeolla@gmail.com>:
> > I recently discussed this topic with Veracode regarding the metron
> project
> > and they mentioned there may be interest in providing free services,
> > however they would need to work with an official project rep. If there's
> > interest in pursuing this please let me know.
> >
> > On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <zeolla@gmail.com> wrote:
> >
> >>  Per the other discussion it is possible that this conflicts with the
> >>  Apache stance for vulnerability disclosure/management. I'm going to
> >>  hold off on any additional effort until I know more.
> >>
> >>  Jon
> >>
> >>  On Tue, May 31, 2016, 16:07 James Sirota <jsirota@apache.org> wrote:
> >>
> >>  Jon, would it be possible for you to scan Metron from your own branch?
> >>  I'd like to know if this is useful at all. If we get value out of it
> >>  I'll run this down and see how we can get it hooked up.
> >>
> >>  31.05.2016, 10:08, "Nick Allen" <nick@nickallen.org>:
> >>  > I connect Travis to my own personal fork of Metron so that the CI
> >>  > builds run on my own branches before I submit PRs. Thinking you
> >>  > could do the same with this. Maybe I'm wrong.
> >>  >
> >>  > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <zeolla@gmail.com>
> >>  > wrote:
> >>  >
> >>  >> To register a project on Coverity Scan, you must be a contributor or
> >>  >> maintainer of the project.
> >>  >>
> >>  >> It may also be worth mentioning that there are a ton of Apache
> >>  >> projects already registered, including Ambari, Drill, Flume, Hadoop,
> >>  >> HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
> >>  >> https://scan.coverity.com/projects?page=2
> >>  >>
> >>  >> Jon
> >>  >>
> >>  >> On Tue, May 31, 2016 at 12:52 PM Nick Allen <nick@nickallen.org>
> >>  >> wrote:
> >>  >>
> >>  >> > You could set it up on your own fork of Metron in GitHub. Then
> >>  >> > you can tell us if it is useful at all.
> >>  >> >
> >>  >> > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <zeolla@gmail.com>
> >>  >> > wrote:
> >>  >> >
> >>  >> > > So I did a bit of digging today and I found a few options
> >>  >> > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> >>  >> > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.
> >>  >> > > I've never used this product before, so I'm not exactly sure what
> >>  >> > > to expect, but I guess anyone can kick off a scan of an open
> >>  >> > > source project and get results within 48 hours. I was in the
> >>  >> > > process of registering Metron to be scanned but I found some
> >>  >> > > things in their scan user agreement which I wasn't sure everybody
> >>  >> > > would be in line with (see below for the excerpts - note I did
> >>  >> > > NOT read the entire document and IANAL).
> >>  >> > >
> >>  >> > > Here's the TL;DR of what Coverity Scan is:
> >>  >> > >
> >>  >> > > Coverity Scan <http://scan.coverity.com/> is a free static code
> >>  >> > > analysis tool for Java, C, C++, C# and JavaScript.
> >>  >> > >
> >>  >> > > This addon leverages the Travis-CI infrastructure to
> >>  >> > > automatically run code analysis on your GitHub projects.
> >>  >> > >
> >>  >> > > Coverity Scan is a service by which Coverity provides the
> >>  >> > > results of analysis on open source coding projects to open source
> >>  >> > > code developers that have registered their products with Coverity
> >>  >> > > Scan.
> >>  >> > >
> >>  >> > > Some examples of defects and vulnerabilities found by Coverity
> >>  >> > > Quality Advisor include:
> >>  >> > >
> >>  >> > > - resource leaks
> >>  >> > > - dereferences of NULL pointers
> >>  >> > > - incorrect usage of APIs
> >>  >> > > - use of uninitialized data
> >>  >> > > - memory corruptions
> >>  >> > > - buffer overruns
> >>  >> > > - control flow issues
> >>  >> > > - error handling issues
> >>  >> > > - incorrect expressions
> >>  >> > > - concurrency issues
> >>  >> > > - insecure data handling
> >>  >> > > - unsafe use of signed values
> >>  >> > > - use of resources that have been freed
> >>  >> > >
> >>  >> > > Register your project with Coverity Scan by completing the
> >>  >> > > project registration form found at scan.coverity.com. Upon your
> >>  >> > > completion of project registration (including acceptance of the
> >>  >> > > Scan User Agreement) and your receipt of confirmation of
> >>  >> > > registration of your project, you will be able to download the
> >>  >> > > Software required to submit a build of your code for analysis by
> >>  >> > > Coverity Scan. You may then download the Software, complete a
> >>  >> > > build and submit your Registered Project build for analysis and
> >>  >> > > review in Coverity Scan. Coverity Scan is only available for use
> >>  >> > > with open source projects that are registered with Coverity Scan.
> >>  >> > >
> >>  >> > > Here are some interesting snippets from their scan user
> >>  >> > > agreement:
> >>  >> > >
> >>  >> > > Your use of our software is acceptance of our Terms
> >>  >> > > <https://scan.coverity.com/policy>
> >>  >> > >
> >>  >> > > You will not disassemble, decompile, reverse engineer, modify or
> >>  >> > > create derivative works of Our Service, software products or
> >>  >> > > documentation nor permit any third party to do so, except to the
> >>  >> > > extent such restrictions are prohibited by applicable mandatory
> >>  >> > > local law
> >>  >> > >
> >>  >> > > You will not disclose to any third party any comparison of the
> >>  >> > > results of operation of Our Service or software products with
> >>  >> > > other services or products, except as expressly permitted by this
> >>  >> > > Agreement
> >>  >> > >
> >>  >> > > You will not publish any findings regarding or resulting from
> >>  >> > > use of the Service or the Software
> >>  >> > >
> >>  >> > > You agree that We may use Your name and logo (in a form approved
> >>  >> > > by You) and Registered Product information to identify You and
> >>  >> > > such project as a participant of Our Scan Program on Our website
> >>  >> > > or in Our marketing or publicity materials or in any filings made
> >>  >> > > in connection with state or federal securities laws.
> >>  >> > >
> >>  >> > > Additionally, upon execution of this Agreement, the parties will
> >>  >> > > use commercially reasonable efforts to issue mutually agreed upon
> >>  >> > > joint press releases or other public communications announcing
> >>  >> > > Your entry into this Agreement.
> >>  >> > >
> >>  >> > > At Our written request, You will furnish Us with (a) a
> >>  >> > > certification signed by an officer of Your company providing user
> >>  >> > > or access information that identifies whether the Service and the
> >>  >> > > Software is being used in accordance with the terms of this
> >>  >> > > Agreement, and (b) log files from any License Manager. Upon at
> >>  >> > > least thirty (30) days prior written notice, We may engage, at
> >>  >> > > Our expense, an independent auditor to audit Your use of the
> >>  >> > > Service and the Software to ensure that You are in compliance
> >>  >> > > with the terms of this Agreement. ... You will provide the
> >>  >> > > auditor with access to the relevant records and facilities.
> >>  >> > >
> >>  >> > > Jon
> >>  >> > >
> >>  >> > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <zeolla@gmail.com>
> >>  >> > > wrote:
> >>  >> > >
> >>  >> > > > There's nothing built-in with Travis, but we could install a
> >>  >> > > > tool to do this as part of the installation of tools on the
> >>  >> > > > build box. I'm gonna reach out to people in my local circle who
> >>  >> > > > specialize in secure code analysis and see what all of the
> >>  >> > > > options are.
> >>  >> > > >
> >>  >> > > > Jon
> >>  >> > > >
> >>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <nick@nickallen.org>
> >>  >> > > > wrote:
> >>  >> > > >
> >>  >> > > >> I completely agree that we will need some focus on this.
> >>  >> > > >>
> >>  >> > > >> What could Travis do for us? I wasn't aware that they offered
> >>  >> > > >> security scanning.
> >>  >> > > >>
> >>  >> > > >> Are you aware of any security scan services that offer free
> >>  >> > > >> support to open source projects?
> >>  >> > > >>
> >>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com
> >>  >> > > >> <zeolla@gmail.com> wrote:
> >>  >> > > >>
> >>  >> > > >> > So I've never done anything like this before in Travis but
> >>  >> > > >> > I have done IDE plugins and pre-prod scans in the past at
> >>  >> > > >> > large companies which worked well. I floated the idea past
> >>  >> > > >> > a friend working at Travis and she said if we go that route
> >>  >> > > >> > she would assist.
> >>  >> > > >> >
> >>  >> > > >> > I just think that if this is integrated from the beginning
> >>  >> > > >> > and fails builds on critical issues (to start), this could
> >>  >> > > >> > be a big differentiator, especially because we're talking
> >>  >> > > >> > about a security platform that centralizes tons of
> >>  >> > > >> > sensitive information, tries to parse almost anything
> >>  >> > > >> > that's thrown at it (think of what's been happening to AV
> >>  >> > > >> > products recently), and is open source for bad guys to dig
> >>  >> > > >> > into much more easily.
> >>  >> > > >> >
> >>  >> > > >> > Jon
> >>  >> > > >> >
> >>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <nick@nickallen.org>
> >>  >> > > >> > wrote:
> >>  >> > > >> >
> >>  >> > > >> > > I am not aware of any discussions around this, Jon. What
> >>  >> > > >> > > are you thinking?
> >>  >> > > >> > >
> >>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com
> >>  >> > > >> > > <zeolla@gmail.com> wrote:
> >>  >> > > >> > >
> >>  >> > > >> > > > I was just wondering if there is any sort of static (or
> >>  >> > > >> > > > even dynamic) code analysis, or penetration
> >>  >> > > >> > > > testing/vulnerability assessment, occurring at any
> >>  >> > > >> > > > point on the metron code. Has there been any discussion
> >>  >> > > >> > > > of installing something along those lines on the Travis
> >>  >> > > >> > > > build server (if it isn't there already)? Thanks,
> >>  >> > > >> > > >
> >>  >> > > >> > > > Jon
> >>  >> > > >> > > > --
> >>  >> > > >> > > >
> >>  >> > > >> > > > Jon
> >>  >> > > >> > > >
> >>  >> > > >> > >
> >>  >> > > >> > >
> >>  >> > > >> > >
> >>  >> > > >> > > --
> >>  >> > > >> > > Nick Allen <nick@nickallen.org>
> >>  >> > > >> > >
> >>  >> > > >> > --
> >>  >> > > >> >
> >>  >> > > >> > Jon
> >>  >> > > >> >
> >>  >> > > >>
> >>  >> > > >>
> >>  >> > > >>
> >>  >> > > >> --
> >>  >> > > >> Nick Allen <nick@nickallen.org>
> >>  >> > > >>
> >>  >> > > > --
> >>  >> > > >
> >>  >> > > > Jon
> >>  >> > > >
> >>  >> > > --
> >>  >> > >
> >>  >> > > Jon
> >>  >> > >
> >>  >> >
> >>  >> >
> >>  >> >
> >>  >> > --
> >>  >> > Nick Allen <nick@nickallen.org>
> >>  >> >
> >>  >> --
> >>  >>
> >>  >> Jon
> >>  >
> >>  > --
> >>  > Nick Allen <nick@nickallen.org>
> >>
> >>  -------------------
> >>  Thank you,
> >>
> >>  James Sirota
> >>  PPMC- Apache Metron (Incubating)
> >>  jsirota AT apache DOT org
> >>
> >>  --
> >>
> >>  Jon
> > --
> >
> > Jon
> >
> > Sent from my mobile device
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org
>
-- 

Jon
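Added example (not part of the thread above, and not the Metron project's own
configuration): a .travis.yml fragment for the Coverity Scan Travis addon that
the May 28 message describes, showing how the credential concern raised in the
top message ("I'm not aware of a safe way to automatically pass API creds ...
from GitHub") is handled in that integration. The project name, notification
address, JDK and Maven commands are placeholders chosen for illustration; the
secure: value stands in for a COVERITY_SCAN_TOKEN encrypted against the
repository with the travis CLI (travis encrypt COVERITY_SCAN_TOKEN=...).

```yaml
# Added example, not Metron's real .travis.yml. Placeholders: project name,
# notification address, JDK, Maven commands, and the encrypted token value.
language: java
jdk:
  - openjdk8          # assumed; pick whatever the project builds with

env:
  global:
    # COVERITY_SCAN_TOKEN, produced by `travis encrypt COVERITY_SCAN_TOKEN=<token>`
    # and bound to this repository's key. Travis decrypts `secure:` values only
    # for builds of branches in this repository; pull-request builds from forks
    # run without them, so a PR cannot read or exfiltrate the token.
    - secure: "REPLACE_WITH_OUTPUT_OF_travis_encrypt"

addons:
  coverity_scan:
    project:
      name: "example-org/example-project"      # placeholder GitHub org/repo
      description: "Example project for the Coverity Scan addon"
    notification_email: builds@example.com     # placeholder address
    build_command_prepend: "mvn -q clean"
    # Coverity's build capture wraps this command; tests are not needed for it.
    build_command: "mvn -q -DskipTests compile"
    # Only pushes to this branch are submitted to Coverity, so the project
    # controls the scan cadence instead of consuming quota on every push.
    branch_pattern: coverity_scan

script:
  # Normal CI still runs on every branch and PR; the scan above is a separate,
  # non-blocking step unless the project later decides to gate on its results.
  - mvn -q -DskipTests verify
```

The property that makes this safe is that the token never appears in the
repository or in a fork's build environment: it lives encrypted in the config
and is only usable by the upstream repository's own builds. That is the same
property a Jenkins job would need before wiring Veracode in the same way,
typically by binding the API credential from the Jenkins credentials store to
the job rather than committing it alongside the build.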
