Per the other discussion it is possible that this conflicts with the Apache stance for vulnerability disclosure/management. I'm going to hold off on any additional effort until I know more.
Jon

On Tue, May 31, 2016, 16:07 James Sirota <jsir...@apache.org> wrote:

> Jon, would it be possible for you to scan Metron from your own branch?
> I'd like to know if this is useful at all. If we get value out of it I'll
> run this down and see how we can get it hooked up.
>
> 31.05.2016, 10:08, "Nick Allen" <n...@nickallen.org>:
>
>> I connect Travis to my own personal fork of Metron so that the CI builds
>> run on my own branches before I submit PRs. Thinking you could do the same
>> with this. Maybe I'm wrong.
>>
>> On Tue, May 31, 2016 at 1:06 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
>>
>>> To register project on Coverity Scan, you must be contributor or maintainer
>>> of the project.
>>>
>>> It may also be worth mentioning that there are a ton of Apache projects
>>> already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi,
>>> Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See
>>> https://scan.coverity.com/projects?page=2
>>>
>>> Jon
>>>
>>> On Tue, May 31, 2016 at 12:52 PM Nick Allen <n...@nickallen.org> wrote:
>>>
>>>> You could set it up on your own fork of Metron in Github. Then you can
>>>> tell us if it is useful at all.
>>>>
>>>> On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
>>>>
>>>>> So I did a bit of digging today and I found a few options
>>>>> <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
>>>>> favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've
>>>>> never used this product before, so I'm not exactly sure what to expect,
>>>>> but I guess anyone can kick off a scan of an open source project and get
>>>>> results within 48 hours. I was in the process of registering Metron to
>>>>> be scanned but I found some things in their scan user agreement which I
>>>>> wasn't sure everybody would be in line with (see below for the excerpts -
>>>>> note I did NOT read the entire document and IANAL).
>>>>>
>>>>> Here's the TL;DR of what Coverity Scan is:
>>>>>
>>>>> Coverity Scan <http://scan.coverity.com/> is a free static code analysis
>>>>> tool for Java, C, C++, C# and JavaScript.
>>>>>
>>>>> This addon leverages the Travis-CI infrastructure to automatically run code
>>>>> analysis on your GitHub projects.
>>>>>
>>>>> Coverity Scan is a service by which Coverity provides the results of
>>>>> analysis on open source coding projects to open source code developers that
>>>>> have registered their products with Coverity Scan.
>>>>>
>>>>> Some examples of defects and vulnerabilities found by Coverity Quality
>>>>> Advisor include:
>>>>>
>>>>> - resources leaks
>>>>> - dereferences of NULL pointers
>>>>> - incorrect usage of APIs
>>>>> - use of uninitialized data
>>>>> - memory corruptions
>>>>> - buffer overruns
>>>>> - control flow issues
>>>>> - error handling issues
>>>>> - incorrect expressions
>>>>> - concurrency issues
>>>>> - insecure data handling
>>>>> - unsafe use of signed values
>>>>> - use of resources that have been freed
>>>>>
>>>>> Register your project with Coverity Scan by completing the project
>>>>> registration form found at scan.coverity.com. Upon your completion of
>>>>> project registration (including acceptance of the Scan User Agreement) and
>>>>> your receipt of confirmation of registration of your project, you will be
>>>>> able to download the Software required to submit a build of your code for
>>>>> analysis by Coverity Scan. You may then download the Software, complete a
>>>>> build and submit your Registered Project build for analysis and review in
>>>>> Coverity Scan. Coverity Scan is only available for use with open source
>>>>> projects that are registered with Coverity Scan.
>>>>>
>>>>> Here are some interesting snippets from their scan user agreement:
>>>>>
>>>>> Your use of our software is acceptance of our Terms
>>>>> <https://scan.coverity.com/policy>
>>>>>
>>>>> You will not disassemble, decompile, reverse engineer, modify or create
>>>>> derivative works of Our Service, software products or documentation nor
>>>>> permit any third party to do so, except to the extent such restrictions are
>>>>> prohibited by applicable mandatory local law
>>>>>
>>>>> You will not disclose to any third party any comparison of the results of
>>>>> operation of Our Service or software products with other services or
>>>>> products, except as expressly permitted by this Agreement
>>>>>
>>>>> You will not publish any findings regarding or resulting from use of the
>>>>> Service or the Software
>>>>>
>>>>> You agree that We may use Your name and logo (in a form approved by You)
>>>>> and Registered Product information to identify You and such project as a
>>>>> participant of Our Scan Program on Our website or in Our marketing or
>>>>> publicity materials or in any filings made in connection with state or
>>>>> federal securities laws.
>>>>>
>>>>> Additionally, upon execution of this Agreement, the parties will use
>>>>> commercially reasonable efforts to issue mutually agreed upon joint press
>>>>> releases or other public communications announcing Your entry into this
>>>>> Agreement.
>>>>>
>>>>> At Our written request, You will furnish Us with (a) a certification signed
>>>>> by an officer of Your company providing user or access information that
>>>>> identifies whether the Service and the Software is being used in accordance
>>>>> with the terms of this Agreement, and (b) log files from any License
>>>>> Manager. Upon at least thirty (30) days prior written notice, We may
>>>>> engage, at Our expense, an independent auditor to audit Your use of the
>>>>> Service and the Software to ensure that You are in compliance with the
>>>>> terms of this Agreement. ... You will provide the auditor with access to
>>>>> the relevant records and facilities.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:
>>>>>
>>>>>> There's nothing built-in with Travis, but we could install a tool to do
>>>>>> this as part of the installation of tools on the build box. I'm gonna
>>>>>> reach out to people in my local circle who specialize in secure code
>>>>>> analysis and see what all of the options are.
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
>>>>>>
>>>>>>> I completely agree that we will need some focus on this.
>>>>>>>
>>>>>>> What could Travis do for us? I wasn't aware that they offered security
>>>>>>> scanning.
>>>>>>>
>>>>>>> Are you aware of any security scan services that offer free support to
>>>>>>> open source projects?
>>>>>>>
>>>>>>> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
>>>>>>>
>>>>>>>> So I've never done anything like this before in Travis but I have done
>>>>>>>> IDE plugins and pre prod scans in the past at large companies which
>>>>>>>> worked well. I floated the idea past a friend working at Travis and she
>>>>>>>> said if we go that route she would assist.
>>>>>>>>
>>>>>>>> I just think that if this is integrated from the beginning and fail
>>>>>>>> builds on critical issues (to start), this could be a big differentiator,
>>>>>>>> especially because we're talking about a security platform that
>>>>>>>> centralizes tons of sensitive information, tries to parse almost anything
>>>>>>>> that's thrown at it (think of what's been happening to AV products
>>>>>>>> recently), and is open source for bad guys to dig into much more easily.
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
>>>>>>>>
>>>>>>>>> I am not aware of any discussions around this, Jon. What are you
>>>>>>>>> thinking?
>>>>>>>>>
>>>>>>>>> On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I was just wondering if there is any sort of static (or even dynamic)
>>>>>>>>>> code analysis, or penetration testing/vulnerability assessment,
>>>>>>>>>> occurring at any point on the metron code. Has there been any
>>>>>>>>>> discussion of installing something along those lines on the Travis
>>>>>>>>>> build server (if it isn't there already)?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Jon
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Nick Allen <n...@nickallen.org>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Jon
>>>>>>>
>>>>>>> --
>>>>>>> Nick Allen <n...@nickallen.org>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Jon
>>>>>
>>>>> --
>>>>>
>>>>> Jon
>>>>
>>>> --
>>>> Nick Allen <n...@nickallen.org>
>>>
>>> --
>>>
>>> Jon
>>
>> --
>> Nick Allen <n...@nickallen.org>
>
> -------------------
> Thank you,
>
> James Sirota
> PPMC- Apache Metron (Incubating)
> jsirota AT apache DOT org

--
Jon
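For readers following the "scan it from your own fork" suggestion in the thread, the following is an added example of what the Travis Coverity Scan addon configuration described above looks like in a .travis.yml. It is not taken from the thread or from the Metron project: the GitHub slug, notification address, Maven build command and scan branch name are assumed placeholders, and the encrypted token value must come from your own Scan registration (which, as the thread notes, requires contributor or maintainer status and acceptance of the Scan User Agreement).

```yaml
# Added example .travis.yml for the Coverity Scan Travis addon.
# Not from the thread or the Metron project; project slug, e-mail,
# Maven build command and branch name are assumed placeholders.
language: java
jdk:
  - openjdk8

env:
  global:
    # COVERITY_SCAN_TOKEN, encrypted with `travis encrypt` so the
    # upload token never sits in plain text in the repository.
    - secure: "<ENCRYPTED_COVERITY_SCAN_TOKEN>"

addons:
  coverity_scan:
    project:
      name: "example-org/metron-fork"          # GitHub slug registered with Scan
      description: "Build submitted via Travis CI"
    notification_email: you@example.org        # where Scan sends the results
    # The addon wraps build_command in cov-build and uploads the captured
    # intermediate directory, so give it the compile step, not the test run.
    build_command_prepend: "mvn clean"
    build_command: "mvn -DskipTests package"
    # Only pushes to this branch trigger a Scan upload; ordinary PR builds
    # stay out of the project's Scan submission quota.
    branch_pattern: coverity_scan

# Regular CI still runs the full build with tests on every branch.
script:
  - mvn -B verify
```

Keeping the token in an encrypted `secure:` variable and limiting uploads to one dedicated branch are the two settings worth checking before enabling this on a fork: the first keeps the upload credential out of pull requests from other forks (Travis does not decrypt secure variables for those), and the second keeps routine CI runs from consuming the scan quota.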