Posted to dev@metron.apache.org by "Zeolla@GMail.com" <ze...@gmail.com> on 2016/05/26 20:35:54 UTC

Secure code analysis

I was just wondering if there is any sort of static (or even dynamic) code
analysis, or penetrating testing/vulnerability assessment, occurring at any
point on the metron code.  Has there been any discussion of installing
something along those lines on the Travis build server (if it isn't there
already)?  Thanks,

Jon
-- 

Jon

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
I would like to volunteer some effort to see how we might be able to
integrate Veracode scans with the ASF Jenkins instance to see how it could
be useful, but in order to do so I need to get some additional
authorization.  *Would a PMC member mind getting me access* so I can take a
look, given that nobody seems to have had an issue with this?  For
reference, from my prior email:

The ASF seems to support giving non-PMC committers access
<https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
Jenkins, but it requires that the PMC chair do some work, and generally it
looks like they want admins
<https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
<https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
involved (I also don't have access to the builds JIRA project
<https://issues.apache.org/jira/projects/BUILDS>, if it really exists).

Jon

On Sun, Jan 7, 2018 at 8:16 AM Nadir Hajiyani <na...@gmail.com> wrote:

> Here is the documentation for various Veracode integrations -
> https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA
>
> A few options can be explored here, like:
>
>    - Sending the scans directly via the IDE (Eclipse, IntelliJ, Visual Studio)
>    - Utilizing the API Wrapper
>    - Using the Upload API (Easier said than done)
>
> On Sun, Dec 24, 2017 at 9:58 AM, Nick Allen <ni...@nickallen.org> wrote:
>
> > > 3) I have been manually making submissions dating back to 2017-02-13, but
> >
> > Oh, great.
> > So your general impression based on those submissions is that this would be useful for us?
> >
> > I didn't realize that you had already been reviewing the output of the tool over a period of time.
> >
> > Thanks, Jon
> >
> > On Dec 23, 2017 8:32 PM, "Zeolla@GMail.com" <ze...@gmail.com> wrote:
> >
> > Sure, not a problem.
> >
> > (1) I went to an event where a presenter from Veracode was calling out some bugs in open source projects, and that Veracode wanted to be a part of the solution.  As such, they offered to give free analysis to open source projects that reach out.  At this point the account that I have access to is just for the Apache Metron project, but it is possible that the relationship could grow if it makes sense for other projects.  For instance, this <https://twitter.com/PeteChestna/status/943845893597483008>.
> >
> > (2) No specific reason - in the past I looked at Coverity (see below in this thread) but was deterred from personally setting it up due to some of their policies about who can register new scans (i.e. I was not a committer at the time I believe, and that level of involvement was requested).  I have used Veracode in the past, along with others (AppScan, Fortify, etc.), and had a good experience albeit in a very different setting than this.  I would be more than happy to play around with any of these kinds of services and have no affinity to one or the other, but right now the only thing I actually have access to is Veracode and free options like Coverity.
> >
> > Veracode is a proprietary cloud-hosted platform that has dynamic and static scan offerings, and they have various integrations <https://community.veracode.com/s/integrations> with build systems (maven, Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.).  They also appear to have opened up their training materials <https://community.veracode.com/s/education-and-training>, which are handy to point to from time to time.  I've worked with it in the past and things largely seem to work as you would expect, although it has been 5 years since I really used their products regularly.
> >
> > (3) I have been manually making submissions dating back to 2017-02-13, but because the file transfer is uploaded from my home Internet (upload speeds of ~6Mbps), it takes quite a while and so I don't do it very frequently.  Usually just around releases.
> >
> > Jon
> >
> > On Sat, Dec 23, 2017 at 11:13 AM Nick Allen <ni...@nickallen.org> wrote:
> >
> > > > Veracode has provided us with a 100% free portal to scan the Metron code with, but in order to integrate, the safest option is probably to use the ASF's jenkins server
> > >
> > > (1) Can you describe this more?  How has this been provided?  Is this for all Apache projects; just Metron?  Was this based on a relationship you have within CA?
> > >
> > > (2) Why Veracode?  Can you describe this platform more?  Is it open source or proprietary?  Why is this better than alternatives?
> > >
> > > (3) I have no objection to experimenting with the service to see if it provides actionable results, but is there no simpler way to do this?  It doesn't seem like we should have to mess with a bunch of Apache infrastructure to see if the service works at a basic level.  Can't we manually submit master and/or previous releases to Veracode to see if we get actionable results?
> > >
> > > On Thu, Dec 21, 2017 at 10:48 AM, Zeolla@GMail.com <ze...@gmail.com> wrote:
> > >
> > > > Just following up on this conversation again -
> > > >
> > > > I have discussed this ad-hoc with a few PMC members recently and wanted to bring it up on the list.  Veracode has provided us with a 100% free portal to scan the Metron code with, but in order to integrate, the safest option is probably to use the ASF's jenkins server (as I'm not aware of a safe way to automatically pass API creds to Veracode from GitHub).  My long-term interest here would be to scan and clean up the code base generally, and then to try and scan PRs for concerns (non-blocking).  Perhaps at some point, if we identify that these scans are actually useful and not false-positive prone/onerous, we could turn this into a blocking requirement for contributions.  Being a security project, I feel that we should be doing as much as we can to ensure that what we're providing is safe.
> > > >
> > > > I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins setup.  It looks like Veracode has a Jenkins plugin <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>, Jenkins has a plugin for Veracode in its plugin repo <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode), the ASF supports adding plugins <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F> to their Jenkins servers (although I think <http://What_do_Administrators_do.3F> the admins are supposed to do this), and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the ASF Jenkins server.  The ASF seems to support giving non-PMC committers access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to Jenkins, but it requires that the PMC chair do some work, and generally it looks like they want admins <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be involved (I also don't have access to the builds JIRA project <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).
> > > >
> > > > I'm happy to play around with this and see how it could be useful, but in order to do so I need to get some additional authorization.  Does anybody have any concerns with delegating this access to me, or with this general approach?
> > > >
> > > > Jon
> > > >
> > > > On Fri, Dec 16, 2016 at 11:39 AM James Sirota <js...@apache.org> wrote:
> > > >
> > > > > That would be great. I can work with them
> > > > >
> > > > > 15.12.2016, 18:38, "Zeolla@GMail.com" <ze...@gmail.com>:
> > > > > > I recently discussed this topic with Veracode regarding the metron project and they mentioned there may be interest in providing free services, however they would need to work with an official project rep. If there's interest in pursuing this please let me know.
> > > > > >
> > > > > > On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <ze...@gmail.com> wrote:
> > > > > >
> > > > > > > Per the other discussion it is possible that this conflicts with the Apache stance for vulnerability disclosure/management. I'm going to hold off on any additional effort until I know more.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > > On Tue, May 31, 2016, 16:07 James Sirota <js...@apache.org> wrote:
> > > > > > >
> > > > > > > Jon, would it be possible for you to scan Metron from your own branch?  I'd like to know if this is useful at all. If we get value out of it I'll run this down and see how we can get it hooked up.
> > > > > > >
> > > > > > > 31.05.2016, 10:08, "Nick Allen" <ni...@nickallen.org>:
> > > > > > > > I connect Travis to my own personal fork of Metron so that the CI builds run on my own branches before I submit PRs. Thinking you could do the same with this. Maybe I'm wrong.
> > > > > > > >
> > > > > > > > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > To register a project on Coverity Scan, you must be a contributor or maintainer of the project.
> > > > > > > > >
> > > > > > > > > It may also be worth mentioning that there are a ton of Apache projects already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See https://scan.coverity.com/projects?page=2
> > > > > > > > >
> > > > > > > > > Jon
> > > > > > > > >
> > > > > > > > > On Tue, May 31, 2016 at 12:52 PM Nick Allen <nick@nickallen.org> wrote:
> > > > > > > > >
> > > > > > > > > > You could set it up on your own fork of Metron in Github. Then you can tell us if it is useful at all.
> > > > > > > > > >
> > > > > > > > > > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > So I did a bit of digging today and I found a few options <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.  I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).
> > > > > > > > > > >
> > > > > > > > > > > Here's the TL;DR of what Coverity Scan is:
> > > > > > > > > > >
> > > > > > > > > > > Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.
> > > > > > > > > > >
> > > > > > > > > > > This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.
> > > > > > > > > > >
> > > > > > > > > > > Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.
> > > > > > > > > > >
> > > > > > > > > > > Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:
> > > > > > > > > > >
> > > > > > > > > > > - resource leaks
> > > > > > > > > > > - dereferences of NULL pointers
> > > > > > > > > > > - incorrect usage of APIs
> > > > > > > > > > > - use of uninitialized data
> > > > > > > > > > > - memory corruptions
> > > > > > > > > > > - buffer overruns
> > > > > > > > > > > - control flow issues
> > > > > > > > > > > - error handling issues
> > > > > > > > > > > - incorrect expressions
> > > > > > > > > > > - concurrency issues
> > > > > > > > > > > - insecure data handling
> > > > > > > > > > > - unsafe use of signed values
> > > > > > > > > > > - use of resources that have been freed
> > > > > > > > > > >
> > > > > > > > > > > Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.
> > > > > > > > > > >
> > > > > > > > > > > Here are some interesting snippets from their scan user agreement:
> > > > > > > > > > >
> > > > > > > > > > > Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>
> > > > > > > > > > >
> > > > > > > > > > > You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law
> > > > > > > > > > >
> > > > > > > > > > > You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement
> > > > > > > > > > >
> > > > > > > > > > > You will not publish any findings regarding or resulting from use of the Service or the Software
> > > > > > > > > > >
> > > > > > > > > > > You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.
> > > > > > > > > > >
> > > > > > > > > > > Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.
> > > > > > > > > > >
> > > > > > > > > > > At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.
> > > > > > > > > > >
> > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <zeolla@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box.  I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.
> > > > > > > > > > > >
> > > > > > > > > > > > Jon
> > > > > > > > > > > >
> > > > > > > > > > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <nick@nickallen.org> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > I completely agree that we will need some focus on this.
> > > > > > > > > > > > >
> > > > > > > > > > > > > What could Travis do for us? I wasn't aware that they offered security scanning.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Are you aware of any security scan services that offer free support to open source projects?
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > So I've never done anything like this before in Travis but I have done IDE plugins and pre-prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I just think that if this is integrated from the beginning and fails builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Jon
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Fri, May 27, 2016, 09:34 Nick Allen <nick@nickallen.org> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I am not aware of any discussions around this, Jon.  What are you thinking?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)? Thanks,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Jon
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Jon
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > Nick Allen <ni...@nickallen.org>
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Jon
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Nick Allen <ni...@nickallen.org>
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Jon
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Nick Allen <ni...@nickallen.org>
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Jon
> > > > > > > >
> > > > > > > > --
> > > > > > > > Nick Allen <ni...@nickallen.org>
> > > > > > >
> > > > > > > -------------------
> > > > > > > Thank you,
> > > > > > >
> > > > > > > James Sirota
> > > > > > > PPMC- Apache Metron (Incubating)
> > > > > > > jsirota AT apache DOT org
> > > > > > >
> > > > > > > --
> > > > > > > Jon
> > > > > >
> > > > > > --
> > > > > > Jon
> > > > > >
> > > > > > Sent from my mobile device
> > > > >
> > > > > -------------------
> > > > > Thank you,
> > > > >
> > > > > James Sirota
> > > > > PPMC- Apache Metron (Incubating)
> > > > > jsirota AT apache DOT org
> > > >
> > > > --
> > > > Jon
> >
> > --
> > Jon
>
> --
> Regards,
> Nadir Hajiyani
-- 

Jon
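The Coverity Scan Travis CI addon that the quoted May 2016 messages point at (scan.coverity.com/travis_ci) is driven entirely from the repository's .travis.yml. The fragment below is an added illustration of that configuration and is not Metron's own Travis file or anything posted in this thread; the GitHub slug, notification address, JDK, Maven build commands and the encrypted token value are all assumptions. The point it shows is how the addon handles the credential question raised in the Dec 2017 messages: the scan token is never written into the repository but is supplied as a Travis encrypted environment variable that only builds of the main repository can decrypt.

```yaml
# .travis.yml  (added example; not the Metron project's real Travis configuration)
language: java
jdk:
  - oraclejdk8          # assumed; pick whatever the project actually builds with

env:
  global:
    # Ciphertext produced by `travis encrypt COVERITY_SCAN_TOKEN=<token>`.
    # The value below is a placeholder: the real ciphertext is repo-specific,
    # and the plaintext token must never be committed.
    - secure: "ENCRYPTED_COVERITY_SCAN_TOKEN_GOES_HERE"

addons:
  coverity_scan:
    project:
      # Assumed GitHub slug; the project has to be registered at
      # scan.coverity.com under this name before the first submission.
      name: "apache/metron"
      description: "Build submitted via Travis CI"
    # Assumed address; Coverity mails the analysis summary here.
    notification_email: dev@metron.apache.org
    # Metron is a Maven build. Compiling without tests is enough for the
    # Coverity build capture, which only needs to observe the compilation.
    build_command_prepend: "mvn clean"
    build_command: "mvn -DskipTests=true compile"
    # Only builds of this branch are submitted to Coverity, so scan quota is
    # spent on deliberate runs rather than on every push.
    branch_pattern: coverity_scan

# Ordinary CI for every other branch is unchanged.
script:
  - mvn -q test
```

Two caveats a practitioner would check before relying on this. Travis does not expose encrypted environment variables to pull-request builds that originate from forks, so the addon cannot authenticate on the per-PR scans Jon describes wanting; with this layout it only runs on pushes to the named branch of the main repository, which is the same limitation that pushed the thread toward the ASF Jenkins server. And the Scan User Agreement excerpted in the thread still governs what may be published from the results, regardless of how the submission is automated.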

Re: Secure code analysis

Posted by Nadir Hajiyani <na...@gmail.com>.
Here is the documentation for various Veracode integrations -
https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA

A few options can be explored here, like:

   - Sending the scans directly via the IDE (Eclipse, IntelliJ, Visual Studio)
   - Utilizing the API Wrapper
   - Using the Upload API (Easier said than done)

> so
> > > > far my
> > > > >>  >> > > favourite is Coverity Scan <https://scan.coverity.com/
> > > travis_ci
> > > > >.
> > > > >>  >> I've
> > > > >>  >> > > never used this product before, so I'm not exactly sure
> what
> > > to
> > > > >>  expect,
> > > > >>  >> > but
> > > > >>  >> > > I guess anyone can kick off a scan of an open source
> project
> > > and
> > > > >>  get
> > > > >>  >> > > results within 48 hours. I was in the process of
> registering
> > > > >>  Metron to
> > > > >>  >> > be
> > > > >>  >> > > scanned but I found some things in their scan user
> agreement
> > > > which
> > > > >>  I
> > > > >>  >> > wasn't
> > > > >>  >> > > sure everybody would be in line with (see below for the
> > > > excerpts -
> > > > >>  >> note I
> > > > >>  >> > > did NOT read the entire document and IANAL).
> > > > >>  >> > >
> > > > >>  >> > > Here's the TL;DR of what Coverity Scan is:
> > > > >>  >> > >
> > > > >>  >> > > Coverity Scan <http://scan.coverity.com/> is a free
> static
> > > code
> > > > >>  >> analysis
> > > > >>  >> > > tool for Java, C, C++, C# and JavaScript.
> > > > >>  >> > >
> > > > >>  >> > > This addon leverages the Travis-CI infrastructure to
> > > > automatically
> > > > >>  run
> > > > >>  >> > code
> > > > >>  >> > > analysis on your GitHub projects.
> > > > >>  >> > >
> > > > >>  >> > > Coverity Scan is a service by which Coverity provides the
> > > > results
> > > > >>  of
> > > > >>  >> > > analysis on open source coding projects to open source
> code
> > > > >>  developers
> > > > >>  >> > that
> > > > >>  >> > > have registered their products with Coverity Scan.
> > > > >>  >> > >
> > > > >>  >> > > Some examples of defects and vulnerabilities found by
> > Coverity
> > > > >>  Quality
> > > > >>  >> > > Advisor include:
> > > > >>  >> > >
> > > > >>  >> > > - resources leaks
> > > > >>  >> > > - dereferences of NULL pointers
> > > > >>  >> > > - incorrect usage of APIs
> > > > >>  >> > > - use of uninitialized data
> > > > >>  >> > > - memory corruptions
> > > > >>  >> > > - buffer overruns
> > > > >>  >> > > - control flow issues
> > > > >>  >> > > - error handling issues
> > > > >>  >> > > - incorrect expressions
> > > > >>  >> > > - concurrency issues
> > > > >>  >> > > - insecure data handling
> > > > >>  >> > > - unsafe use of signed values
> > > > >>  >> > > - use of resources that have been freed
> > > > >>  >> > >
> > > > >>  >> > > Register your project with Coverity Scan by completing the
> > > > project
> > > > >>  >> > > registration form found at scan.coverity.com. Upon your
> > > > >>  completion of
> > > > >>  >> > > project registration (including acceptance of the Scan
> User
> > > > >>  Agreement)
> > > > >>  >> > and
> > > > >>  >> > > your receipt of confirmation of registration of your
> > project,
> > > > you
> > > > >>  will
> > > > >>  >> be
> > > > >>  >> > > able to download the Software required to submit a build
> of
> > > your
> > > > >>  code
> > > > >>  >> for
> > > > >>  >> > > analysis by Coverity Scan. You may then download the
> > Software,
> > > > >>  >> complete a
> > > > >>  >> > > build and submit your Registered Project build for
> analysis
> > > and
> > > > >>  review
> > > > >>  >> in
> > > > >>  >> > > Coverity Scan. Coverity Scan is only available for use
> with
> > > open
> > > > >>  source
> > > > >>  >> > > projects that are registered with Coverity Scan.
> > > > >>  >> > > Here are some interesting snippets from their scan user
> > > > agreement:
> > > > >>  >> > >
> > > > >>  >> > > Your use of our software is acceptance of our Terms
> > > > >>  >> > > <https://scan.coverity.com/policy>
> > > > >>  >> > >
> > > > >>  >> > > You will not disassemble, decompile, reverse engineer,
> > modify
> > > or
> > > > >>  create
> > > > >>  >> > > derivative works of Our Service, software products or
> > > > >>  documentation nor
> > > > >>  >> > > permit any third party to do so, except to the extent such
> > > > >>  restrictions
> > > > >>  >> > are
> > > > >>  >> > > prohibited by applicable mandatory local law
> > > > >>  >> > >
> > > > >>  >> > > You will not disclose to any third party any comparison of
> > the
> > > > >>  results
> > > > >>  >> of
> > > > >>  >> > > operation of Our Service or software products with other
> > > > services
> > > > >>  or
> > > > >>  >> > > products, except as expressly permitted by this Agreement
> > > > >>  >> > >
> > > > >>  >> > > You will not publish any findings regarding or resulting
> > from
> > > > use
> > > > >>  of
> > > > >>  >> the
> > > > >>  >> > > Service or the Software
> > > > >>  >> > >
> > > > >>  >> > > You agree that We may use Your name and logo (in a form
> > > > approved by
> > > > >>  >> You)
> > > > >>  >> > > and Registered Product information to identify You and
> such
> > > > >>  project as
> > > > >>  >> a
> > > > >>  >> > > participant of Our Scan Program on Our website or in Our
> > > > marketing
> > > > >>  or
> > > > >>  >> > > publicity materials or in any filings made in connection
> > with
> > > > >>  state or
> > > > >>  >> > > federal securities laws.
> > > > >>  >> > >
> > > > >>  >> > > Additionally, upon execution of this Agreement, the
> parties
> > > will
> > > > >>  use
> > > > >>  >> > > commercially reasonable efforts to issue mutually agreed
> > upon
> > > > joint
> > > > >>  >> press
> > > > >>  >> > > releases or other public communications announcing Your
> > entry
> > > > into
> > > > >>  this
> > > > >>  >> > > Agreement.
> > > > >>  >> > >
> > > > >>  >> > > At Our written request, You will furnish Us with (a) a
> > > > >>  certification
> > > > >>  >> > signed
> > > > >>  >> > > by an officer of Your company providing user or access
> > > > information
> > > > >>  that
> > > > >>  >> > > identifies whether the Service and the Software is being
> > used
> > > in
> > > > >>  >> > accordance
> > > > >>  >> > > with the terms of this Agreement, and (b) log files from
> any
> > > > >>  License
> > > > >>  >> > > Manager. Upon at least thirty (30) days prior written
> > notice,
> > > We
> > > > >>  may
> > > > >>  >> > > engage, at Our expense, an independent auditor to audit
> Your
> > > use
> > > > >>  of the
> > > > >>  >> > > Service and the Software to ensure that You are in
> > compliance
> > > > with
> > > > >>  the
> > > > >>  >> > > terms of this Agreement. ... You will provide the auditor
> > with
> > > > >>  access
> > > > >>  >> to
> > > > >>  >> > > the relevant records and facilities.
> > > > >>  >> > >
> > > > >>  >> > > Jon
> > > > >>  >> > >
> > > > >>  >> > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <
> > > > >>  zeolla@gmail.com>
> > > > >>  >> > > wrote:
> > > > >>  >> > >
> > > > >>  >> > > > There's nothing built-in with Travis, but we could
> > install a
> > > > >>  tool to
> > > > >>  >> do
> > > > >>  >> > > > this as part of the installation of tools on the build
> > box.
> > > > I'm
> > > > >>  >> gonna
> > > > >>  >> > > > reach out to people in my local circle who specialize in
> > > > secure
> > > > >>  code
> > > > >>  >> > > > analysis and see what all of the options are.
> > > > >>  >> > > >
> > > > >>  >> > > > Jon
> > > > >>  >> > > >
> > > > >>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <
> > > > nick@nickallen.org>
> > > > >>  >> wrote:
> > > > >>  >> > > >
> > > > >>  >> > > >> I completely agree that we will need some focus on
> this.
> > > > >>  >> > > >>
> > > > >>  >> > > >> What could Travis do for us? I wasn't aware that they
> > > offered
> > > > >>  >> > security
> > > > >>  >> > > >> scanning.
> > > > >>  >> > > >>
> > > > >>  >> > > >> Are you aware of any security scan services that offer
> > free
> > > > >>  support
> > > > >>  >> to
> > > > >>  >> > > >> open
> > > > >>  >> > > >> source projects?
> > > > >>  >> > > >>
> > > > >>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <
> > > > >>  zeolla@gmail.com
> > > > >>  >> >
> > > > >>  >> > > >> wrote:
> > > > >>  >> > > >>
> > > > >>  >> > > >> > So I've never done anything like this before in
> Travis
> > > but
> > > > I
> > > > >>  have
> > > > >>  >> > done
> > > > >>  >> > > >> IDE
> > > > >>  >> > > >> > plugins and pre prod scans in the past at large
> > companies
> > > > >>  which
> > > > >>  >> > worked
> > > > >>  >> > > >> > well. I floated the idea past a friend working at
> > Travis
> > > > and
> > > > >>  she
> > > > >>  >> > said
> > > > >>  >> > > >> if
> > > > >>  >> > > >> > we go that route she would assist.
> > > > >>  >> > > >> >
> > > > >>  >> > > >> > I just think that if this is integrated from the
> > > beginning
> > > > and
> > > > >>  >> fail
> > > > >>  >> > > >> builds
> > > > >>  >> > > >> > on critical issues (to start), this could be a big
> > > > >>  differentiator,
> > > > >>  >> > > >> > especially because we're talking about a security
> > > platform
> > > > >>  that
> > > > >>  >> > > >> centralizes
> > > > >>  >> > > >> > tons of sensitive information, tries to parse almost
> > > > anything
> > > > >>  >> that's
> > > > >>  >> > > >> thrown
> > > > >>  >> > > >> > at it (think of what's been happening to AV products
> > > > >>  recently),
> > > > >>  >> and
> > > > >>  >> > is
> > > > >>  >> > > >> open
> > > > >>  >> > > >> > source for bad guys to dig into much more easily.
> > > > >>  >> > > >> >
> > > > >>  >> > > >> > Jon
> > > > >>  >> > > >> >
> > > > >>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <
> > > nick@nickallen.org
> > > > >
> > > > >>  >> wrote:
> > > > >>  >> > > >> >
> > > > >>  >> > > >> > > I am not aware of any discussions around this, Jon.
> > > What
> > > > are
> > > > >>  >> you
> > > > >>  >> > > >> > thinking?
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com
> <
> > > > >>  >> > zeolla@gmail.com
> > > > >>  >> > > >
> > > > >>  >> > > >> > > wrote:
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > > > I was just wondering if there is any sort of
> static
> > > (or
> > > > >>  even
> > > > >>  >> > > >> dynamic)
> > > > >>  >> > > >> > > code
> > > > >>  >> > > >> > > > analysis, or penetrating testing/vulnerability
> > > > assessment,
> > > > >>  >> > > >> occurring at
> > > > >>  >> > > >> > > any
> > > > >>  >> > > >> > > > point on the metron code. Has there been any
> > > > discussion of
> > > > >>  >> > > >> installing
> > > > >>  >> > > >> > > > something along those lines on the Travis build
> > > server
> > > > >>  (if it
> > > > >>  >> > > isn't
> > > > >>  >> > > >> > there
> > > > >>  >> > > >> > > > already)? Thanks,
> > > > >>  >> > > >> > > >
> > > > >>  >> > > >> > > > Jon
> > > > >>  >> > > >> > > > --
> > > > >>  >> > > >> > > >
> > > > >>  >> > > >> > > > Jon
> > > > >>  >> > > >> > > >
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > > --
> > > > >>  >> > > >> > > Nick Allen <ni...@nickallen.org>
> > > > >>  >> > > >> > >
> > > > >>  >> > > >> > --
> > > > >>  >> > > >> >
> > > > >>  >> > > >> > Jon
> > > > >>  >> > > >> >
> > > > >>  >> > > >>
> > > > >>  >> > > >>
> > > > >>  >> > > >>
> > > > >>  >> > > >> --
> > > > >>  >> > > >> Nick Allen <ni...@nickallen.org>
> > > > >>  >> > > >>
> > > > >>  >> > > > --
> > > > >>  >> > > >
> > > > >>  >> > > > Jon
> > > > >>  >> > > >
> > > > >>  >> > > --
> > > > >>  >> > >
> > > > >>  >> > > Jon
> > > > >>  >> > >
> > > > >>  >> >
> > > > >>  >> >
> > > > >>  >> >
> > > > >>  >> > --
> > > > >>  >> > Nick Allen <ni...@nickallen.org>
> > > > >>  >> >
> > > > >>  >> --
> > > > >>  >>
> > > > >>  >> Jon
> > > > >>  >
> > > > >>  > --
> > > > >>  > Nick Allen <ni...@nickallen.org>
> > > > >>
> > > > >>  -------------------
> > > > >>  Thank you,
> > > > >>
> > > > >>  James Sirota
> > > > >>  PPMC- Apache Metron (Incubating)
> > > > >>  jsirota AT apache DOT org
> > > > >>
> > > > >>  --
> > > > >>
> > > > >>  Jon
> > > > > --
> > > > >
> > > > > Jon
> > > > >
> > > > > Sent from my mobile device
> > > >
> > > > -------------------
> > > > Thank you,
> > > >
> > > > James Sirota
> > > > PPMC- Apache Metron (Incubating)
> > > > jsirota AT apache DOT org
> > > >
> > > --
> > >
> > > Jon
> > >
> >
> --
>
> Jon
>



-- 
Regards,
Nadir Hajiyani

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
> 3) I have been manually making submissions dating back to 2017-02-13, but

Oh, great.
So your general impression based on those submissions is that this would
be useful for us?

I didn't realize that you had already been reviewing the output of the tool
over a period of time.

Thanks, Jon


On Dec 23, 2017 8:32 PM, "Zeolla@GMail.com" <ze...@gmail.com> wrote:

Sure, not a problem.

(1) I went to an event where a presenter from Veracode was calling out some
bugs in open source projects, and that Veracode wanted to be a part of the
solution.  As such, they offered to give free analysis to open source
projects that reach out.  At this point the account that I have access to
is just for the Apache Metron project, but it is possible that the
relationship could grow if it makes sense for other projects.  For
instance, this <https://twitter.com/PeteChestna/status/943845893597483008>.

(2) No specific reason - in the past I looked at Coverity (see below in
this thread) but was deterred from personally setting it up due to some of
their policies about who can register new scans (i.e. I was not a committer
at the time I believe, and that level of involvement was requested).  I
have used Veracode in the past, along with others (AppScan, Fortify, etc.),
and had a good experience albeit in a very different setting than this.  I
would be more than happy to play around with any of these kinds of services
and no affinity to one or the other, but right now the only thing I
actually have access to is Veracode and free options like Coverity.

Veracode is a proprietary cloud-hosted platform that has dynamic and static
scan offerings, and they have various integrations
<https://community.veracode.com/s/integrations> with build systems (maven,
Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.).  They also
appear to have opened up their training materials
<https://community.veracode.com/s/education-and-training>, which are handy
to point to from time to time.  I've worked with it in the past and things
largely seem to work as you would expect, although it has been 5 years
since I really used their products regularly.

(3) I have been manually making submissions dating back to 2017-02-13, but
because the file transfer is uploaded from my home Internet (upload speeds
of ~6Mbps), it takes quite a while and so I don't do it very frequently.
Usually just around releases.

Jon

On Sat, Dec 23, 2017 at 11:13 AM Nick Allen <ni...@nickallen.org> wrote:

> > Veracode has provided us with a 100% free portal to scan the Metron code
> with, but in order to integrate, the safest option is probably to use the
> ASF's jenkins server
>
> (1) Can you describe this more?   How has this been provided?  Is this for
> all Apache projects; just Metron?  Was this based on a relationship you
> have within CA?
>
>
> (2) Why Veracode?  Can you describe this platform more?  Is it open source
> or proprietary?  Why is this better than alternatives?
>
>
> (3) I have no objection to experimenting with the service to see if it
> provides actionable results, but is there no simpler way to do this?  It
> doesn't seem like we should have to mess with a bunch of Apache
> infrastructure to see if the service works at a basic level.  Can't we
> manually submit master and/or previous releases to Veracode to see if we
> get actionable results?
>
>
>
>
>
> On Thu, Dec 21, 2017 at 10:48 AM, Zeolla@GMail.com <ze...@gmail.com>
> wrote:
>
> > Just following up on this conversation again -
> >
> > I have discussed this ad-hoc with a few PMC members recently and wanted to
> > bring it up on the list.  Veracode has provided us with a 100% free portal
> > to scan the Metron code with, but in order to integrate, the safest option
> > is probably to use the ASF's jenkins server (as I'm not aware of a safe way
> > to automatically pass API creds to Veracode from GitHub).  My long-term
> > interest here would be to scan and clean up the code base generally, and
> > then to try and scan PRs for concerns (non-blocking).  Perhaps at some
> > point, if we identify that these scans are actually useful and not
> > false-positive prone/onerous, we could turn this into a blocking
> > requirement for contributions.  Being a security project, I feel that we
> > should be doing as much as we can to ensure that what we're providing is
> > safe.
> >
> > I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
> > setup.  It looks like Veracode has a Jenkins plugin
> > <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
> > Jenkins has a plugin for Veracode in its plugin repo
> > <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
> > the ASF supports adding plugins
> > <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
> > to their Jenkins servers (although I think
> > <http://What_do_Administrators_do.3F> the admins are supposed to do this),
> > and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
> > ASF Jenkins server.  The ASF seems to support giving non-PMC committers
> > access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
> > Jenkins, but it requires that the PMC chair do some work, and generally it
> > looks like they want admins
> > <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
> > <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
> > involved (I also don't have access to the builds JIRA project
> > <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).
> >
> > I'm happy to play around with this and see how it could be useful, but in
> > order to do so I need to get some additional authorization.  Does anybody
> > have any concerns with delegating this access to me, or with this general
> > approach?
> >
> > Jon
> >
> > >
> > > -------------------
> > > Thank you,
> > >
> > > James Sirota
> > > PPMC- Apache Metron (Incubating)
> > > jsirota AT apache DOT org
> > >
> > --
> >
> > Jon
> >
>
--

Jon

Re: Secure code analysis

Posted by Nadir Hajiyani <na...@gmail.com>.
Sure, please keep exploring Veracode; I am also checking on what their options
are for seamlessly scanning directly from GitHub. I work with Fortify on a
day-to-day basis, and they have a command line client called FodUploader which
could potentially be integrated with a CI system if needed, and their API also
has some interesting options.
Fortify on Demand also has a GitHub integration feature on the portal itself.


On Sat, Dec 23, 2017 at 7:32 PM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> Sure, not a problem.
>
> (1) I went to an event where a presenter from Veracode was calling out some
> bugs in open source projects, and that Veracode wanted to be a part of the
> solution.  As such, they offered to give free analysis to open source
> projects that reach out.  At this point the account that I have access to
> is just for the Apache Metron project, but it is possible that the
> relationship could grow if it makes sense for other projects.  For
> instance, this <https://twitter.com/PeteChestna/status/943845893597483008>.
>
> (2) No specific reason - in the past I looked at Coverity (see below in
> this thread) but was deterred from personally setting it up due to some of
> their policies about who can register new scans (i.e. I was not a committer
> at the time I believe, and that level of involvement was requested).  I
> have used Veracode in the past, along with others (AppScan, Fortify, etc.),
> and had a good experience albeit in a very different setting than this.  I
> would be more than happy to play around with any of these kinds of services
> and have no affinity to one or the other, but right now the only thing I
> actually have access to is Veracode and free options like Coverity.
>
> Veracode is a proprietary cloud-hosted platform that has dynamic and static
> scan offerings, and they have various integrations
> <https://community.veracode.com/s/integrations> with build systems (Maven,
> Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.).  They also
> appear to have opened up their training materials
> <https://community.veracode.com/s/education-and-training>, which are handy
> to point to from time to time.  I've worked with it in the past and things
> largely seem to work as you would expect, although it has been 5 years
> since I really used their products regularly.
>
> (3) I have been manually making submissions dating back to 2017-02-13, but
> because the file transfer is uploaded from my home Internet (upload speeds
> of ~6Mbps), it takes quite a while and so I don't do it very frequently.
> Usually just around releases.
>
> Jon
>



-- 
Regards,
Nadir Hajiyani

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
Sure, not a problem.

(1) I went to an event where a presenter from Veracode was calling out some
bugs in open source projects, and that Veracode wanted to be a part of the
solution.  As such, they offered to give free analysis to open source
projects that reach out.  At this point the account that I have access to
is just for the Apache Metron project, but it is possible that the
relationship could grow if it makes sense for other projects.  For
instance, this <https://twitter.com/PeteChestna/status/943845893597483008>.

(2) No specific reason - in the past I looked at Coverity (see below in
this thread) but was deterred from personally setting it up due to some of
their policies about who can register new scans (i.e. I was not a committer
at the time I believe, and that level of involvement was requested).  I
have used Veracode in the past, along with others (AppScan, Fortify, etc.),
and had a good experience albeit in a very different setting than this.  I
would be more than happy to play around with any of these kinds of services
and have no affinity to one or the other, but right now the only thing I
actually have access to is Veracode and free options like Coverity.

Veracode is a proprietary cloud-hosted platform that has dynamic and static
scan offerings, and they have various integrations
<https://community.veracode.com/s/integrations> with build systems (Maven,
Jenkins, Bamboo, etc.) and IDEs (IntelliJ, Eclipse, etc.).  They also
appear to have opened up their training materials
<https://community.veracode.com/s/education-and-training>, which are handy
to point to from time to time.  I've worked with it in the past and things
largely seem to work as you would expect, although it has been 5 years
since I really used their products regularly.

(3) I have been manually making submissions dating back to 2017-02-13, but
because the file transfer is uploaded from my home Internet (upload speeds
of ~6Mbps), it takes quite a while and so I don't do it very frequently.
Usually just around releases.

Jon

On Sat, Dec 23, 2017 at 11:13 AM Nick Allen <ni...@nickallen.org> wrote:

> > Veracode has provided us with a 100% free portal to scan the Metron code
> with, but in order to integrate, the safest option is probably to use the
> ASF's jenkins server
>
> (1) Can you describe this more?   How has this been provided?  Is this for
> all Apache projects, or just Metron?  Was this based on a relationship you
> have within CA?
>
>
> (2) Why Veracode?  Can you describe this platform more?  Is it open source
> or proprietary?  Why is this better than alternatives?
>
>
> (3) I have no objection to experimenting with the service to see if it
> provides actionable results, but is there no simpler way to do this?  It
> doesn't seem like we should have to mess with a bunch of Apache
> infrastructure to see if the service works at a basic level.  Can't we
> manually submit master and/or previous releases to Veracode to see if we
> get actionable results?
>
>
>
>
>
> > > >>  >> > >
> > > >>  >> > > Register your project with Coverity Scan by completing the
> > > project
> > > >>  >> > > registration form found at scan.coverity.com. Upon your
> > > >>  completion of
> > > >>  >> > > project registration (including acceptance of the Scan User
> > > >>  Agreement)
> > > >>  >> > and
> > > >>  >> > > your receipt of confirmation of registration of your
> project,
> > > you
> > > >>  will
> > > >>  >> be
> > > >>  >> > > able to download the Software required to submit a build of
> > your
> > > >>  code
> > > >>  >> for
> > > >>  >> > > analysis by Coverity Scan. You may then download the
> Software,
> > > >>  >> complete a
> > > >>  >> > > build and submit your Registered Project build for analysis
> > and
> > > >>  review
> > > >>  >> in
> > > >>  >> > > Coverity Scan. Coverity Scan is only available for use with
> > open
> > > >>  source
> > > >>  >> > > projects that are registered with Coverity Scan.
> > > >>  >> > > Here are some interesting snippets from their scan user
> > > agreement:
> > > >>  >> > >
> > > >>  >> > > Your use of our software is acceptance of our Terms
> > > >>  >> > > <https://scan.coverity.com/policy>
> > > >>  >> > >
> > > >>  >> > > You will not disassemble, decompile, reverse engineer,
> modify
> > or
> > > >>  create
> > > >>  >> > > derivative works of Our Service, software products or
> > > >>  documentation nor
> > > >>  >> > > permit any third party to do so, except to the extent such
> > > >>  restrictions
> > > >>  >> > are
> > > >>  >> > > prohibited by applicable mandatory local law
> > > >>  >> > >
> > > >>  >> > > You will not disclose to any third party any comparison of
> the
> > > >>  results
> > > >>  >> of
> > > >>  >> > > operation of Our Service or software products with other
> > > services
> > > >>  or
> > > >>  >> > > products, except as expressly permitted by this Agreement
> > > >>  >> > >
> > > >>  >> > > You will not publish any findings regarding or resulting
> from
> > > use
> > > >>  of
> > > >>  >> the
> > > >>  >> > > Service or the Software
> > > >>  >> > >
> > > >>  >> > > You agree that We may use Your name and logo (in a form
> > > approved by
> > > >>  >> You)
> > > >>  >> > > and Registered Product information to identify You and such
> > > >>  project as
> > > >>  >> a
> > > >>  >> > > participant of Our Scan Program on Our website or in Our
> > > marketing
> > > >>  or
> > > >>  >> > > publicity materials or in any filings made in connection
> with
> > > >>  state or
> > > >>  >> > > federal securities laws.
> > > >>  >> > >
> > > >>  >> > > Additionally, upon execution of this Agreement, the parties
> > will
> > > >>  use
> > > >>  >> > > commercially reasonable efforts to issue mutually agreed
> upon
> > > joint
> > > >>  >> press
> > > >>  >> > > releases or other public communications announcing Your
> entry
> > > into
> > > >>  this
> > > >>  >> > > Agreement.
> > > >>  >> > >
> > > >>  >> > > At Our written request, You will furnish Us with (a) a
> > > >>  certification
> > > >>  >> > signed
> > > >>  >> > > by an officer of Your company providing user or access
> > > information
> > > >>  that
> > > >>  >> > > identifies whether the Service and the Software is being
> used
> > in
> > > >>  >> > accordance
> > > >>  >> > > with the terms of this Agreement, and (b) log files from any
> > > >>  License
> > > >>  >> > > Manager. Upon at least thirty (30) days prior written
> notice,
> > We
> > > >>  may
> > > >>  >> > > engage, at Our expense, an independent auditor to audit Your
> > use
> > > >>  of the
> > > >>  >> > > Service and the Software to ensure that You are in
> compliance
> > > with
> > > >>  the
> > > >>  >> > > terms of this Agreement. ... You will provide the auditor
> with
> > > >>  access
> > > >>  >> to
> > > >>  >> > > the relevant records and facilities.
> > > >>  >> > >
> > > >>  >> > > Jon
> > > >>  >> > >
> > > >>  >> > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <
> > > >>  zeolla@gmail.com>
> > > >>  >> > > wrote:
> > > >>  >> > >
> > > >>  >> > > > There's nothing built-in with Travis, but we could
> install a
> > > >>  tool to
> > > >>  >> do
> > > >>  >> > > > this as part of the installation of tools on the build
> box.
> > > I'm
> > > >>  >> gonna
> > > >>  >> > > > reach out to people in my local circle who specialize in
> > > secure
> > > >>  code
> > > >>  >> > > > analysis and see what all of the options are.
> > > >>  >> > > >
> > > >>  >> > > > Jon
> > > >>  >> > > >
> > > >>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <
> > > nick@nickallen.org>
> > > >>  >> wrote:
> > > >>  >> > > >
> > > >>  >> > > >> I completely agree that we will need some focus on this.
> > > >>  >> > > >>
> > > >>  >> > > >> What could Travis do for us? I wasn't aware that they
> > offered
> > > >>  >> > security
> > > >>  >> > > >> scanning.
> > > >>  >> > > >>
> > > >>  >> > > >> Are you aware of any security scan services that offer
> free
> > > >>  support
> > > >>  >> to
> > > >>  >> > > >> open
> > > >>  >> > > >> source projects?
> > > >>  >> > > >>
> > > >>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <
> > > >>  zeolla@gmail.com
> > > >>  >> >
> > > >>  >> > > >> wrote:
> > > >>  >> > > >>
> > > >>  >> > > >> > So I've never done anything like this before in Travis
> > but
> > > I
> > > >>  have
> > > >>  >> > done
> > > >>  >> > > >> IDE
> > > >>  >> > > >> > plugins and pre prod scans in the past at large
> companies
> > > >>  which
> > > >>  >> > worked
> > > >>  >> > > >> > well. I floated the idea past a friend working at
> Travis
> > > and
> > > >>  she
> > > >>  >> > said
> > > >>  >> > > >> if
> > > >>  >> > > >> > we go that route she would assist.
> > > >>  >> > > >> >
> > > >>  >> > > >> > I just think that if this is integrated from the
> > beginning
> > > and
> > > >>  >> fail
> > > >>  >> > > >> builds
> > > >>  >> > > >> > on critical issues (to start), this could be a big
> > > >>  differentiator,
> > > >>  >> > > >> > especially because we're talking about a security
> > platform
> > > >>  that
> > > >>  >> > > >> centralizes
> > > >>  >> > > >> > tons of sensitive information, tries to parse almost
> > > anything
> > > >>  >> that's
> > > >>  >> > > >> thrown
> > > >>  >> > > >> > at it (think of what's been happening to AV products
> > > >>  recently),
> > > >>  >> and
> > > >>  >> > is
> > > >>  >> > > >> open
> > > >>  >> > > >> > source for bad guys to dig into much more easily.
> > > >>  >> > > >> >
> > > >>  >> > > >> > Jon
> > > >>  >> > > >> >
> > > >>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <
> > nick@nickallen.org
> > > >
> > > >>  >> wrote:
> > > >>  >> > > >> >
> > > >>  >> > > >> > > I am not aware of any discussions around this, Jon.
> > What
> > > are
> > > >>  >> you
> > > >>  >> > > >> > thinking?
> > > >>  >> > > >> > >
> > > >>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <
> > > >>  >> > zeolla@gmail.com
> > > >>  >> > > >
> > > >>  >> > > >> > > wrote:
> > > >>  >> > > >> > >
> > > >>  >> > > >> > > > I was just wondering if there is any sort of static
> > (or
> > > >>  even
> > > >>  >> > > >> dynamic)
> > > >>  >> > > >> > > code
> > > >>  >> > > >> > > > analysis, or penetrating testing/vulnerability
> > > assessment,
> > > >>  >> > > >> occurring at
> > > >>  >> > > >> > > any
> > > >>  >> > > >> > > > point on the metron code. Has there been any
> > > discussion of
> > > >>  >> > > >> installing
> > > >>  >> > > >> > > > something along those lines on the Travis build
> > server
> > > >>  (if it
> > > >>  >> > > isn't
> > > >>  >> > > >> > there
> > > >>  >> > > >> > > > already)? Thanks,
> > > >>  >> > > >> > > >
> > > >>  >> > > >> > > > Jon
> > > >>  >> > > >> > > > --
> > > >>  >> > > >> > > >
> > > >>  >> > > >> > > > Jon
> > > >>  >> > > >> > > >
> > > >>  >> > > >> > >
> > > >>  >> > > >> > >
> > > >>  >> > > >> > >
> > > >>  >> > > >> > > --
> > > >>  >> > > >> > > Nick Allen <ni...@nickallen.org>
> > > >>  >> > > >> > >
> > > >>  >> > > >> > --
> > > >>  >> > > >> >
> > > >>  >> > > >> > Jon
> > > >>  >> > > >> >
> > > >>  >> > > >>
> > > >>  >> > > >>
> > > >>  >> > > >>
> > > >>  >> > > >> --
> > > >>  >> > > >> Nick Allen <ni...@nickallen.org>
> > > >>  >> > > >>
> > > >>  >> > > > --
> > > >>  >> > > >
> > > >>  >> > > > Jon
> > > >>  >> > > >
> > > >>  >> > > --
> > > >>  >> > >
> > > >>  >> > > Jon
> > > >>  >> > >
> > > >>  >> >
> > > >>  >> >
> > > >>  >> >
> > > >>  >> > --
> > > >>  >> > Nick Allen <ni...@nickallen.org>
> > > >>  >> >
> > > >>  >> --
> > > >>  >>
> > > >>  >> Jon
> > > >>  >
> > > >>  > --
> > > >>  > Nick Allen <ni...@nickallen.org>
> > > >>
> > > >>  -------------------
> > > >>  Thank you,
> > > >>
> > > >>  James Sirota
> > > >>  PPMC- Apache Metron (Incubating)
> > > >>  jsirota AT apache DOT org
> > > >>
> > > >>  --
> > > >>
> > > >>  Jon
> > > > --
> > > >
> > > > Jon
> > > >
> > > > Sent from my mobile device
> > >
> > > -------------------
> > > Thank you,
> > >
> > > James Sirota
> > > PPMC- Apache Metron (Incubating)
> > > jsirota AT apache DOT org
> > >
> > --
> >
> > Jon
> >
>
-- 

Jon

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
> Veracode has provided us with a 100% free portal to scan the Metron code
> with, but in order to integrate, the safest option is probably to use the
> ASF's jenkins server

(1) Can you describe this more?  How has this been provided?  Is this for
all Apache projects; just Metron?  Was this based on a relationship you
have within CA?

(2) Why Veracode?  Can you describe this platform more?  Is it open source
or proprietary?  Why is this better than alternatives?

(3) I have no objection to experimenting with the service to see if it
provides actionable results, but is there no simpler way to do this?  It
doesn't seem like we should have to mess with a bunch of Apache
infrastructure to see if the service works at a basic level.  Can't we
manually submit master and/or previous releases to Veracode to see if we
get actionable results?

On Thu, Dec 21, 2017 at 10:48 AM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> Just following up on this conversation again -
>
> I have discussed this ad-hoc with a few PMC members recently and wanted to
> bring it up on the list.  Veracode has provided us with a 100% free portal
> to scan the Metron code with, but in order to integrate, the safest option
> is probably to use the ASF's jenkins server (as I'm not aware of a safe way
> to automatically pass API creds to Veracode from GitHub).  My long-term
> interest here would be to scan and clean up the code base generally, and
> then to try and scan PRs for concerns (non-blocking).  Perhaps at some
> point, if we identify that these scans are actually useful and not
> false-positive prone/onerous, we could turn this into a blocking
> requirement for contributions.  Being a security project, I feel that we
> should be doing as much as we can to ensure that what we're providing is
> safe.
>
> I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
> setup.  It looks like Veracode has a Jenkins plugin
> <https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
> Jenkins has a plugin for Veracode in its plugin repo
> <https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
> the ASF supports adding plugins
> <https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
> to their Jenkins servers (although I think
> <http://What_do_Administrators_do.3F> the admins are supposed to do this),
> and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
> ASF Jenkins server.  The ASF seems to support giving non-PMC committers
> access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
> Jenkins, but it requires that the PMC chair do some work, and generally it
> looks like they want admins
> <https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
> <https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
> involved (I also don't have access to the builds JIRA project
> <https://issues.apache.org/jira/projects/BUILDS>, if it really exists).
>
> I'm happy to play around with this and see how it could be useful, but in
> order to do so I need to get some additional authorization.  Does anybody
> have any concerns with delegating this access to me, or with this general
> approach?
>
> Jon
>
> On Fri, Dec 16, 2016 at 11:39 AM James Sirota <js...@apache.org> wrote:
>
> > That would be great. I can work with them
> >
> > 15.12.2016, 18:38, "Zeolla@GMail.com" <ze...@gmail.com>:
> > > I recently discussed this topic with Veracode regarding the metron
> > > project and they mentioned there may be interest in providing free
> > > services, however they would need to work with an official project rep.
> > > If there's interest in pursuing this please let me know.
> > >
> > > On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <ze...@gmail.com> wrote:
> > >
> > >>  Per the other discussion it is possible that this conflicts with the
> > >>  Apache stance for vulnerability disclosure/management. I'm going to
> > >>  hold off on any additional effort until I know more.
> > >>
> > >>  Jon
> > >>
> > >>  --
> > >>
> > >>  Jon
> > > --
> > >
> > > Jon
> > >
> > > Sent from my mobile device
> >
> > -------------------
> > Thank you,
> >
> > James Sirota
> > PPMC- Apache Metron (Incubating)
> > jsirota AT apache DOT org
> >
> --
>
> Jon
>
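
The rollout Jon describes in the quoted message, a baseline scan of the code base followed by PR scans that report only new findings, first non-blocking and later blocking on critical issues, as an added Python example that is not Metron project code and not a Veracode or Jenkins API; the JSON report format, file names and rule ids in it are constructed sample data.

```python
"""Severity gating with a findings baseline for CI static-analysis scans.

Added example, not Metron project code and not a Veracode or Jenkins API.
A one-time baseline is taken from a full scan of master; later PR scans
report only findings not in the baseline, in "advisory" mode (never fails)
or "blocking" mode (fails at or above a severity threshold). The report
format, file names and rule ids are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str      # scanner rule id (CWE ids used as labels in the sample)
    severity: str  # one of SEVERITY_RANK
    file: str
    line: int
    snippet: str   # offending source line as reported by the scanner

    def fingerprint(self) -> str:
        # Line numbers shift whenever code above a finding is edited, so the
        # baseline keys on rule + file + whitespace-normalised snippet instead.
        key = f"{self.rule}|{self.file}|{' '.join(self.snippet.split())}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def parse_report(text: str) -> list[Finding]:
    """Parse the constructed JSON report format; rejects unknown severities."""
    findings = []
    for item in json.loads(text)["findings"]:
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {item['rule']}")
        findings.append(Finding(item["rule"], sev, item["file"],
                                int(item["line"]), item["snippet"]))
    return findings


def build_baseline(findings: list[Finding]) -> set[str]:
    """Fingerprints of everything the full code-base scan already reports."""
    return {f.fingerprint() for f in findings}


def gate(findings: list[Finding], baseline: set[str], mode: str,
         threshold: str = "critical") -> tuple[bool, list[Finding]]:
    """Return (build_passes, findings_new_relative_to_baseline).

    advisory: always passes; new findings are only reported.
    blocking: fails if any new finding is at or above `threshold`.
    """
    fresh = [f for f in findings if f.fingerprint() not in baseline]
    if mode == "advisory":
        return True, fresh
    if mode == "blocking":
        limit = SEVERITY_RANK[threshold]
        return all(SEVERITY_RANK[f.severity] < limit for f in fresh), fresh
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: full scan of master, used to seed the baseline.
BASELINE_REPORT = json.dumps({"findings": [
    {"rule": "CWE-89", "severity": "critical", "file": "parser/Sql.java",
     "line": 40, "snippet": 'stmt.execute("SELECT * FROM t WHERE id=" + id);'},
    {"rule": "CWE-772", "severity": "medium", "file": "io/Reader.java",
     "line": 12, "snippet": "InputStream in = new FileInputStream(path);"},
]})

# Constructed sample: scan of a PR branch. The first two findings are the
# baselined ones (one moved down five lines by an unrelated edit); the last
# two are introduced by the PR.
PR_REPORT = json.dumps({"findings": [
    {"rule": "CWE-89", "severity": "critical", "file": "parser/Sql.java",
     "line": 45, "snippet": 'stmt.execute("SELECT * FROM t WHERE id=" + id);'},
    {"rule": "CWE-772", "severity": "medium", "file": "io/Reader.java",
     "line": 12, "snippet": "InputStream in = new FileInputStream(path);"},
    {"rule": "CWE-502", "severity": "critical", "file": "enrich/Cache.java",
     "line": 7, "snippet": "Object o = new ObjectInputStream(in).readObject();"},
    {"rule": "CWE-563", "severity": "low", "file": "enrich/Cache.java",
     "line": 20, "snippet": "int unused = 0;"},
]})


def run_demo() -> dict:
    """Run both modes over the sample reports and return the outcomes."""
    baseline = build_baseline(parse_report(BASELINE_REPORT))
    pr = parse_report(PR_REPORT)
    advisory_ok, fresh = gate(pr, baseline, "advisory")
    blocking_ok, _ = gate(pr, baseline, "blocking")
    return {
        "baseline_size": len(baseline),
        "new_rules": sorted(f.rule for f in fresh),
        "advisory_passed": advisory_ok,
        "blocking_passed": blocking_ok,
    }
```

In a CI job the mode would be a parameter, so the same script runs as advisory on PRs until the baseline is cleaned up and the false-positive rate is known, then switches to blocking.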

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
Just following up on this conversation again -

I have discussed this ad-hoc with a few PMC members recently and wanted to
bring it up on the list.  Veracode has provided us with a 100% free portal
to scan the Metron code with, but in order to integrate, the safest option
is probably to use the ASF's jenkins server (as I'm not aware of a safe way
to automatically pass API creds to Veracode from GitHub).  My long-term
interest here would be to scan and clean up the code base generally, and
then to try and scan PRs for concerns (non-blocking).  Perhaps at some
point, if we identify that these scans are actually useful and not
false-positive prone/onerous, we could turn this into a blocking
requirement for contributions.  Being a security project, I feel that we
should be doing as much as we can to ensure that what we're providing is
safe.

I looked briefly at the Veracode Jenkins integrations, and the ASF Jenkins
setup.  It looks like Veracode has a Jenkins plugin
<https://help.veracode.com/reader/PgbNZUD7j8aY7iG~hQZWxQ/_4G8gT1rhWMgVVtCI1C57A>,
Jenkins has a plugin for Veracode in its plugin repo
<https://plugins.jenkins.io/veracode-scanner> (not supported by Veracode),
the ASF supports adding plugins
<https://wiki.apache.org/general/Jenkins#How_do_I_install_a_new_Jenkins_plugin.3F>
to their Jenkins servers (although I think
<http://What_do_Administrators_do.3F> the admins are supposed to do this),
and Metron is not yet set up <https://builds.apache.org/view/M-R/> on the
ASF Jenkins server.  The ASF seems to support giving non-PMC committers
access <https://wiki.apache.org/general/Jenkins#How_do_I_get_an_account> to
Jenkins, but it requires that the PMC chair do some work, and generally it
looks like they want admins
<https://wiki.apache.org/general/Jenkins#FAQ_For_Administrators>/PMC
<https://wiki.apache.org/general/Jenkins#FAQ_For_PMCs> members to be
involved (I also don't have access to the builds JIRA project
<https://issues.apache.org/jira/projects/BUILDS>, if it really exists).

I'm happy to play around with this and see how it could be useful, but in
order to do so I need to get some additional authorization.  Does anybody
have any concerns with delegating this access to me, or with this general
approach?

Jon

On Fri, Dec 16, 2016 at 11:39 AM James Sirota <js...@apache.org> wrote:

> That would be great. I can work with them
>
> 15.12.2016, 18:38, "Zeolla@GMail.com" <ze...@gmail.com>:
> > I recently discussed this topic with Veracode regarding the metron
> > project and they mentioned there may be interest in providing free
> > services, however they would need to work with an official project rep.
> > If there's interest in pursuing this please let me know.
> >
> > On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <ze...@gmail.com> wrote:
> >
> >>  Per the other discussion it is possible that this conflicts with the
> >>  Apache stance for vulnerability disclosure/management. I'm going to
> >>  hold off on any additional effort until I know more.
> >>
> >>  Jon
> >>
> >>  On Tue, May 31, 2016, 16:07 James Sirota <js...@apache.org> wrote:
> >>
> >>  Jon, would it be possible for you to scan Metron from your own branch?
> >>  I'd like to know if this is useful at all. If we get value out of it
> >>  I'll run this down and see how we can get it hooked up.
> >>
> >>  31.05.2016, 10:08, "Nick Allen" <ni...@nickallen.org>:
> >>  > I connect Travis to my own personal fork of Metron so that the CI
> >>  > builds run on my own branches before I submit PRs. Thinking you could
> >>  > do the same with this. Maybe I'm wrong.
> >>  >
> >>  > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <ze...@gmail.com>
> >>  wrote:
> >>  >
> >>  >> To register project on Coverity Scan, you must be contributor or
> >>  >> maintainer of the project.
> >>  >>
> >>  >> It may also be worth mentioning that there are a ton of Apache
> >>  >> projects already registered, including Ambari, Drill, Flume, Hadoop,
> >>  >> HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
> >>  >> https://scan.coverity.com/projects?page=2
> >>  >>
> >>  >> Jon
> >>  >>
> >>  >> On Tue, May 31, 2016 at 12:52 PM Nick Allen <ni...@nickallen.org>
> >>  wrote:
> >>  >>
> >>  >> > You could set it up on your own fork of Metron in Github. Then you
> >>  >> > can tell us if it is useful at all.
> >>  >> >
> >>  >> > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <zeolla@gmail.com>
> >>  >> > wrote:
> >>  >> >
> >>  >> > > So I did a bit of digging today and I found a few options
> >>  >> > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so
> far my
> >>  >> > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.
> >>  >> I've
> >>  >> > > never used this product before, so I'm not exactly sure what to
> >>  expect,
> >>  >> > but
> >>  >> > > I guess anyone can kick off a scan of an open source project and
> >>  get
> >>  >> > > results within 48 hours. I was in the process of registering
> >>  Metron to
> >>  >> > be
> >>  >> > > scanned but I found some things in their scan user agreement
> which
> >>  I
> >>  >> > wasn't
> >>  >> > > sure everybody would be in line with (see below for the
> excerpts -
> >>  >> note I
> >>  >> > > did NOT read the entire document and IANAL).
> >>  >> > >
> >>  >> > > Here's the TL;DR of what Coverity Scan is:
> >>  >> > >
> >>  >> > > Coverity Scan <http://scan.coverity.com/> is a free static code
> >>  >> analysis
> >>  >> > > tool for Java, C, C++, C# and JavaScript.
> >>  >> > >
> >>  >> > > This addon leverages the Travis-CI infrastructure to
> automatically
> >>  run
> >>  >> > code
> >>  >> > > analysis on your GitHub projects.
> >>  >> > >
> >>  >> > > Coverity Scan is a service by which Coverity provides the
> results
> >>  of
> >>  >> > > analysis on open source coding projects to open source code
> >>  developers
> >>  >> > that
> >>  >> > > have registered their products with Coverity Scan.
> >>  >> > >
> >>  >> > > Some examples of defects and vulnerabilities found by Coverity
> >>  Quality
> >>  >> > > Advisor include:
> >>  >> > >
> >>  >> > > - resource leaks
> >>  >> > > - dereferences of NULL pointers
> >>  >> > > - incorrect usage of APIs
> >>  >> > > - use of uninitialized data
> >>  >> > > - memory corruptions
> >>  >> > > - buffer overruns
> >>  >> > > - control flow issues
> >>  >> > > - error handling issues
> >>  >> > > - incorrect expressions
> >>  >> > > - concurrency issues
> >>  >> > > - insecure data handling
> >>  >> > > - unsafe use of signed values
> >>  >> > > - use of resources that have been freed
> >>  >> > >
> >>  >> > > Register your project with Coverity Scan by completing the
> project
> >>  >> > > registration form found at scan.coverity.com. Upon your
> >>  completion of
> >>  >> > > project registration (including acceptance of the Scan User
> >>  Agreement)
> >>  >> > and
> >>  >> > > your receipt of confirmation of registration of your project,
> you
> >>  will
> >>  >> be
> >>  >> > > able to download the Software required to submit a build of your
> >>  code
> >>  >> for
> >>  >> > > analysis by Coverity Scan. You may then download the Software,
> >>  >> complete a
> >>  >> > > build and submit your Registered Project build for analysis and
> >>  review
> >>  >> in
> >>  >> > > Coverity Scan. Coverity Scan is only available for use with open
> >>  source
> >>  >> > > projects that are registered with Coverity Scan.
> >>  >> > > Here are some interesting snippets from their scan user
> agreement:
> >>  >> > >
> >>  >> > > Your use of our software is acceptance of our Terms
> >>  >> > > <https://scan.coverity.com/policy>
> >>  >> > >
> >>  >> > > You will not disassemble, decompile, reverse engineer, modify or
> >>  create
> >>  >> > > derivative works of Our Service, software products or
> >>  documentation nor
> >>  >> > > permit any third party to do so, except to the extent such
> >>  restrictions
> >>  >> > are
> >>  >> > > prohibited by applicable mandatory local law
> >>  >> > >
> >>  >> > > You will not disclose to any third party any comparison of the
> >>  results
> >>  >> of
> >>  >> > > operation of Our Service or software products with other
> services
> >>  or
> >>  >> > > products, except as expressly permitted by this Agreement
> >>  >> > >
> >>  >> > > You will not publish any findings regarding or resulting from
> use
> >>  of
> >>  >> the
> >>  >> > > Service or the Software
> >>  >> > >
> >>  >> > > You agree that We may use Your name and logo (in a form
> approved by
> >>  >> You)
> >>  >> > > and Registered Product information to identify You and such
> >>  project as
> >>  >> a
> >>  >> > > participant of Our Scan Program on Our website or in Our
> marketing
> >>  or
> >>  >> > > publicity materials or in any filings made in connection with
> >>  state or
> >>  >> > > federal securities laws.
> >>  >> > >
> >>  >> > > Additionally, upon execution of this Agreement, the parties will
> >>  use
> >>  >> > > commercially reasonable efforts to issue mutually agreed upon
> joint
> >>  >> press
> >>  >> > > releases or other public communications announcing Your entry
> into
> >>  this
> >>  >> > > Agreement.
> >>  >> > >
> >>  >> > > At Our written request, You will furnish Us with (a) a
> >>  certification
> >>  >> > signed
> >>  >> > > by an officer of Your company providing user or access
> information
> >>  that
> >>  >> > > identifies whether the Service and the Software is being used in
> >>  >> > accordance
> >>  >> > > with the terms of this Agreement, and (b) log files from any
> >>  License
> >>  >> > > Manager. Upon at least thirty (30) days prior written notice, We
> >>  may
> >>  >> > > engage, at Our expense, an independent auditor to audit Your use
> >>  of the
> >>  >> > > Service and the Software to ensure that You are in compliance
> with
> >>  the
> >>  >> > > terms of this Agreement. ... You will provide the auditor with
> >>  access
> >>  >> to
> >>  >> > > the relevant records and facilities.
> >>  >> > >
> >>  >> > > Jon
> >>  >> > >
> >>  >> > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <
> >>  zeolla@gmail.com>
> >>  >> > > wrote:
> >>  >> > >
> >>  >> > > > There's nothing built-in with Travis, but we could install a
> >>  tool to
> >>  >> do
> >>  >> > > > this as part of the installation of tools on the build box.
> I'm
> >>  >> gonna
> >>  >> > > > reach out to people in my local circle who specialize in
> secure
> >>  code
> >>  >> > > > analysis and see what all of the options are.
> >>  >> > > >
> >>  >> > > > Jon
> >>  >> > > >
> >>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <
> nick@nickallen.org>
> >>  >> wrote:
> >>  >> > > >
> >>  >> > > >> I completely agree that we will need some focus on this.
> >>  >> > > >>
> >>  >> > > >> What could Travis do for us? I wasn't aware that they offered
> >>  >> > security
> >>  >> > > >> scanning.
> >>  >> > > >>
> >>  >> > > >> Are you aware of any security scan services that offer free
> >>  support
> >>  >> to
> >>  >> > > >> open
> >>  >> > > >> source projects?
> >>  >> > > >>
> >>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <
> >>  zeolla@gmail.com
> >>  >> >
> >>  >> > > >> wrote:
> >>  >> > > >>
> >>  >> > > >> > So I've never done anything like this before in Travis but
> I
> >>  have
> >>  >> > done
> >>  >> > > >> IDE
> >>  >> > > >> > plugins and pre prod scans in the past at large companies
> >>  which
> >>  >> > worked
> >>  >> > > >> > well. I floated the idea past a friend working at Travis
> and
> >>  she
> >>  >> > said
> >>  >> > > >> if
> >>  >> > > >> > we go that route she would assist.
> >>  >> > > >> >
> >>  >> > > >> > I just think that if this is integrated from the beginning
> and
> >>  >> fail
> >>  >> > > >> builds
> >>  >> > > >> > on critical issues (to start), this could be a big
> >>  differentiator,
> >>  >> > > >> > especially because we're talking about a security platform
> >>  that
> >>  >> > > >> centralizes
> >>  >> > > >> > tons of sensitive information, tries to parse almost
> anything
> >>  >> that's
> >>  >> > > >> thrown
> >>  >> > > >> > at it (think of what's been happening to AV products
> >>  recently),
> >>  >> and
> >>  >> > is
> >>  >> > > >> open
> >>  >> > > >> > source for bad guys to dig into much more easily.
> >>  >> > > >> >
> >>  >> > > >> > Jon
> >>  >> > > >> >
> >>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <nick@nickallen.org
> >
> >>  >> wrote:
> >>  >> > > >> >
> >>  >> > > >> > > I am not aware of any discussions around this, Jon. What
> are
> >>  >> you
> >>  >> > > >> > thinking?
> >>  >> > > >> > >
> >>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <
> >>  >> > zeolla@gmail.com
> >>  >> > > >
> >>  >> > > >> > > wrote:
> >>  >> > > >> > >
> >>  >> > > >> > > > I was just wondering if there is any sort of static (or
> >>  even
> >>  >> > > >> dynamic)
> >>  >> > > >> > > code
> >>  >> > > >> > > > analysis, or penetration testing/vulnerability
> assessment,
> >>  >> > > >> occurring at
> >>  >> > > >> > > any
> >>  >> > > >> > > > point on the metron code. Has there been any
> discussion of
> >>  >> > > >> installing
> >>  >> > > >> > > > something along those lines on the Travis build server
> >>  (if it
> >>  >> > > isn't
> >>  >> > > >> > there
> >>  >> > > >> > > > already)? Thanks,
> >>  >> > > >> > > >
> >>  >> > > >> > > > Jon
> >>  >> > > >> > > > --
> >>  >> > > >> > > >
> >>  >> > > >> > > > Jon
> >>  >> > > >> > > >
> >>  >> > > >> > >
> >>  >> > > >> > >
> >>  >> > > >> > >
> >>  >> > > >> > > --
> >>  >> > > >> > > Nick Allen <ni...@nickallen.org>
> >>  >> > > >> > >
> >>  >> > > >> > --
> >>  >> > > >> >
> >>  >> > > >> > Jon
> >>  >> > > >> >
> >>  >> > > >>
> >>  >> > > >>
> >>  >> > > >>
> >>  >> > > >> --
> >>  >> > > >> Nick Allen <ni...@nickallen.org>
> >>  >> > > >>
> >>  >> > > > --
> >>  >> > > >
> >>  >> > > > Jon
> >>  >> > > >
> >>  >> > > --
> >>  >> > >
> >>  >> > > Jon
> >>  >> > >
> >>  >> >
> >>  >> >
> >>  >> >
> >>  >> > --
> >>  >> > Nick Allen <ni...@nickallen.org>
> >>  >> >
> >>  >> --
> >>  >>
> >>  >> Jon
> >>  >
> >>  > --
> >>  > Nick Allen <ni...@nickallen.org>
> >>
> >>  -------------------
> >>  Thank you,
> >>
> >>  James Sirota
> >>  PPMC- Apache Metron (Incubating)
> >>  jsirota AT apache DOT org
> >>
> >>  --
> >>
> >>  Jon
> > --
> >
> > Jon
> >
> > Sent from my mobile device
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org
>
-- 

Jon
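For anyone picking the Travis route up again: the Coverity Scan addon that the quoted May 2016 messages link to (https://scan.coverity.com/travis_ci) is driven entirely from the repository's .travis.yml. The fragment below is an added illustration for this thread, not a file from the Metron repository and not something anyone on the list posted. It assumes a Maven build (the mvn commands are placeholders for whatever actually compiles the project), a GitHub slug written as owner/repo, a placeholder notification address, and that the project's Coverity Scan token has been stored as a Travis encrypted variable named COVERITY_SCAN_TOKEN.

```yaml
# Added example: .travis.yml fragment wiring in the Coverity Scan addon.
# Not from the Metron repository; every name below is a placeholder.
language: java
jdk:
  - oraclejdk8          # assumption: use whatever JDK the project builds with

env:
  global:
    # COVERITY_SCAN_TOKEN, encrypted with `travis encrypt` so it never sits in
    # the repository in clear text. Whoever holds this token can submit builds
    # under the project's name, so treat it like any other CI secret.
    - secure: "<encrypted COVERITY_SCAN_TOKEN goes here>"

addons:
  coverity_scan:
    project:
      name: "owner/repo"                        # placeholder GitHub slug
      description: "Build submitted via Travis CI"
    notification_email: security@example.org    # placeholder address
    build_command_prepend: "mvn clean"          # assumption: Maven build
    build_command: "mvn -DskipTests=true compile"
    # Only jobs for this branch are wrapped by cov-build and uploaded to
    # scan.coverity.com; ordinary PR builds on other branches are untouched.
    branch_pattern: coverity_scan

script:
  # On the scan branch the job exists only to upload the instrumented build,
  # so skip the normal test run there; everywhere else build as usual.
  - if [ "${TRAVIS_BRANCH}" != "coverity_scan" ]; then mvn -B verify; fi
```

Two caveats worth keeping in mind if this is tried on a personal fork as suggested above. First, the analysis results come back in the Coverity Scan dashboard (the thread quotes "results within 48 hours"), not in the Travis job output, so this fragment submits a build but does not by itself fail the build on critical findings; that gate would need a tool that reports inside the job. Second, the Scan User Agreement excerpt quoted earlier says "You will not publish any findings regarding or resulting from use of the Service or the Software", which bears on whether dashboard results can be copied into a public JIRA or mailing list, and is a question for the PMC rather than for whoever wires up the YAML.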

Re: Secure code analysis

Posted by James Sirota <js...@apache.org>.
That would be great. I can work with them

15.12.2016, 18:38, "Zeolla@GMail.com" <ze...@gmail.com>:
> I recently discussed this topic with Veracode regarding the metron project
> and they mentioned there may be interest in providing free services,
> however they would need to work with an official project rep. If there's
> interest in pursuing this please let me know.
>
> On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <ze...@gmail.com> wrote:
>
>>  Per the other discussion it is possible that this conflicts with the
>>  Apache stance for vulnerability disclosure/management. I'm going to hold
>>  off on any additional effort until I know more.
>>
>>  Jon
>>
>>  On Tue, May 31, 2016, 16:07 James Sirota <js...@apache.org> wrote:
>>
>>  Jon, would it be possible for you to scan Metron from your own branch?
>>  I'd like to know if this is useful at all. If we get value out of it I'll
>>  run this down and see how we can get it hooked up.
>>
>>  31.05.2016, 10:08, "Nick Allen" <ni...@nickallen.org>:
>>  > I connect Travis to my own personal fork of Metron so that the CI builds
>>  > run on my own branches before I submit PRs. Thinking you could do the
>>  same
>>  > with this. Maybe I'm wrong.
>>  >
>>  > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <ze...@gmail.com>
>>  wrote:
>>  >
>>  >> To register a project on Coverity Scan, you must be a contributor or
>>  maintainer
>>  >> of the project.
>>  >>
>>  >> It may also be worth mentioning that there are a ton of Apache projects
>>  >> already registered, including Ambari, Drill, Flume, Hadoop, HBase,
>>  NiFi,
>>  >> Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
>>  >> https://scan.coverity.com/projects?page=2
>>  >>
>>  >> Jon
>>  >>
>>  >> On Tue, May 31, 2016 at 12:52 PM Nick Allen <ni...@nickallen.org>
>>  wrote:
>>  >>
>>  >> > You could set it up on your own fork of Metron in Github. Then you
>>  can
>>  >> > tell us if it is useful at all.
>>  >> >
>>  >> > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <ze...@gmail.com>
>>  >> > wrote:
>>  >> >
>>  >> > > So I did a bit of digging today and I found a few options
>>  >> > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
>>  >> > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.
>>  >> I've
>>  >> > > never used this product before, so I'm not exactly sure what to
>>  expect,
>>  >> > but
>>  >> > > I guess anyone can kick off a scan of an open source project and
>>  get
>>  >> > > results within 48 hours. I was in the process of registering
>>  Metron to
>>  >> > be
>>  >> > > scanned but I found some things in their scan user agreement which
>>  I
>>  >> > wasn't
>>  >> > > sure everybody would be in line with (see below for the excerpts -
>>  >> note I
>>  >> > > did NOT read the entire document and IANAL).
>>  >> > >
>>  >> > > Here's the TL;DR of what Coverity Scan is:
>>  >> > >
>>  >> > > Coverity Scan <http://scan.coverity.com/> is a free static code
>>  >> analysis
>>  >> > > tool for Java, C, C++, C# and JavaScript.
>>  >> > >
>>  >> > > This addon leverages the Travis-CI infrastructure to automatically
>>  run
>>  >> > code
>>  >> > > analysis on your GitHub projects.
>>  >> > >
>>  >> > > Coverity Scan is a service by which Coverity provides the results
>>  of
>>  >> > > analysis on open source coding projects to open source code
>>  developers
>>  >> > that
>>  >> > > have registered their products with Coverity Scan.
>>  >> > >
>>  >> > > Some examples of defects and vulnerabilities found by Coverity
>>  Quality
>>  >> > > Advisor include:
>>  >> > >
>>  >> > > - resource leaks
>>  >> > > - dereferences of NULL pointers
>>  >> > > - incorrect usage of APIs
>>  >> > > - use of uninitialized data
>>  >> > > - memory corruptions
>>  >> > > - buffer overruns
>>  >> > > - control flow issues
>>  >> > > - error handling issues
>>  >> > > - incorrect expressions
>>  >> > > - concurrency issues
>>  >> > > - insecure data handling
>>  >> > > - unsafe use of signed values
>>  >> > > - use of resources that have been freed
>>  >> > >
>>  >> > > Register your project with Coverity Scan by completing the project
>>  >> > > registration form found at scan.coverity.com. Upon your
>>  completion of
>>  >> > > project registration (including acceptance of the Scan User
>>  Agreement)
>>  >> > and
>>  >> > > your receipt of confirmation of registration of your project, you
>>  will
>>  >> be
>>  >> > > able to download the Software required to submit a build of your
>>  code
>>  >> for
>>  >> > > analysis by Coverity Scan. You may then download the Software,
>>  >> complete a
>>  >> > > build and submit your Registered Project build for analysis and
>>  review
>>  >> in
>>  >> > > Coverity Scan. Coverity Scan is only available for use with open
>>  source
>>  >> > > projects that are registered with Coverity Scan.
>>  >> > > Here are some interesting snippets from their scan user agreement:
>>  >> > >
>>  >> > > Your use of our software is acceptance of our Terms
>>  >> > > <https://scan.coverity.com/policy>
>>  >> > >
>>  >> > > You will not disassemble, decompile, reverse engineer, modify or
>>  create
>>  >> > > derivative works of Our Service, software products or
>>  documentation nor
>>  >> > > permit any third party to do so, except to the extent such
>>  restrictions
>>  >> > are
>>  >> > > prohibited by applicable mandatory local law
>>  >> > >
>>  >> > > You will not disclose to any third party any comparison of the
>>  results
>>  >> of
>>  >> > > operation of Our Service or software products with other services
>>  or
>>  >> > > products, except as expressly permitted by this Agreement
>>  >> > >
>>  >> > > You will not publish any findings regarding or resulting from use
>>  of
>>  >> the
>>  >> > > Service or the Software
>>  >> > >
>>  >> > > You agree that We may use Your name and logo (in a form approved by
>>  >> You)
>>  >> > > and Registered Product information to identify You and such
>>  project as
>>  >> a
>>  >> > > participant of Our Scan Program on Our website or in Our marketing
>>  or
>>  >> > > publicity materials or in any filings made in connection with
>>  state or
>>  >> > > federal securities laws.
>>  >> > >
>>  >> > > Additionally, upon execution of this Agreement, the parties will
>>  use
>>  >> > > commercially reasonable efforts to issue mutually agreed upon joint
>>  >> press
>>  >> > > releases or other public communications announcing Your entry into
>>  this
>>  >> > > Agreement.
>>  >> > >
>>  >> > > At Our written request, You will furnish Us with (a) a
>>  certification
>>  >> > signed
>>  >> > > by an officer of Your company providing user or access information
>>  that
>>  >> > > identifies whether the Service and the Software is being used in
>>  >> > accordance
>>  >> > > with the terms of this Agreement, and (b) log files from any
>>  License
>>  >> > > Manager. Upon at least thirty (30) days prior written notice, We
>>  may
>>  >> > > engage, at Our expense, an independent auditor to audit Your use
>>  of the
>>  >> > > Service and the Software to ensure that You are in compliance with
>>  the
>>  >> > > terms of this Agreement. ... You will provide the auditor with
>>  access
>>  >> to
>>  >> > > the relevant records and facilities.
>>  >> > >
>>  >> > > Jon
>>  >> > >
>>  >> > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <
>>  zeolla@gmail.com>
>>  >> > > wrote:
>>  >> > >
>>  >> > > > There's nothing built-in with Travis, but we could install a
>>  tool to
>>  >> do
>>  >> > > > this as part of the installation of tools on the build box. I'm
>>  >> gonna
>>  >> > > > reach out to people in my local circle who specialize in secure
>>  code
>>  >> > > > analysis and see what all of the options are.
>>  >> > > >
>>  >> > > > Jon
>>  >> > > >
>>  >> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org>
>>  >> wrote:
>>  >> > > >
>>  >> > > >> I completely agree that we will need some focus on this.
>>  >> > > >>
>>  >> > > >> What could Travis do for us? I wasn't aware that they offered
>>  >> > security
>>  >> > > >> scanning.
>>  >> > > >>
>>  >> > > >> Are you aware of any security scan services that offer free
>>  support
>>  >> to
>>  >> > > >> open
>>  >> > > >> source projects?
>>  >> > > >>
>>  >> > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <
>>  zeolla@gmail.com
>>  >> >
>>  >> > > >> wrote:
>>  >> > > >>
>>  >> > > >> > So I've never done anything like this before in Travis but I
>>  have
>>  >> > done
>>  >> > > >> IDE
>>  >> > > >> > plugins and pre prod scans in the past at large companies
>>  which
>>  >> > worked
>>  >> > > >> > well. I floated the idea past a friend working at Travis and
>>  she
>>  >> > said
>>  >> > > >> if
>>  >> > > >> > we go that route she would assist.
>>  >> > > >> >
>>  >> > > >> > I just think that if this is integrated from the beginning and
>>  >> fail
>>  >> > > >> builds
>>  >> > > >> > on critical issues (to start), this could be a big
>>  differentiator,
>>  >> > > >> > especially because we're talking about a security platform
>>  that
>>  >> > > >> centralizes
>>  >> > > >> > tons of sensitive information, tries to parse almost anything
>>  >> that's
>>  >> > > >> thrown
>>  >> > > >> > at it (think of what's been happening to AV products
>>  recently),
>>  >> and
>>  >> > is
>>  >> > > >> open
>>  >> > > >> > source for bad guys to dig into much more easily.
>>  >> > > >> >
>>  >> > > >> > Jon
>>  >> > > >> >
>>  >> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org>
>>  >> wrote:
>>  >> > > >> >
>>  >> > > >> > > I am not aware of any discussions around this, Jon. What are
>>  >> you
>>  >> > > >> > thinking?
>>  >> > > >> > >
>>  >> > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <
>>  >> > zeolla@gmail.com
>>  >> > > >
>>  >> > > >> > > wrote:
>>  >> > > >> > >
>>  >> > > >> > > > I was just wondering if there is any sort of static (or
>>  even
>>  >> > > >> dynamic)
>>  >> > > >> > > code
>>  >> > > >> > > > analysis, or penetration testing/vulnerability assessment,
>>  >> > > >> occurring at
>>  >> > > >> > > any
>>  >> > > >> > > > point on the metron code. Has there been any discussion of
>>  >> > > >> installing
>>  >> > > >> > > > something along those lines on the Travis build server
>>  (if it
>>  >> > > isn't
>>  >> > > >> > there
>>  >> > > >> > > > already)? Thanks,
>>  >> > > >> > > >
>>  >> > > >> > > > Jon
>>  >> > > >> > > > --
>>  >> > > >> > > >
>>  >> > > >> > > > Jon
>>  >> > > >> > > >
>>  >> > > >> > >
>>  >> > > >> > >
>>  >> > > >> > >
>>  >> > > >> > > --
>>  >> > > >> > > Nick Allen <ni...@nickallen.org>
>>  >> > > >> > >
>>  >> > > >> > --
>>  >> > > >> >
>>  >> > > >> > Jon
>>  >> > > >> >
>>  >> > > >>
>>  >> > > >>
>>  >> > > >>
>>  >> > > >> --
>>  >> > > >> Nick Allen <ni...@nickallen.org>
>>  >> > > >>
>>  >> > > > --
>>  >> > > >
>>  >> > > > Jon
>>  >> > > >
>>  >> > > --
>>  >> > >
>>  >> > > Jon
>>  >> > >
>>  >> >
>>  >> >
>>  >> >
>>  >> > --
>>  >> > Nick Allen <ni...@nickallen.org>
>>  >> >
>>  >> --
>>  >>
>>  >> Jon
>>  >
>>  > --
>>  > Nick Allen <ni...@nickallen.org>
>>
>>  -------------------
>>  Thank you,
>>
>>  James Sirota
>>  PPMC- Apache Metron (Incubating)
>>  jsirota AT apache DOT org
>>
>>  --
>>
>>  Jon
> --
>
> Jon
>
> Sent from my mobile device

-------------------
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
I recently discussed this topic with Veracode regarding the metron project
and they mentioned there may be interest in providing free services,
however they would need to work with an official project rep.  If there's
interest in pursuing this please let me know.

On Thu, Jun 2, 2016, 21:17 Zeolla@GMail.com <ze...@gmail.com> wrote:

> Per the other discussion it is possible that this conflicts with the
> Apache stance for vulnerability disclosure/management.  I'm going to hold
> off on any additional effort until I know more.
>
> Jon
>
> On Tue, May 31, 2016, 16:07 James Sirota <js...@apache.org> wrote:
>
> Jon, would it be possible for you to scan Metron from your own branch?
> I'd like to know if this is useful at all.  If we get value out of it I'll
> run this down and see how we can get it hooked up.
>
> 31.05.2016, 10:08, "Nick Allen" <ni...@nickallen.org>:
> > I connect Travis to my own personal fork of Metron so that the CI builds
> > run on my own branches before I submit PRs. Thinking you could do the
> same
> > with this. Maybe I'm wrong.
> >
> > On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <ze...@gmail.com>
> wrote:
> >
> >>  To register a project on Coverity Scan, you must be a contributor or
> maintainer
> >>  of the project.
> >>
> >>  It may also be worth mentioning that there are a ton of Apache projects
> >>  already registered, including Ambari, Drill, Flume, Hadoop, HBase,
> NiFi,
> >>  Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
> >>  https://scan.coverity.com/projects?page=2
> >>
> >>  Jon
> >>
> >>  On Tue, May 31, 2016 at 12:52 PM Nick Allen <ni...@nickallen.org>
> wrote:
> >>
> >>  > You could set it up on your own fork of Metron in Github. Then you
> can
> >>  > tell us if it is useful at all.
> >>  >
> >>  > On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <ze...@gmail.com>
> >>  > wrote:
> >>  >
> >>  > > So I did a bit of digging today and I found a few options
> >>  > > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> >>  > > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.
> >>  I've
> >>  > > never used this product before, so I'm not exactly sure what to
> expect,
> >>  > but
> >>  > > I guess anyone can kick off a scan of an open source project and
> get
> >>  > > results within 48 hours. I was in the process of registering
> Metron to
> >>  > be
> >>  > > scanned but I found some things in their scan user agreement which
> I
> >>  > wasn't
> >>  > > sure everybody would be in line with (see below for the excerpts -
> >>  note I
> >>  > > did NOT read the entire document and IANAL).
> >>  > >
> >>  > > Here's the TL;DR of what Coverity Scan is:
> >>  > >
> >>  > > Coverity Scan <http://scan.coverity.com/> is a free static code
> >>  analysis
> >>  > > tool for Java, C, C++, C# and JavaScript.
> >>  > >
> >>  > > This addon leverages the Travis-CI infrastructure to automatically
> run
> >>  > code
> >>  > > analysis on your GitHub projects.
> >>  > >
> >>  > > Coverity Scan is a service by which Coverity provides the results
> of
> >>  > > analysis on open source coding projects to open source code
> developers
> >>  > that
> >>  > > have registered their products with Coverity Scan.
> >>  > >
> >>  > > Some examples of defects and vulnerabilities found by Coverity
> Quality
> >>  > > Advisor include:
> >>  > >
> >>  > > - resource leaks
> >>  > > - dereferences of NULL pointers
> >>  > > - incorrect usage of APIs
> >>  > > - use of uninitialized data
> >>  > > - memory corruptions
> >>  > > - buffer overruns
> >>  > > - control flow issues
> >>  > > - error handling issues
> >>  > > - incorrect expressions
> >>  > > - concurrency issues
> >>  > > - insecure data handling
> >>  > > - unsafe use of signed values
> >>  > > - use of resources that have been freed
> >>  > >
> >>  > > Register your project with Coverity Scan by completing the project
> >>  > > registration form found at scan.coverity.com. Upon your
> completion of
> >>  > > project registration (including acceptance of the Scan User
> Agreement)
> >>  > and
> >>  > > your receipt of confirmation of registration of your project, you
> will
> >>  be
> >>  > > able to download the Software required to submit a build of your
> code
> >>  for
> >>  > > analysis by Coverity Scan. You may then download the Software,
> >>  complete a
> >>  > > build and submit your Registered Project build for analysis and
> review
> >>  in
> >>  > > Coverity Scan. Coverity Scan is only available for use with open
> source
> >>  > > projects that are registered with Coverity Scan.
> >>  > > Here are some interesting snippets from their scan user agreement:
> >>  > >
> >>  > > Your use of our software is acceptance of our Terms
> >>  > > <https://scan.coverity.com/policy>
> >>  > >
> >>  > > You will not disassemble, decompile, reverse engineer, modify or
> create
> >>  > > derivative works of Our Service, software products or
> documentation nor
> >>  > > permit any third party to do so, except to the extent such
> restrictions
> >>  > are
> >>  > > prohibited by applicable mandatory local law
> >>  > >
> >>  > > You will not disclose to any third party any comparison of the
> results
> >>  of
> >>  > > operation of Our Service or software products with other services
> or
> >>  > > products, except as expressly permitted by this Agreement
> >>  > >
> >>  > > You will not publish any findings regarding or resulting from use
> of
> >>  the
> >>  > > Service or the Software
> >>  > >
> >>  > > You agree that We may use Your name and logo (in a form approved by
> >>  You)
> >>  > > and Registered Product information to identify You and such
> project as
> >>  a
> >>  > > participant of Our Scan Program on Our website or in Our marketing
> or
> >>  > > publicity materials or in any filings made in connection with
> state or
> >>  > > federal securities laws.
> >>  > >
> >>  > > Additionally, upon execution of this Agreement, the parties will
> use
> >>  > > commercially reasonable efforts to issue mutually agreed upon joint
> >>  press
> >>  > > releases or other public communications announcing Your entry into
> this
> >>  > > Agreement.
> >>  > >
> >>  > > At Our written request, You will furnish Us with (a) a
> certification
> >>  > signed
> >>  > > by an officer of Your company providing user or access information
> that
> >>  > > identifies whether the Service and the Software is being used in
> >>  > accordance
> >>  > > with the terms of this Agreement, and (b) log files from any
> License
> >>  > > Manager. Upon at least thirty (30) days prior written notice, We
> may
> >>  > > engage, at Our expense, an independent auditor to audit Your use
> of the
> >>  > > Service and the Software to ensure that You are in compliance with
> the
> >>  > > terms of this Agreement. ... You will provide the auditor with
> access
> >>  to
> >>  > > the relevant records and facilities.
> >>  > >
> >>  > > Jon
> >>  > >
> >>  > > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <
> zeolla@gmail.com>
> >>  > > wrote:
> >>  > >
> >>  > > > There's nothing built-in with Travis, but we could install a
> tool to
> >>  do
> >>  > > > this as part of the installation of tools on the build box. I'm
> >>  gonna
> >>  > > > reach out to people in my local circle who specialize in secure
> code
> >>  > > > analysis and see what all of the options are.
> >>  > > >
> >>  > > > Jon
> >>  > > >
> >>  > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org>
> >>  wrote:
> >>  > > >
> >>  > > >> I completely agree that we will need some focus on this.
> >>  > > >>
> >>  > > >> What could Travis do for us? I wasn't aware that they offered
> >>  > security
> >>  > > >> scanning.
> >>  > > >>
> >>  > > >> Are you aware of any security scan services that offer free
> support
> >>  to
> >>  > > >> open
> >>  > > >> source projects?
> >>  > > >>
> >>  > > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <
> zeolla@gmail.com
> >>  >
> >>  > > >> wrote:
> >>  > > >>
> >>  > > >> > So I've never done anything like this before in Travis but I
> have
> >>  > done
> >>  > > >> IDE
> >>  > > >> > plugins and pre prod scans in the past at large companies
> which
> >>  > worked
> >>  > > >> > well. I floated the idea past a friend working at Travis and
> she
> >>  > said
> >>  > > >> if
> >>  > > >> > we go that route she would assist.
> >>  > > >> >
> >>  > > >> > I just think that if this is integrated from the beginning and
> >>  fail
> >>  > > >> builds
> >>  > > >> > on critical issues (to start), this could be a big
> differentiator,
> >>  > > >> > especially because we're talking about a security platform
> that
> >>  > > >> centralizes
> >>  > > >> > tons of sensitive information, tries to parse almost anything
> >>  that's
> >>  > > >> thrown
> >>  > > >> > at it (think of what's been happening to AV products
> recently),
> >>  and
> >>  > is
> >>  > > >> open
> >>  > > >> > source for bad guys to dig into much more easily.
> >>  > > >> >
> >>  > > >> > Jon
> >>  > > >> >
> >>  > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org>
> >>  wrote:
> >>  > > >> >
> >>  > > >> > > I am not aware of any discussions around this, Jon. What are
> >>  you
> >>  > > >> > thinking?
> >>  > > >> > >
> >>  > > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <
> >>  > zeolla@gmail.com
> >>  > > >
> >>  > > >> > > wrote:
> >>  > > >> > >
> >>  > > >> > > > I was just wondering if there is any sort of static (or
> even
> >>  > > >> dynamic)
> >>  > > >> > > code
> >>  > > >> > > > analysis, or penetration testing/vulnerability assessment,
> >>  > > >> occurring at
> >>  > > >> > > any
> >>  > > >> > > > point on the metron code. Has there been any discussion of
> >>  > > >> installing
> >>  > > >> > > > something along those lines on the Travis build server
> (if it
> >>  > > isn't
> >>  > > >> > there
> >>  > > >> > > > already)? Thanks,
> >>  > > >> > > >
> >>  > > >> > > > Jon
> >>  > > >> > > > --
> >>  > > >> > > >
> >>  > > >> > > > Jon
> >>  > > >> > > >
> >>  > > >> > >
> >>  > > >> > >
> >>  > > >> > >
> >>  > > >> > > --
> >>  > > >> > > Nick Allen <ni...@nickallen.org>
> >>  > > >> > >
> >>  > > >> > --
> >>  > > >> >
> >>  > > >> > Jon
> >>  > > >> >
> >>  > > >>
> >>  > > >>
> >>  > > >>
> >>  > > >> --
> >>  > > >> Nick Allen <ni...@nickallen.org>
> >>  > > >>
> >>  > > > --
> >>  > > >
> >>  > > > Jon
> >>  > > >
> >>  > > --
> >>  > >
> >>  > > Jon
> >>  > >
> >>  >
> >>  >
> >>  >
> >>  > --
> >>  > Nick Allen <ni...@nickallen.org>
> >>  >
> >>  --
> >>
> >>  Jon
> >
> > --
> > Nick Allen <ni...@nickallen.org>
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org
>
> --
>
> Jon
>
-- 

Jon

Sent from my mobile device

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
Per the other discussion it is possible that this conflicts with the Apache
stance for vulnerability disclosure/management.  I'm going to hold off on
any additional effort until I know more.

Jon

On Tue, May 31, 2016, 16:07 James Sirota <js...@apache.org> wrote:

> Jon, would it be possible for you to scan Metron from your own branch?
> I'd like to know if this is useful at all.  If we get value out of it I'll
> run this down and see how we can get it hooked up.
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org
>
-- 

Jon

Re: Secure code analysis

Posted by James Sirota <js...@apache.org>.
Jon, would it be possible for you to scan Metron from your own branch?  I'd like to know if this is useful at all.  If we get value out of it I'll run this down and see how we can get it hooked up.

31.05.2016, 10:08, "Nick Allen" <ni...@nickallen.org>:
> I connect Travis to my own personal fork of Metron so that the CI builds
> run on my own branches before I submit PRs. Thinking you could do the same
> with this. Maybe I'm wrong.
>
> --
> Nick Allen <ni...@nickallen.org>

-------------------
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
I connect Travis to my own personal fork of Metron so that the CI builds
run on my own branches before I submit PRs.  Thinking you could do the same
with this.  Maybe I'm wrong.

On Tue, May 31, 2016 at 1:06 PM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> To register a project on Coverity Scan, you must be a contributor or
> maintainer of the project.
>
> It may also be worth mentioning that there are a ton of Apache projects
> already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi,
> Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc.  See
> https://scan.coverity.com/projects?page=2
>
> Jon
>
> --
>
> Jon
>



-- 
Nick Allen <ni...@nickallen.org>
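The setup Nick and James are suggesting, a Coverity Scan submission wired into the Travis build of a personal fork so it can be tried out before anything touches the project's CI, as an added example. This is not Metron's own .travis.yml and not code from anyone in this thread; it uses the Travis coverity_scan addon Jon linked. The fork name, notification address, JDK, Maven build commands and the coverity_scan branch name are assumptions for illustration, and the COVERITY_SCAN_TOKEN value is the per-project token Coverity issues at registration, kept as an encrypted Travis variable rather than in the file:

```yaml
# Added example: Coverity Scan via the Travis addon, on a personal fork.
# Not Metron's own .travis.yml. Fork name, e-mail, JDK, build commands and
# branch name are assumptions for illustration.
language: java
jdk:
  - oraclejdk8

env:
  global:
    # Produced by `travis encrypt COVERITY_SCAN_TOKEN=<token>` for this fork.
    # The plaintext token never goes into the repository, and an encrypted
    # value only decrypts on the repository it was generated for.
    - secure: "REPLACE_WITH_OUTPUT_OF_travis_encrypt_COVERITY_SCAN_TOKEN"

addons:
  coverity_scan:
    project:
      name: "zeolla/incubator-metron"          # assumed fork name
      description: "Metron fork, Coverity Scan trial"
    notification_email: zeolla@gmail.com        # address used in the thread
    # Build what the analyser needs to observe: a compile. Tests add nothing
    # for static analysis and only slow down the submission.
    build_command_prepend: "mvn clean"
    build_command: "mvn -DskipTests=true compile"
    # Only pushes to this branch submit a build to Coverity. Normal PR builds
    # are untouched, and Coverity Scan limits how often a project may submit,
    # so the scan branch is pushed to deliberately rather than on every commit.
    branch_pattern: coverity_scan

script:
  # On the scan branch the addon already ran the build above; skip the
  # regular build there so Maven does not run twice in one job.
  - if [ "${TRAVIS_BRANCH}" != "coverity_scan" ]; then mvn -q install; fi
```

Two caveats for anyone trying this on a fork. The addon only uploads a build; the analysis runs on Coverity's side and the findings appear on scan.coverity.com (Jon mentions results within 48 hours), so this does not by itself fail the build on critical defects as Jon proposed. A gate would need a separate step that reads the results back, and the "You will not publish any findings" clause Jon quoted from the agreement is worth checking before any such step prints findings into a public Travis log.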

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
To register a project on Coverity Scan, you must be a contributor or
maintainer of the project.

It may also be worth mentioning that there are a ton of Apache projects
already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi,
Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc.  See
https://scan.coverity.com/projects?page=2

Jon

On Tue, May 31, 2016 at 12:52 PM Nick Allen <ni...@nickallen.org> wrote:

> You could set it up on your own fork of Metron in Github.  Then you can
> tell us if it is useful at all.
>
> On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <ze...@gmail.com>
> wrote:
>
> > So I did a bit of digging today and I found a few options
> > <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> > favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.  I've
> > never used this product before, so I'm not exactly sure what to expect,
> but
> > I guess anyone can kick off a scan of an open source project and get
> > results within 48 hours.  I was in the process of registering Metron to
> be
> > scanned but I found some things in their scan user agreement which I
> wasn't
> > sure everybody would be in line with (see below for the excerpts - note I
> > did NOT read the entire document and IANAL).
> >
> > Here's the TL;DR of what Coverity Scan is:
> >
> > Coverity Scan <http://scan.coverity.com/> is a free static code analysis
> > tool for Java, C, C++, C# and JavaScript.
> >
> > This addon leverages the Travis-CI infrastructure to automatically run
> code
> > analysis on your GitHub projects.
> >
> > Coverity Scan is a service by which Coverity provides the results of
> > analysis on open source coding projects to open source code developers
> that
> > have registered their products with Coverity Scan.
> >
> > Some examples of defects and vulnerabilities found by Coverity Quality
> > Advisor include:
> >
> >    - resources leaks
> >    - dereferences of NULL pointers
> >    - incorrect usage of APIs
> >    - use of uninitialized data
> >    - memory corruptions
> >    - buffer overruns
> >    - control flow issues
> >    - error handling issues
> >    - incorrect expressions
> >    - concurrency issues
> >    - insecure data handling
> >    - unsafe use of signed values
> >    - use of resources that have been freed
> >
> > Register your project with Coverity Scan by completing the project
> > registration form found at scan.coverity.com. Upon your completion of
> > project registration (including acceptance of the Scan User Agreement)
> and
> > your receipt of confirmation of registration of your project, you will be
> > able to download the Software required to submit a build of your code for
> > analysis by Coverity Scan. You may then download the Software, complete a
> > build and submit your Registered Project build for analysis and review in
> > Coverity Scan. Coverity Scan is only available for use with open source
> > projects that are registered with Coverity Scan.
> >
> > Here are some interesting snippets from their scan user agreement:
> >
> > Your use of our software is acceptance of our Terms
> > <https://scan.coverity.com/policy>
> >
> > You will not disassemble, decompile, reverse engineer, modify or create
> > derivative works of Our Service, software products or documentation nor
> > permit any third party to do so, except to the extent such restrictions
> are
> > prohibited by applicable mandatory local law
> >
> > You will not disclose to any third party any comparison of the results of
> > operation of Our Service or software products with other services or
> > products, except as expressly permitted by this Agreement
> >
> > You will not publish any findings regarding or resulting from use of the
> > Service or the Software
> >
> > You agree that We may use Your name and logo (in a form approved by You)
> > and Registered Product information to identify You and such project as a
> > participant of Our Scan Program on Our website or in Our marketing or
> > publicity materials or in any filings made in connection with state or
> > federal securities laws.
> >
> > Additionally, upon execution of this Agreement, the parties will use
> > commercially reasonable efforts to issue mutually agreed upon joint press
> > releases or other public communications announcing Your entry into this
> > Agreement.
> >
> > At Our written request, You will furnish Us with (a) a certification
> signed
> > by an officer of Your company providing user or access information that
> > identifies whether the Service and the Software is being used in
> accordance
> > with the terms of this Agreement, and (b) log files from any License
> > Manager. Upon at least thirty (30) days prior written notice, We may
> > engage, at Our expense, an independent auditor to audit Your use of the
> > Service and the Software to ensure that You are in compliance with the
> > terms of this Agreement. ... You will provide the auditor with access to
> > the relevant records and facilities.
> >
> > Jon
> >
> > On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <ze...@gmail.com>
> > wrote:
> >
> > > There's nothing built-in with Travis, but we could install a tool to do
> > > this as part of the installation of tools on the build box.  I'm gonna
> > > reach out to people in my local circle who specialize in secure code
> > > analysis and see what all of the options are.
> > >
> > > Jon
> > >
> > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org> wrote:
> > >
> > >> I completely agree that we will need some focus on this.
> > >>
> > >> What could Travis do for us?  I wasn't aware that they offered
> security
> > >> scanning.
> > >>
> > >> Are you aware of any security scan services that offer free support to
> > >> open
> > >> source projects?
> > >>
> > >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <ze...@gmail.com>
> > >> wrote:
> > >>
> > >> > So I've never done anything like this before in Travis but I have
> done
> > >> IDE
> > >> > plugins and pre prod scans in the past at large companies which
> worked
> > >> > well.  I floated the idea past a friend working at Travis and she
> said
> > >> if
> > >> > we go that route she would assist.
> > >> >
> > >> > I just think that if this is integrated from the beginning and fail
> > >> builds
> > >> > on critical issues (to start), this could be a big differentiator,
> > >> > especially because we're talking about a security platform that
> > >> centralizes
> > >> > tons of sensitive information, tries to parse almost anything that's
> > >> thrown
> > >> > at it (think of what's been happening to AV products recently), and
> is
> > >> open
> > >> > source for bad guys to dig into much more easily.
> > >> >
> > >> > Jon
> > >> >
> > >> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:
> > >> >
> > >> > > I am not aware of any discussions around this, Jon.  What are you
> > >> > thinking?
> > >> > >
> > >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <
> zeolla@gmail.com
> > >
> > >> > > wrote:
> > >> > >
> > >> > > > I was just wondering if there is any sort of static (or even
> > >> dynamic)
> > >> > > code
> > >> > > > analysis, or penetration testing/vulnerability assessment,
> > >> occurring at
> > >> > > any
> > >> > > > point on the metron code.  Has there been any discussion of
> > >> installing
> > >> > > > something along those lines on the Travis build server (if it
> > isn't
> > >> > there
> > >> > > > already)?  Thanks,
> > >> > > >
> > >> > > > Jon
> > >> > > > --
> > >> > > >
> > >> > > > Jon
> > >> > > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Nick Allen <ni...@nickallen.org>
> > >> > >
> > >> > --
> > >> >
> > >> > Jon
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Nick Allen <ni...@nickallen.org>
> > >>
> > > --
> > >
> > > Jon
> > >
> > --
> >
> > Jon
> >
>
>
>
> --
> Nick Allen <ni...@nickallen.org>
>
-- 

Jon

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
You could set it up on your own fork of Metron in Github.  Then you can
tell us if it is useful at all.

On Sat, May 28, 2016 at 2:36 PM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> So I did a bit of digging today and I found a few options
> <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
> favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.  I've
> never used this product before, so I'm not exactly sure what to expect, but
> I guess anyone can kick off a scan of an open source project and get
> results within 48 hours.  I was in the process of registering Metron to be
> scanned but I found some things in their scan user agreement which I wasn't
> sure everybody would be in line with (see below for the excerpts - note I
> did NOT read the entire document and IANAL).
>
> Here's the TL;DR of what Coverity Scan is:
>
> Coverity Scan <http://scan.coverity.com/> is a free static code analysis
> tool for Java, C, C++, C# and JavaScript.
>
> This addon leverages the Travis-CI infrastructure to automatically run code
> analysis on your GitHub projects.
>
> Coverity Scan is a service by which Coverity provides the results of
> analysis on open source coding projects to open source code developers that
> have registered their products with Coverity Scan.
>
> Some examples of defects and vulnerabilities found by Coverity Quality
> Advisor include:
>
>    - resource leaks
>    - dereferences of NULL pointers
>    - incorrect usage of APIs
>    - use of uninitialized data
>    - memory corruptions
>    - buffer overruns
>    - control flow issues
>    - error handling issues
>    - incorrect expressions
>    - concurrency issues
>    - insecure data handling
>    - unsafe use of signed values
>    - use of resources that have been freed
>
> Register your project with Coverity Scan by completing the project
> registration form found at scan.coverity.com. Upon your completion of
> project registration (including acceptance of the Scan User Agreement) and
> your receipt of confirmation of registration of your project, you will be
> able to download the Software required to submit a build of your code for
> analysis by Coverity Scan. You may then download the Software, complete a
> build and submit your Registered Project build for analysis and review in
> Coverity Scan. Coverity Scan is only available for use with open source
> projects that are registered with Coverity Scan.
>
> Here are some interesting snippets from their scan user agreement:
>
> Your use of our software is acceptance of our Terms
> <https://scan.coverity.com/policy>
>
> You will not disassemble, decompile, reverse engineer, modify or create
> derivative works of Our Service, software products or documentation nor
> permit any third party to do so, except to the extent such restrictions are
> prohibited by applicable mandatory local law
>
> You will not disclose to any third party any comparison of the results of
> operation of Our Service or software products with other services or
> products, except as expressly permitted by this Agreement
>
> You will not publish any findings regarding or resulting from use of the
> Service or the Software
>
> You agree that We may use Your name and logo (in a form approved by You)
> and Registered Product information to identify You and such project as a
> participant of Our Scan Program on Our website or in Our marketing or
> publicity materials or in any filings made in connection with state or
> federal securities laws.
>
> Additionally, upon execution of this Agreement, the parties will use
> commercially reasonable efforts to issue mutually agreed upon joint press
> releases or other public communications announcing Your entry into this
> Agreement.
>
> At Our written request, You will furnish Us with (a) a certification signed
> by an officer of Your company providing user or access information that
> identifies whether the Service and the Software is being used in accordance
> with the terms of this Agreement, and (b) log files from any License
> Manager. Upon at least thirty (30) days prior written notice, We may
> engage, at Our expense, an independent auditor to audit Your use of the
> Service and the Software to ensure that You are in compliance with the
> terms of this Agreement. ... You will provide the auditor with access to
> the relevant records and facilities.
>
> Jon
>
> On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <ze...@gmail.com>
> wrote:
>
> > There's nothing built-in with Travis, but we could install a tool to do
> > this as part of the installation of tools on the build box.  I'm gonna
> > reach out to people in my local circle who specialize in secure code
> > analysis and see what all of the options are.
> >
> > Jon
> >
> > On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org> wrote:
> >
> >> I completely agree that we will need some focus on this.
> >>
> >> What could Travis do for us?  I wasn't aware that they offered security
> >> scanning.
> >>
> >> Are you aware of any security scan services that offer free support to
> >> open
> >> source projects?
> >>
> >> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <ze...@gmail.com>
> >> wrote:
> >>
> >> > So I've never done anything like this before in Travis but I have done
> >> IDE
> >> > plugins and pre prod scans in the past at large companies which worked
> >> > well.  I floated the idea past a friend working at Travis and she said
> >> if
> >> > we go that route she would assist.
> >> >
> >> > I just think that if this is integrated from the beginning and fail
> >> builds
> >> > on critical issues (to start), this could be a big differentiator,
> >> > especially because we're talking about a security platform that
> >> centralizes
> >> > tons of sensitive information, tries to parse almost anything that's
> >> thrown
> >> > at it (think of what's been happening to AV products recently), and is
> >> open
> >> > source for bad guys to dig into much more easily.
> >> >
> >> > Jon
> >> >
> >> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:
> >> >
> >> > > I am not aware of any discussions around this, Jon.  What are you
> >> > thinking?
> >> > >
> >> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <zeolla@gmail.com
> >
> >> > > wrote:
> >> > >
> >> > > > I was just wondering if there is any sort of static (or even
> >> dynamic)
> >> > > code
> >> > > > analysis, or penetration testing/vulnerability assessment,
> >> occurring at
> >> > > any
> >> > > > point on the metron code.  Has there been any discussion of
> >> installing
> >> > > > something along those lines on the Travis build server (if it
> isn't
> >> > there
> >> > > > already)?  Thanks,
> >> > > >
> >> > > > Jon
> >> > > > --
> >> > > >
> >> > > > Jon
> >> > > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > Nick Allen <ni...@nickallen.org>
> >> > >
> >> > --
> >> >
> >> > Jon
> >> >
> >>
> >>
> >>
> >> --
> >> Nick Allen <ni...@nickallen.org>
> >>
> > --
> >
> > Jon
> >
> --
>
> Jon
>



-- 
Nick Allen <ni...@nickallen.org>

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
So I did a bit of digging today and I found a few options
<https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.  I've
never used this product before, so I'm not exactly sure what to expect, but
I guess anyone can kick off a scan of an open source project and get
results within 48 hours.  I was in the process of registering Metron to be
scanned but I found some things in their scan user agreement which I wasn't
sure everybody would be in line with (see below for the excerpts - note I
did NOT read the entire document and IANAL).

Here's the TL;DR of what Coverity Scan is:

Coverity Scan <http://scan.coverity.com/> is a free static code analysis
tool for Java, C, C++, C# and JavaScript.

This addon leverages the Travis-CI infrastructure to automatically run code
analysis on your GitHub projects.

Coverity Scan is a service by which Coverity provides the results of
analysis on open source coding projects to open source code developers that
have registered their products with Coverity Scan.

Some examples of defects and vulnerabilities found by Coverity Quality
Advisor include:

   - resource leaks
   - dereferences of NULL pointers
   - incorrect usage of APIs
   - use of uninitialized data
   - memory corruptions
   - buffer overruns
   - control flow issues
   - error handling issues
   - incorrect expressions
   - concurrency issues
   - insecure data handling
   - unsafe use of signed values
   - use of resources that have been freed

Register your project with Coverity Scan by completing the project
registration form found at scan.coverity.com. Upon your completion of
project registration (including acceptance of the Scan User Agreement) and
your receipt of confirmation of registration of your project, you will be
able to download the Software required to submit a build of your code for
analysis by Coverity Scan. You may then download the Software, complete a
build and submit your Registered Project build for analysis and review in
Coverity Scan. Coverity Scan is only available for use with open source
projects that are registered with Coverity Scan.

Here are some interesting snippets from their scan user agreement:

Your use of our software is acceptance of our Terms
<https://scan.coverity.com/policy>

You will not disassemble, decompile, reverse engineer, modify or create
derivative works of Our Service, software products or documentation nor
permit any third party to do so, except to the extent such restrictions are
prohibited by applicable mandatory local law

You will not disclose to any third party any comparison of the results of
operation of Our Service or software products with other services or
products, except as expressly permitted by this Agreement

You will not publish any findings regarding or resulting from use of the
Service or the Software

You agree that We may use Your name and logo (in a form approved by You)
and Registered Product information to identify You and such project as a
participant of Our Scan Program on Our website or in Our marketing or
publicity materials or in any filings made in connection with state or
federal securities laws.

Additionally, upon execution of this Agreement, the parties will use
commercially reasonable efforts to issue mutually agreed upon joint press
releases or other public communications announcing Your entry into this
Agreement.

At Our written request, You will furnish Us with (a) a certification signed
by an officer of Your company providing user or access information that
identifies whether the Service and the Software is being used in accordance
with the terms of this Agreement, and (b) log files from any License
Manager. Upon at least thirty (30) days prior written notice, We may
engage, at Our expense, an independent auditor to audit Your use of the
Service and the Software to ensure that You are in compliance with the
terms of this Agreement. ... You will provide the auditor with access to
the relevant records and facilities.

Jon

On Fri, May 27, 2016 at 11:14 AM Zeolla@GMail.com <ze...@gmail.com> wrote:

> There's nothing built-in with Travis, but we could install a tool to do
> this as part of the installation of tools on the build box.  I'm gonna
> reach out to people in my local circle who specialize in secure code
> analysis and see what all of the options are.
>
> Jon
>
> On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org> wrote:
>
>> I completely agree that we will need some focus on this.
>>
>> What could Travis do for us?  I wasn't aware that they offered security
>> scanning.
>>
>> Are you aware of any security scan services that offer free support to
>> open
>> source projects?
>>
>> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <ze...@gmail.com>
>> wrote:
>>
>> > So I've never done anything like this before in Travis but I have done
>> IDE
>> > plugins and pre prod scans in the past at large companies which worked
>> > well.  I floated the idea past a friend working at Travis and she said
>> if
>> > we go that route she would assist.
>> >
>> > I just think that if this is integrated from the beginning and fail
>> builds
>> > on critical issues (to start), this could be a big differentiator,
>> > especially because we're talking about a security platform that
>> centralizes
>> > tons of sensitive information, tries to parse almost anything that's
>> thrown
>> > at it (think of what's been happening to AV products recently), and is
>> open
>> > source for bad guys to dig into much more easily.
>> >
>> > Jon
>> >
>> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:
>> >
>> > > I am not aware of any discussions around this, Jon.  What are you
>> > thinking?
>> > >
>> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <ze...@gmail.com>
>> > > wrote:
>> > >
>> > > > I was just wondering if there is any sort of static (or even
>> dynamic)
>> > > code
>> > > > analysis, or penetration testing/vulnerability assessment,
>> occurring at
>> > > any
>> > > > point on the metron code.  Has there been any discussion of
>> installing
>> > > > something along those lines on the Travis build server (if it isn't
>> > there
>> > > > already)?  Thanks,
>> > > >
>> > > > Jon
>> > > > --
>> > > >
>> > > > Jon
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Nick Allen <ni...@nickallen.org>
>> > >
>> > --
>> >
>> > Jon
>> >
>>
>>
>>
>> --
>> Nick Allen <ni...@nickallen.org>
>>
> --
>
> Jon
>
-- 

Jon
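As an added illustration of the Travis CI addon Jon describes above (this is not configuration from the Metron repository or from Coverity's documentation), the following .travis.yml wires a registered project into Coverity Scan. The project name, the notification address, the JDK and the Maven build commands are assumptions for a Java/Maven project; the `secure:` value is a placeholder standing in for the output of `travis encrypt COVERITY_SCAN_TOKEN=...`.

```yaml
# Added example, not part of the Metron repository: a .travis.yml that
# submits a build to Coverity Scan through the Travis CI coverity_scan addon.
# Assumptions: the project is registered at scan.coverity.com under the name
# below, it builds with Maven on JDK 8, and COVERITY_SCAN_TOKEN has been
# encrypted with `travis encrypt` (the "secure:" value here is a placeholder).
language: java
jdk:
  - openjdk8          # assumed JDK for the build

env:
  global:
    # Encrypted COVERITY_SCAN_TOKEN. Never commit the plaintext token: the
    # encrypted form is decrypted only for builds of this repository, and
    # Travis withholds encrypted variables from pull requests opened from forks,
    # so an untrusted PR can neither trigger a submission nor read the token.
    - secure: "PLACEHOLDER_OUTPUT_OF_travis_encrypt_COVERITY_SCAN_TOKEN"

addons:
  coverity_scan:
    project:
      name: "apache/incubator-metron"          # assumed registered project name
      description: "Metron build submitted via Travis CI"
    notification_email: dev@metron.apache.org   # assumed recipient of scan results
    # cov-build wraps the compile step; tests are skipped so the instrumented
    # build stays short and produces the same artifacts every run.
    build_command_prepend: "mvn -q clean"
    build_command: "mvn -q -DskipTests compile"
    # Submit only from a dedicated branch: Coverity Scan rate-limits uploads
    # per project, and this keeps the scan job away from every feature branch.
    branch_pattern: coverity_scan

# The addon runs before the script phase and exports COVERITY_SCAN_BRANCH=1 on
# a matching branch; skip the normal build there so the code is compiled once.
script:
  - if [ "${COVERITY_SCAN_BRANCH}" != "1" ]; then mvn -q -DskipTests package; fi
```

Two caveats a practitioner would weigh against the "fail builds on critical issues" goal raised earlier in the thread: the addon only uploads the instrumented build, and the analysis itself runs on Coverity's side with results delivered later (the post above quotes up to 48 hours), so this job cannot fail a build synchronously on findings. Gating merges on defects therefore needs a separate step that reads the published results, and a project should confirm that step is compatible with the agreement clause quoted above about not publishing findings from the Service.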

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
There's nothing built-in with Travis, but we could install a tool to do
this as part of the installation of tools on the build box.  I'm gonna
reach out to people in my local circle who specialize in secure code
analysis and see what all of the options are.

Jon

On Fri, May 27, 2016 at 9:50 AM Nick Allen <ni...@nickallen.org> wrote:

> I completely agree that we will need some focus on this.
>
> What could Travis do for us?  I wasn't aware that they offered security
> scanning.
>
> Are you aware of any security scan services that offer free support to open
> source projects?
>
> On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <ze...@gmail.com>
> wrote:
>
> > So I've never done anything like this before in Travis but I have done
> IDE
> > plugins and pre prod scans in the past at large companies which worked
> > well.  I floated the idea past a friend working at Travis and she said if
> > we go that route she would assist.
> >
> > I just think that if this is integrated from the beginning and fail
> builds
> > on critical issues (to start), this could be a big differentiator,
> > especially because we're talking about a security platform that
> centralizes
> > tons of sensitive information, tries to parse almost anything that's
> thrown
> > at it (think of what's been happening to AV products recently), and is
> open
> > source for bad guys to dig into much more easily.
> >
> > Jon
> >
> > On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:
> >
> > > I am not aware of any discussions around this, Jon.  What are you
> > thinking?
> > >
> > > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <ze...@gmail.com>
> > > wrote:
> > >
> > > > I was just wondering if there is any sort of static (or even dynamic)
> > > code
> > > > analysis, or penetration testing/vulnerability assessment, occurring
> at
> > > any
> > > > point on the metron code.  Has there been any discussion of
> installing
> > > > something along those lines on the Travis build server (if it isn't
> > there
> > > > already)?  Thanks,
> > > >
> > > > Jon
> > > > --
> > > >
> > > > Jon
> > > >
> > >
> > >
> > >
> > > --
> > > Nick Allen <ni...@nickallen.org>
> > >
> > --
> >
> > Jon
> >
>
>
>
> --
> Nick Allen <ni...@nickallen.org>
>
-- 

Jon

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
I completely agree that we will need some focus on this.

What could Travis do for us?  I wasn't aware that they offered security
scanning.

Are you aware of any security scan services that offer free support to open
source projects?

On Fri, May 27, 2016 at 9:42 AM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> So I've never done anything like this before in Travis but I have done IDE
> plugins and pre prod scans in the past at large companies which worked
> well.  I floated the idea past a friend working at Travis and she said if
> we go that route she would assist.
>
> I just think that if this is integrated from the beginning and fail builds
> on critical issues (to start), this could be a big differentiator,
> especially because we're talking about a security platform that centralizes
> tons of sensitive information, tries to parse almost anything that's thrown
> at it (think of what's been happening to AV products recently), and is open
> source for bad guys to dig into much more easily.
>
> Jon
>
> On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:
>
> > I am not aware of any discussions around this, Jon.  What are you
> thinking?
> >
> > On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <ze...@gmail.com>
> > wrote:
> >
> > > I was just wondering if there is any sort of static (or even dynamic)
> > code
> > > analysis, or penetration testing/vulnerability assessment, occurring at
> > any
> > > point on the metron code.  Has there been any discussion of installing
> > > something along those lines on the Travis build server (if it isn't
> there
> > > already)?  Thanks,
> > >
> > > Jon
> > > --
> > >
> > > Jon
> > >
> >
> >
> >
> > --
> > Nick Allen <ni...@nickallen.org>
> >
> --
>
> Jon
>



-- 
Nick Allen <ni...@nickallen.org>

Re: Secure code analysis

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.
So I've never done anything like this before in Travis but I have done IDE
plugins and pre prod scans in the past at large companies which worked
well.  I floated the idea past a friend working at Travis and she said if
we go that route she would assist.

I just think that if this is integrated from the beginning and fail builds
on critical issues (to start), this could be a big differentiator,
especially because we're talking about a security platform that centralizes
tons of sensitive information, tries to parse almost anything that's thrown
at it (think of what's been happening to AV products recently), and is open
source for bad guys to dig into much more easily.

Jon

On Fri, May 27, 2016, 09:34 Nick Allen <ni...@nickallen.org> wrote:

> I am not aware of any discussions around this, Jon.  What are you thinking?
>
> On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <ze...@gmail.com>
> wrote:
>
> > I was just wondering if there is any sort of static (or even dynamic)
> code
> > analysis, or penetration testing/vulnerability assessment, occurring at
> any
> > point on the metron code.  Has there been any discussion of installing
> > something along those lines on the Travis build server (if it isn't there
> > already)?  Thanks,
> >
> > Jon
> > --
> >
> > Jon
> >
>
>
>
> --
> Nick Allen <ni...@nickallen.org>
>
-- 

Jon

Re: Secure code analysis

Posted by Nick Allen <ni...@nickallen.org>.
I am not aware of any discussions around this, Jon.  What are you thinking?

On Thu, May 26, 2016 at 4:35 PM, Zeolla@GMail.com <ze...@gmail.com> wrote:

> I was just wondering if there is any sort of static (or even dynamic) code
> analysis, or penetration testing/vulnerability assessment, occurring at any
> point on the metron code.  Has there been any discussion of installing
> something along those lines on the Travis build server (if it isn't there
> already)?  Thanks,
>
> Jon
> --
>
> Jon
>



-- 
Nick Allen <ni...@nickallen.org>