cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

Antrea Project Security Self-Assessment - Security Pals #1190

Closed molofgarb closed 5 months ago

molofgarb commented 6 months ago

Created and added first draft for Antrea Project Security Self-Assessment.

We are still finalizing the implementation of feedback from the Antrea maintainers for a couple of sub-sections. The PR will be updated by force-pushes as we finish our revisions.

Please feel free to share your feedback on the security self-assessment!

netlify[bot] commented 6 months ago

Deploy Preview for tag-security canceled.

Latest commit: ca240f883c8e7fd3098dc5b154c997d382c88cac
Latest deploy log: https://app.netlify.com/sites/tag-security/deploys/65a7fe5dc5b1c70009d61199

eddie-knight commented 6 months ago

Hi there, and thanks for your work on this self assessment!

I noticed that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't needed...

  1. SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and associated to a particular point in the code history.
  2. If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM.

We still have plenty more to review, but as a starter— could you please remove the SBOM from this PR?

molofgarb commented 6 months ago

Hi Eddie, thank you for your feedback! We initially included the SBOM because a section for the SBOM is present in the self-assessment template. Your points are right though and we have removed the SBOM and its section in the self-assessment from our latest force push.

antoninbas commented 6 months ago

I'm an Antrea maintainer and I just wanted to say thank you for taking the time to work on that!

molofgarb commented 6 months ago

In our previous push, we added a table to the "Related Projects and Vendors" section to briefly compare CNI projects.

molofgarb commented 6 months ago

Thank you for your feedback @ragashreeshekar! We will work on adding your suggested changes and let you know once we have resolved them.

molofgarb commented 5 months ago

Hi @torinvdb, thank you for your suggestions! We have added your changes to our most recent push.