cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

CubeFS Project Security Self-Assessment - Security Pals #1171

Closed avinashnarasimhan18 closed 8 months ago

avinashnarasimhan18 commented 10 months ago

Created and added the first draft of the CubeFS Project Security Self-Assessment. Please feel free to share your feedback on the security self-assessment.

netlify[bot] commented 10 months ago

Deploy Preview for tag-security canceled.

Latest commit: 8919607c26431e20f5b22742b3b9bad5bc394c74
Latest deploy log: https://app.netlify.com/sites/tag-security/deploys/65a97ab3e145b40007b00ead

eddie-knight commented 9 months ago

Hi there, thanks for the work you did on this self-assessment!

I'm just now cracking this open for review, and the first thing I noticed is that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't valuable...

  1. SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and only known to be associated with a particular point in the code history.
  2. If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM.

I still have plenty more to review, but as a starter— could you please remove the SBOM from this PR?
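The point above (an SBOM is only meaningful when it is tied to the exact build it describes) turns into a concrete deploy-time check. The following is an added illustration, not code from the thread or from CubeFS: a Go routine that accepts a release's SBOM only if its digest matches the one published with the release and its CycloneDX metadata pins the expected component name, tag and source commit. The `build:commit` property name, the `Release` type and the embedded SBOM document are assumptions constructed for the example; CycloneDX does not standardize a commit property, so a real pipeline would use whatever its SBOM generator records.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// sbomDoc is just the slice of the CycloneDX JSON shape this check reads.
type sbomDoc struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component struct {
			Name       string `json:"name"`
			Version    string `json:"version"`
			Properties []struct {
				Name  string `json:"name"`
				Value string `json:"value"`
			} `json:"properties"`
		} `json:"component"`
	} `json:"metadata"`
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}

// Release is what the deployer already trusts: the component being deployed,
// the tag, the commit it was cut from, and the sha256 of the SBOM file that
// was published beside the release artifacts.
type Release struct {
	Name, Tag, Commit, SBOMSHA256 string
}

// CommitProperty is the metadata property under which the build pipeline is
// assumed to record the source commit (an assumption for this example, not a
// CycloneDX-defined field).
const CommitProperty = "build:commit"

// Digest returns the lowercase hex sha256 of raw, the form usually found in
// a release's checksums file.
func Digest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// VerifySBOM returns nil only if raw is byte-for-byte the SBOM published for
// rel and its metadata ties it to rel's component, tag and commit. An SBOM
// regenerated later from some other checkout fails here even if it parses.
func VerifySBOM(raw []byte, rel Release) error {
	if Digest(raw) != rel.SBOMSHA256 {
		return fmt.Errorf("sbom digest mismatch: want %s, got %s", rel.SBOMSHA256, Digest(raw))
	}
	var doc sbomDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("sbom is not valid JSON: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return fmt.Errorf("unexpected bomFormat %q", doc.BOMFormat)
	}
	c := doc.Metadata.Component
	if c.Name != rel.Name || c.Version != rel.Tag {
		return fmt.Errorf("sbom describes %s@%s, release is %s@%s", c.Name, c.Version, rel.Name, rel.Tag)
	}
	commit := ""
	for _, p := range c.Properties {
		if p.Name == CommitProperty {
			commit = p.Value
		}
	}
	if commit == "" {
		return fmt.Errorf("sbom carries no %s property, so it cannot be tied to a point in history", CommitProperty)
	}
	if commit != rel.Commit {
		return fmt.Errorf("sbom was built from %s, release is %s", commit, rel.Commit)
	}
	if len(doc.Components) == 0 {
		return fmt.Errorf("sbom lists no components")
	}
	return nil
}

// SampleSBOM is a constructed, minimal CycloneDX document standing in for a
// build-time SBOM; the project name, versions and commit are illustrative.
var SampleSBOM = []byte(`{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {
      "name": "example-project",
      "version": "v1.2.3",
      "properties": [{"name": "build:commit", "value": "0123456789abcdef0123456789abcdef01234567"}]
    }
  },
  "components": [{"name": "example-dep", "version": "2.0.0"}]
}`)

func main() {
	rel := Release{Name: "example-project", Tag: "v1.2.3",
		Commit: "0123456789abcdef0123456789abcdef01234567", SBOMSHA256: Digest(SampleSBOM)}
	fmt.Println("release SBOM:", VerifySBOM(SampleSBOM, rel))
	// The same document checked against a different commit is a stale SBOM
	// and must be rejected even though it parses cleanly.
	rel.Commit = "fedcba9876543210fedcba9876543210fedcba98"
	fmt.Println("stale SBOM:", VerifySBOM(SampleSBOM, rel))
}
```

The digest comparison is what makes the check worth running: the metadata fields only say what the SBOM claims about itself, while the published checksum (or, better, a signature over the SBOM) is what binds the document to the release artifacts a reviewer actually downloads.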

avinashnarasimhan18 commented 9 months ago

@eddie-knight Thank you for starting the review on the self-assessment and giving us some initial comments.

CubeFS has not made the SBOM publicly available, so our team generated one using the FOSSA CLI. Would you prefer we keep the SBOM or remove it and mention that it is not publicly available? Please let us know.

avinashnarasimhan18 commented 9 months ago

@ragashreeshekar We have started working on your review comments. Please let us know if there are any other changes to be made. We will change accordingly and push all of them in one commit.

ragashreeshekar commented 9 months ago

Thanks for the PR @avinashnarasimhan18 and team, appreciate the efforts. I have completed first pass of review. Please feel free to reach out here or on slack for any questions and clarifications. Along with addressing the comments, kindly update the PR branch with the latest content in the repo as this branch is out-of-date with the base branch.

avinashnarasimhan18 commented 9 months ago

Thank you @ragashreeshekar. We will start working on your comments right away and update once it's done. We will ensure the branch is updated as well.

avinashnarasimhan18 commented 9 months ago

@ragashreeshekar, my team and I have addressed your and Eddie's review comments. Please take a look and let us know if there are any other changes you would like us to make.

ragashreeshekar commented 9 months ago

Thank you for the updates. Looks good to me. Tagging @eddie-knight for your review, and @JustinCappos both for your opinion on including maintainers for their ack and review of this work, followed by chair review (as applicable) and merging them to the repo.