metron-dev mailing list archives

From Nadir Hajiyani <nadir.hajiy...@gmail.com>
Subject Re: Secure code analysis
Date Sun, 07 Jan 2018 13:16:28 GMT
Here is the documentation for various Veracode integrations -
https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA

A few options can be explored here, like:

   - Sending the scans directly via the IDE (Eclipse, IntelliJ, Visual Studio)
   - Utilizing the API Wrapper
   - Using the Upload API (Easier said than done)


On Sun, Dec 24, 2017 at 9:58 AM, Nick Allen <nick@nickallen.org> wrote:

> > 3) I have been manually making submissions dating back to 2017-02-13, but
>
> Oh, great.
> So your general impression based on those submissions is that this would
> be useful for us?
>
> I didn't realize that you had already been reviewing the output of the tool
> over a period of time.
>
> Thanks, Jon
>
>
> On Dec 23, 2017 8:32 PM, "Zeolla@GMail.com" <zeolla@gmail.com> wrote:
>
> Sure, not a problem.
>
> (1) I went to an event where a presenter from Veracode was calling out some
> bugs in open source projects, and that Veracode wanted to be a part of the
> solution.  As such, they offered to give free analysis to open source
> projects that reach out.  At this point the account that I have access to
> is just for the Apache Metron project, but it is possible that the
> relationship could grow if it makes sense for other projects.  For
> instance, this <https://twitter.com/PeteChestna/status/943845893597483008>.
>
> (2) No specific reason - in the past I looked at Coverity (see below in
> this thread) but was deterred from personally setting it up due to some of
> their policies about who can register new scans (i.e. I was not a committer
> at the time I believe, and that level of involvement was requested).  I
> have used Veracode in the past, along with others (AppScan, Fortify, etc.),
> and had a good experience albeit in a very different setting than this.  I
> would be more than happy to play around with any of these kinds of services
> and no affinity to one or the other, but right now the only thing I
> actually have access to is Veracode and free options like Coverity.
>
> Veracode is a proprietary cloud-hosted platform that has dynamic and static
> scan offerings, and they have various integrations
> <https://community.veracode.com/s/integrations> with build systems (maven,
> Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.).  They also
> appear to have opened up their training materials
> <https://community.veracode.com/s/education-and-training>, which are handy
> to point to from time to time.  I've worked with it in the past and things
> largely seem to work as you would expect, although it has been 5 years
> since I really used their products regularly.
>
> (3) I have been manually making submissions dating back to 2017-02-13, but
> because the file transfer is uploaded from my home Internet (upload speeds
> of ~6Mbps), it takes quite a while and so I don't do it very frequently.
> Usually just around releases.
>
> Jon
>
> On Sat, Dec 23, 2017 at 11:13 AM Nick Allen <nick@nickallen.org> wrote:
>
> > > Veracode has provided us with a 100% free portal to scan the Metron code
> > > with, but in order to integrate, the safest option is probably to use the
> > > ASF's jenkins server
> >
> > (1) Can you describe this more?   How has this been provided?  Is this for
> > all Apache projects; just Metron?  Was this based on a relationship you
> > have within CA?
> >
> > (2) Why Veracode?  Can you describe this platform more?  Is it open source
> > or proprietary?  Why is this better than alternatives?
> >
> > (3) I have no objection to experimenting with the service to see if it
> > provides actionable results, but is there no simpler way to do this?  It
> > doesn't seem like we should have to mess with a bunch of Apache
> > infrastructure to see if the service works at a basic level.  Can't we
> > manually submit master and/or previous releases to Veracode to see if we
> > get actionable results?
> >
> > On Thu, Dec 21, 2017 at 10:48 AM, Zeolla@GMail.com <zeolla@gmail.com>
> > wrote:
> >
> > > Just following up on this conversation again -
> > >
> > > I have discussed this ad-hoc with a few PMC members recently and wanted to
> > > bring it up on the list.  Veracode has provided us with a 100% free portal
> > > to scan the Metron code with, but in order to integrate, the safest option
> > > is probably to use the ASF's jenkins server (as I'm not aware of a safe way
> > > to automatically pass API creds to Veracode from GitHub).  My long-term
> > > interest here would be to scan and clean up the code base generally, and
> > > then to try and scan PRs for concerns (non-blocking).  Perhaps at some
> > > point, if we identify that these scans are actually useful and not
> > > false-positive prone/onerous, we could turn this into a blocking
> > > requirement for contributions.  Being a security project, I feel that we
> > > should be doing as much as we can to ensure that what we're providing is
> > > safe.
> > >
> > > I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
> > > setup.  It looks like Veracode has a Jenkins plugin
> > > <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
> > > Jenkins has a plugin for Veracode in its plugin repo
> > > <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
> > > the ASF supports adding plugins
> > > <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
> > > to their Jenkins servers (although I think
> > > <http://What_do_Administrators_do.3F> the admins are supposed to do this),
> > > and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
> > > ASF Jenkins server.  The ASF seems to support giving non-PMC committers
> > > access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
> > > Jenkins, but it requires that the PMC chair do some work, and generally it
> > > looks like they want admins
> > > <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
> > > <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
> > > involved (I also don't have access to the builds JIRA project
> > > <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).
> > >
> > > I'm happy to play around with this and see how it could be useful, but in
> > > order to do so I need to get some additional authorization.  Does anybody
> > > have any concerns with delegating this access to me, or with this general
> > > approach?
> > >
> > > Jon
> > >
> > > On Fri, Dec 16, 2016 at 11:39 AM James Sirota <jsirota@apache.org>
> > > wrote:
> > >
> > > > That would be great. I can work with them
> > > >
> > > > 15.12.2016, 18:38, "Zeolla@GMail.com" <zeolla@gmail.com>:
> > > > > I recently discussed this topic with Veracode regarding the metron
> > > > > project and they mentioned there may be interest in providing free
> > > > > services, however they would need to work with an official project
> > > > > rep. If there's interest in pursuing this please let me know.
> > > > >
> > > > > On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <zeolla@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Per the other discussion it is possible that this conflicts with
> > > > > > the Apache stance for vulnerability disclosure/management. I'm
> > > > > > going to hold off on any additional effort until I know more.
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > > On Tue, May 31, 2016, 16:07 James Sirota <jsirota@apache.org>
> > > > > > wrote:
> > > > > >
> > > > > > Jon, would it be possible for you to scan Metron from your own
> > > > > > branch? I'd like to know if this is useful at all. If we get value
> > > > > > out of it I'll run this down and see how we can get it hooked up.
> > > > > >
> > > > > > 31.05.2016, 10:08, "Nick Allen" <nick@nickallen.org>:
> > > > > > > I connect Travis to my own personal fork of Metron so that the
> > > > > > > CI builds run on my own branches before I submit PRs. Thinking
> > > > > > > you could do the same with this. Maybe I'm wrong.
> > > > > > >
> > > > > > > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com
> > > > > > > <zeolla@gmail.com> wrote:
> > > > > > >
> > > > > > > > To register project on Coverity Scan, you must be contributor
> > > > > > > > or maintainer of the project.
> > > > > > > >
> > > > > > > > It may also be worth mentioning that there are a ton of Apache
> > > > > > > > projects already registered, including Ambari, Drill, Flume,
> > > > > > > > Hadoop, HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez,
> > > > > > > > etc. See https://scan.coverity.com/projects?page=2
> > > > > > > >
> > > > > > > > Jon
> > > > > > > >
> > > > > > > > On Tue, May 31, 2016 at 12:52 PM Nick Allen
> > > > > > > > <nick@nickallen.org> wrote:
> > > > > > > >
> > > > > > > > > You could set it up on your own fork of Metron in Github.
> > > > > > > > > Then you can tell us if it is useful at all.
> > > > > > > > >
> > > > > > > > > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com
> > > > > > > > > <zeolla@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > So I did a bit of digging today and I found a few options
> > > > > > > > > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far
> > > > > > > > > > my favourite is Coverity Scan
> > > > > > > > > > <https://scan.coverity.com/travis_ci>. I've never used this
> > > > > > > > > > product before, so I'm not exactly sure what to expect, but
> > > > > > > > > > I guess anyone can kick off a scan of an open source project
> > > > > > > > > > and get results within 48 hours. I was in the process of
> > > > > > > > > > registering Metron to be scanned but I found some things in
> > > > > > > > > > their scan user agreement which I wasn't sure everybody
> > > > > > > > > > would be in line with (see below for the excerpts - note I
> > > > > > > > > > did NOT read the entire document and IANAL).
> > > > > > > > > >
> > > > > > > > > > Here's the TL;DR of what Coverity Scan is:
> > > > > > > > > >
> > > > > > > > > > Coverity Scan <http://scan.coverity.com/> is a free static
> > > > > > > > > > code analysis tool for Java, C, C++, C# and JavaScript.
> > > > > > > > > >
> > > > > > > > > > This addon leverages the Travis-CI infrastructure to
> > > > > > > > > > automatically run code analysis on your GitHub projects.
> > > > > > > > > >
> > > > > > > > > > Coverity Scan is a service by which Coverity provides the
> > > > > > > > > > results of analysis on open source coding projects to open
> > > > > > > > > > source code developers that have registered their products
> > > > > > > > > > with Coverity Scan.
> > > > > > > > > >
> > > > > > > > > > Some examples of defects and vulnerabilities found by
> > > > > > > > > > Coverity Quality Advisor include:
> > > > > > > > > >
> > > > > > > > > > - resources leaks
> > > > > > > > > > - dereferences of NULL pointers
> > > > > > > > > > - incorrect usage of APIs
> > > > > > > > > > - use of uninitialized data
> > > > > > > > > > - memory corruptions
> > > > > > > > > > - buffer overruns
> > > > > > > > > > - control flow issues
> > > > > > > > > > - error handling issues
> > > > > > > > > > - incorrect expressions
> > > > > > > > > > - concurrency issues
> > > > > > > > > > - insecure data handling
> > > > > > > > > > - unsafe use of signed values
> > > > > > > > > > - use of resources that have been freed
> > > > > > > > > >
> > > > > > > > > > Register your project with Coverity Scan by completing the
> > > > > > > > > > project registration form found at scan.coverity.com. Upon
> > > > > > > > > > your completion of project registration (including
> > > > > > > > > > acceptance of the Scan User Agreement) and your receipt of
> > > > > > > > > > confirmation of registration of your project, you will be
> > > > > > > > > > able to download the Software required to submit a build of
> > > > > > > > > > your code for analysis by Coverity Scan. You may then
> > > > > > > > > > download the Software, complete a build and submit your
> > > > > > > > > > Registered Project build for analysis and review in
> > > > > > > > > > Coverity Scan. Coverity Scan is only available for use with
> > > > > > > > > > open source projects that are registered with Coverity Scan.
> > > > > > > > > >
> > > > > > > > > > Here are some interesting snippets from their scan user
> > > > > > > > > > agreement:
> > > > > > > > > >
> > > > > > > > > > Your use of our software is acceptance of our Terms
> > > > > > > > > > <https://scan.coverity.com/policy>
> > > > > > > > > >
> > > > > > > > > > You will not disassemble, decompile, reverse engineer,
> > > > > > > > > > modify or create derivative works of Our Service, software
> > > > > > > > > > products or documentation nor permit any third party to do
> > > > > > > > > > so, except to the extent such restrictions are prohibited
> > > > > > > > > > by applicable mandatory local law
> > > > > > > > > >
> > > > > > > > > > You will not disclose to any third party any comparison of
> > > > > > > > > > the results of operation of Our Service or software
> > > > > > > > > > products with other services or products, except as
> > > > > > > > > > expressly permitted by this Agreement
> > > > > > > > > >
> > > > > > > > > > You will not publish any findings regarding or resulting
> > > > > > > > > > from use of the Service or the Software
> > > > > > > > > >
> > > > > > > > > > You agree that We may use Your name and logo (in a form
> > > > > > > > > > approved by You) and Registered Product information to
> > > > > > > > > > identify You and such project as a participant of Our Scan
> > > > > > > > > > Program on Our website or in Our marketing or publicity
> > > > > > > > > > materials or in any filings made in connection with state
> > > > > > > > > > or federal securities laws.
> > > > > > > > > >
> > > > > > > > > > Additionally, upon execution of this Agreement, the parties
> > > > > > > > > > will use commercially reasonable efforts to issue mutually
> > > > > > > > > > agreed upon joint press releases or other public
> > > > > > > > > > communications announcing Your entry into this Agreement.
> > > > > > > > > >
> > > > > > > > > > At Our written request, You will furnish Us with (a) a
> > > > > > > > > > certification signed by an officer of Your company
> > > > > > > > > > providing user or access information that identifies
> > > > > > > > > > whether the Service and the Software is being used in
> > > > > > > > > > accordance with the terms of this Agreement, and (b) log
> > > > > > > > > > files from any License Manager. Upon at least thirty (30)
> > > > > > > > > > days prior written notice, We may engage, at Our expense,
> > > > > > > > > > an independent auditor to audit Your use of the Service and
> > > > > > > > > > the Software to ensure that You are in compliance with the
> > > > > > > > > > terms of this Agreement. ... You will provide the auditor
> > > > > > > > > > with access to the relevant records and facilities.
> > > > > > > > > >
> > > > > > > > > > Jon
> > > > > > > > > >
> > > > > > > > > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com
> > > > > > > > > > <zeolla@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > There's nothing built-in with Travis, but we could
> > > > > > > > > > > install a tool to do this as part of the installation of
> > > > > > > > > > > tools on the build box. I'm gonna reach out to people in
> > > > > > > > > > > my local circle who specialize in secure code analysis
> > > > > > > > > > > and see what all of the options are.
> > > > > > > > > > >
> > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen
> > > > > > > > > > > <nick@nickallen.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I completely agree that we will need some focus on
> > > > > > > > > > > > this.
> > > > > > > > > > > >
> > > > > > > > > > > > What could Travis do for us? I wasn't aware that they
> > > > > > > > > > > > offered security scanning.
> > > > > > > > > > > >
> > > > > > > > > > > > Are you aware of any security scan services that offer
> > > > > > > > > > > > free support to open source projects?
> > > > > > > > > > > >
> > > > > > > > > > > > On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com
> > > > > > > > > > > > <zeolla@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > So I've never done anything like this before in
> > > > > > > > > > > > > Travis but I have done IDE plugins and pre prod
> > > > > > > > > > > > > scans in the past at large companies which worked
> > > > > > > > > > > > > well. I floated the idea past a friend working at
> > > > > > > > > > > > > Travis and she said if we go that route she would
> > > > > > > > > > > > > assist.
> > > > > > > > > > > > >
> > > > > > > > > > > > > I just think that if this is integrated from the
> > > > > > > > > > > > > beginning and fail builds on critical issues (to
> > > > > > > > > > > > > start), this could be a big differentiator,
> > > > > > > > > > > > > especially because we're talking about a security
> > > > > > > > > > > > > platform that centralizes tons of sensitive
> > > > > > > > > > > > > information, tries to parse almost anything that's
> > > > > > > > > > > > > thrown at it (think of what's been happening to AV
> > > > > > > > > > > > > products recently), and is open source for bad guys
> > > > > > > > > > > > > to dig into much more easily.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Jon
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Fri, May 27, 2016, 09:34 Nick Allen
> > > > > > > > > > > > > <nick@nickallen.org> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I am not aware of any discussions around this,
> > > > > > > > > > > > > > Jon. What are you thinking?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com
> > > > > > > > > > > > > > <zeolla@gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I was just wondering if there is any sort of
> > > > > > > > > > > > > > > static (or even dynamic) code analysis, or
> > > > > > > > > > > > > > > penetration testing/vulnerability assessment,
> > > > > > > > > > > > > > > occurring at any point on the metron code. Has
> > > > > > > > > > > > > > > there been any discussion of installing
> > > > > > > > > > > > > > > something along those lines on the Travis build
> > > > > > > > > > > > > > > server (if it isn't there already)? Thanks,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Jon
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Jon
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Nick Allen <nick@nickallen.org>
> > > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > > > Jon
> > > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Nick Allen <nick@nickallen.org>
> > > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > >
> > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > >
> > > > > > > > > > Jon
> > > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Nick Allen <nick@nickallen.org>
> > > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > > Jon
> > > > > > >
> > > > > > > --
> > > > > > > Nick Allen <nick@nickallen.org>
> > > > > >
> > > > > > -------------------
> > > > > > Thank you,
> > > > > >
> > > > > > James Sirota
> > > > > > PPMC- Apache Metron (Incubating)
> > > > > > jsirota AT apache DOT org
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Jon
> > > > > --
> > > > >
> > > > > Jon
> > > > >
> > > > > Sent from my mobile device
> > > >
> > > > -------------------
> > > > Thank you,
> > > >
> > > > James Sirota
> > > > PPMC- Apache Metron (Incubating)
> > > > jsirota AT apache DOT org
> > > >
> > > --
> > >
> > > Jon
> > >
> >
> --
>
> Jon
>



-- 
Regards,
Nadir Hajiyani
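The thread quoted above raises two practical points without showing what they look like in a build file: the Coverity Scan addon for Travis CI that Jon found, and his later worry that there is no safe way to hand a scanner's API credential to a hosted CI job. The following `.travis.yml` fragment is an added example written for this archive page, not configuration from Metron, Coverity or Veracode. The addon keys are the ones the Coverity Scan Travis integration documents (`addons.coverity_scan.project`, `notification_email`, `build_command_prepend`, `build_command`, `branch_pattern`); the project slug, e-mail address, branch name and Maven commands are placeholders.

```yaml
# .travis.yml fragment (added example; the project slug, e-mail address,
# branch name and build commands are placeholders, not a real project's values)
language: java

env:
  global:
    # Weak: a scanner token committed in clear text is readable by everyone
    # who can see the repository and by every build, including PR builds.
    #   - COVERITY_SCAN_TOKEN=<plain-text token>        # do not do this
    #
    # Corrected: create the value with `travis encrypt COVERITY_SCAN_TOKEN=<token>`
    # from a checkout of the repository. Travis decrypts it only for builds
    # of the repository itself, never for pull requests coming from forks,
    # so an outside PR cannot read or exfiltrate the credential.
    - secure: "<encrypted COVERITY_SCAN_TOKEN placeholder>"

addons:
  coverity_scan:
    project:
      name: "example-org/example-project"            # placeholder GitHub slug
      description: "Build submitted via Travis CI"
    notification_email: scan-results@example.com     # placeholder address
    # The addon wraps build_command in Coverity's cov-build and uploads the
    # captured build; the prepend step clears stale output so the whole
    # compile is observed by the analyser.
    build_command_prepend: "mvn clean"
    build_command: "mvn -DskipTests=true compile"
    # Only pushes to this branch trigger a scan. Regular CI on master and on
    # PRs is untouched, and the upload quota is spent deliberately, e.g. by
    # fast-forwarding this branch around a release.
    branch_pattern: coverity_scan
```

This matches the "scan your own fork first" suggestion made earlier in the thread: enabling the addon on a personal fork, with `project.name` pointing at that fork, lets one person judge whether the findings are actionable before any project-level credential or ASF infrastructure is involved. The results land in the Coverity Scan portal rather than in the build log, so nothing about the findings is exposed through public CI output while the project decides how to handle them.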
