cncf / mentoring

👩🏿‍🎓👨🏽‍🎓👩🏻‍🎓 CNCF Mentoring: LFX Mentorship + Summer of Code
https://mentoring.cncf.io
Apache License 2.0

CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem #1196

Open nate-double-u opened 8 months ago

nate-double-u commented 8 months ago

Description

This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is on identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.

Expected Outcomes

Recommended Skills

Expected project size

large (~350 hour projects)

Mentors

harshal-rembhotkar commented 8 months ago

Hello @matzew @aslom @lkingland mentors, I am Harshal Rembhotkar, a 4th semester Engineering (Automobile) student. I am excited to join your organization. My tech stacks are Java, HTML, CSS, version control systems, the Spring Boot framework and MySQL DB, and the technologies I have learned include Docker and Kubernetes; I also have a little idea about other DevOps tools. I have selected the CNCF organization for GSoC '24. Thanks!!

AmanSarraf commented 8 months ago

Hi @nate-double-u, I am interested in working on this issue. I am new to fuzzing and related concepts and have started doing some research around the same. I have some questions: Are there any guides or documents I should read? Can you recommend any resources to help me understand the project better?

AmanSarraf commented 8 months ago

@nate-double-u I just went over some basics of fuzzing and how OSS-Fuzz works. Do we need to write fuzz functions ourselves for all the CNCF projects and their entry points, or is there another way? Let me know, I am looking to try this on a project.

rootxrishabh commented 8 months ago

Hey @nate-double-u, I have submitted a proposal (file name ROOTXRISHABH-CNCF GOOST.pdf).

My understanding of the project is as follows -

I see a lot of discussion around the scope of the project. This is my view on the scoped items. OSSF scorecard -

  1. The scorecard can be created by the mentee for incubating and graduated projects.
  2. A lot of projects have OSSF scorecards but they don't have good scores. What we can do is to create a central issue addressing issues and remediation at a single source of truth and make that issue an action item in community meetings, tackling sub-items one by one.
  3. The mentee can also help with improving scores of certain sub-items taking help from the community as well. Also, guiding anyone interested in contributing.

OSS-Fuzz -

  1. Handling fuzz testing for each project would be out of the scope for the mentee.
  2. Fuzz testing itself is a mentorship project in many organizations. Examples - LitmusChaos
  3. I think what the mentee should do is open issues about fuzzing to make the projects aware about the process and tools required and help them out in creating the process.
  4. For example, Input would be handled by oss-fuzz. Generating the input set would be handled by the project members.
  5. Output behaviour testing could be done for example by pprof.
  6. Identify the components that would be fuzzed and document the process afterwards.

Security, signing, provenance -

  1. This step mostly works with GitHub workflows and software artifacts.
  2. Notary and cosign facilitate the signing of images as well as images with artifacts.
  3. Automating builds would be handled by GitHub workflows.
  4. Security of dependencies would be facilitated by integrating Snyk or Kubescape in the workflow.
  5. Overall, the steps above would involve creating issues and igniting discussions on the Slack channels.

I am very eager to know your opinion on the above to proceed with the proposal. Thanks : )
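A small triage helper in the spirit of point 2 under "OSSF scorecard" above, added here as an example; it is not code from this thread or from the Scorecard project. It assumes the `checks` array shape (`name`, `score`, `reason`) of `scorecard --format json` output and runs on a constructed sample result, turning the low-scoring checks into the kind of single tracking issue the comment describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Check is one entry of the "checks" array in `scorecard --format json` (assumed shape).
type Check struct {
	Name   string `json:"name"`
	Score  int    `json:"score"` // 0-10, or -1 when the check could not run
	Reason string `json:"reason"`
}

// Triage returns checks scoring below threshold, worst first; inconclusive (-1) checks are kept for human review.
func Triage(raw []byte, threshold int) ([]Check, error) {
	var r struct{ Checks []Check `json:"checks"` }
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var low []Check
	for _, c := range r.Checks {
		if c.Score < threshold {
			low = append(low, c)
		}
	}
	sort.SliceStable(low, func(i, j int) bool { return low[i].Score < low[j].Score })
	return low, nil
}

// Checklist renders findings as a Markdown task list for one central tracking issue.
func Checklist(repo string, low []Check) string {
	out := fmt.Sprintf("## Scorecard remediation for %s\n", repo)
	for _, c := range low {
		out += fmt.Sprintf("- [ ] %s (score %d): %s\n", c.Name, c.Score, c.Reason)
	}
	return out
}

// Constructed sample: check names are real Scorecard checks, scores and reasons are made up.
const sample = `{"score":6.1,"checks":[
 {"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo"},
 {"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected"},
 {"name":"Signed-Releases","score":-1,"reason":"no releases found"}]}`

func main() {
	low, _ := Triage([]byte(sample), 7) // sample is well-formed, so the error is ignored
	fmt.Print(Checklist("example/project", low))
}
```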

di commented 8 months ago

Answering some questions here:

Are there any guides or documents I should read?

The following might be helpful:

Can you recommend any resources to help me understand the project better?

I recommend reviewing the documentation at https://securityscorecards.dev/ and https://github.com/ossf/scorecard/blob/main/docs/checks.md

I am very eager to know your opinion on the above to proceed with the proposal.

I think this is an excellent interpretation of the intended scope & scale of the project, nice job!

rootxrishabh commented 8 months ago

@di I am glad you liked it!

Also, please find my proposal and provide any feedback that you might have. We still have some time left before the deadline, so I can still make any changes that might be needed.

If the proposal is not accessible, I can DM it to you and Nate.

Thank you for the resources : )

Stan370 commented 8 months ago

Hi @di @nate-double-u, I am very interested in this project and just submitted my proposal. As someone deeply immersed in the world of cloud-native computing and security, I bring to the table significant experience in both Go programming and microservices. I look forward to hearing your thoughts and feedback.

kaaass commented 8 months ago

Hello @nate-double-u @di. I am a master's student in computer science, majoring in cybersecurity. I am very interested in this project! I think this project aligns closely with my research focus. I believe my experience in cloud-native security and fuzzing will be helpful for this project. Also, I am eager to apply the state-of-the-art tools developed in previous academic projects I participated in to this project to help enhance security across the CNCF ecosystem. I have detailed these experiences and my plan in the proposal I submitted. Looking forward to hearing your feedback.

satyampsoni commented 8 months ago

Hi @di Thanks for sharing the links! They are helpful

nate-double-u commented 6 months ago

Hi, everyone. Thank you all for your interest in this project. I want to introduce @harshitasao. She was accepted to GSoC 2024 and will work with us on this collaboration. We'll use this issue as the primary public communication spot for our progress on this project.

mumong commented 3 months ago

Hello @nate-double-u @di. I'm a newly graduated student now working in a non-profit organization. My title is Wireless Cloud Platform R&D Engineer. I use Kubernetes, Ansible, Golang and similar tools to solve my work problems, and recently I have been researching secure cloud platforms, like using virtual containers such as Kata Containers and gVisor, and using Harbor to analyze image SBOMs and some other tools for vulnerability scanning.

This is the first time I'm trying to join the project, and I might have a lot of things to learn. My free time will be at weekends.

nate-double-u commented 3 months ago

Hi @mumong, thanks so much for your interest in the project. This is specifically a Google Summer of Code project, but you bring up a good question, and that is how do we want to continue this work after the term ends in a couple weeks.

Most of our project discussion is happening over on the #cncf-gosst-gsoc-2024-collab slack channel. (*Note to folks looking to apply to GSoC, this is not the channel to discuss that process -- it's a channel to specifically discuss the improvements this project is trying to make).