Open nate-double-u opened 8 months ago
Hello @matzew @aslom @lkingland mentors i am Harshal Rembhotkar , 4th semester Engineering(Automobile) student, i excited to join your organization ,my tech stacks are Java , html, css ,version control system, springboot framework ,mysql DB and technologies that i learned are like docker ,kubernetes and i also i have little idea about other Devops tools. i am selected CNCF organization for GSOC '24. Thanks !!
hi @nate-double-u , I am intersted in working on this issue, I am new to fuzzing and related concepts and started doing some research around the same, I have some questions, Are there any guides or documents I should read? Can you recommend any resources to help me understand the project better?
@nate-double-u I just went over some basic of fuzz and oss fuzz working, do we need to write fuzz functions ourself for all the cncf projects and there entry points or is there any other way, let me know I am looking to try this on a project.
Hey @nate-double-u, I have submitted a proposal (file name ROOTXRISHABH-CNCF GOOST.pdf).
My understanding of the project is as follows -
I see a lot of discussion around the scope of the project. This is my view on the scoped items. OSSF scorecard -
OSS-Fuzz -
Security, signing, provenance -
I am very eager to know your opinion on the above to proceed with the proposal. Thanks : )
Answering some questions here:
Are there any guides or documents I should read?
The following might be helpful:
Can you recommend any resources to help me understand the project better?
I recommend reviewing the documentation at https://securityscorecards.dev/ and https://github.com/ossf/scorecard/blob/main/docs/checks.md
I am very eager to know your opinion on the above to proceed with the proposal.
I think this is an excellent interpretation of the intended scope & scale of the project, nice job!
@di I am glad you liked it!
Also, please find my proposal, provide any feedback that you might have? We still have some time left on the deadline, I can still make any changes that might be needed.
If the proposal is not accessible. I can DM it to you and Nate.
Thank you for the resources : )
Hi @di @nate-double-u , I am very interested at this project and just submitted my proposal. As someone deeply immersed in the world of cloud-native computing and security, I bring to the table significant experience in both Go programming and microservice. I look forward to hearing your thoughts and feedback.
Hello @nate-double-u @di. I am a master's student in computer science, majoring in cybersecurity. I am very interested in this project! I think this project aligns closely with my research focus. I believe my experience in cloud-native security and fuzzing will be helpful for this project. Also, I am eager to apply the state-of-the-art tools developed in previous academic projects I paticipated to this project to help enhance security across the CNCF ecosystem. I have detailed these experiences and my plan in the proposal I submitted. Looking forward to hearing your feedback.
Hi @di Thanks for sharing the links! They are helpful
Hi, everyone. Thank you all for your interest in this project. I want to introduce @harshitasao. She was accepted to GSoC 2024 and will work with us on this collaboration. We'll use this issue as the primary public communication spot for our progress on this project.
Hello @nate-double-u @di. i'm new graduated student now working in a non-profit organization. my title is Wireless cloud platform R&D engineer. i use kubernetes, ansible, golang such tools to solve my work problems. and recently i am researching about security cloud plantform, like using virtural container, such as kata container, gvisor. and using harbor to analysize image SBOM and some other tools to making Vulnerability Scan.
This is first time i'm trying to join the project and, i might have a lot of things to learn. my free time will be at weekends.
Hi @mumong, thanks so much for your interest in the project. This is specifically a Google Summer of Code project, but you bring up a good question, and that is how do we want to continue this work after the term ends in a couple weeks.
Most of our project discussion is happening over on the #cncf-gosst-gsoc-2024-collab slack channel. (*Note to folks looking to apply to GSoC, this is not the channel to discuss that process -- it's a channel to specifically discuss the improvements this project is trying to make).
Description
This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.
Expected Outcomes
Recommended Skills
Expected project size
large (~350 hour projects)
Mentors