Attendees:
- Thea Aldritch
- Robert Boule
- Mark Carter
- Andrew Cathrow
- Evan Cordell
- Wendy Dembowski
- Stephen Eliot
- Connor Gilbert
- Jianing Guo
- Toli Kuznets
- David Lawrence
- Sheryl Sage
- Bill Schineller
- James Sulinski
Documents:
- Slides: https://docs.google.com/presentation/d/1OH2O6sohXM5be7hkFNgRCHWVwrQof-CB2rqy1mjMuQk/edit?usp=sharing
- Strawman Design: https://drive.google.com/open?id=1m7i9CtQ-Cgx8j4tdtzwC-q2hX5z-bu1vQxgovc3f3eU
Notes:
- Discussion on the idea of a policy engine that will interpret scan reports and decide whether an image can be deployed or not.
- Should scanners know anything about policies?
- Majority consensus “no.” Keep scan and deployment logic separate.
- Forum thread to gather and discuss use cases, help direct what information needs to be in scan reports to help user makes deployment decisions.
- As we progress, there may come a point it makes sense to team up with SIG Orchestration in this area.
- Should scanners know anything about policies?
- Discussion on strawman design proposal:
- Clarification that “vulns” section would be a field present on every “component” in the BOM.
- N.B. some scan types, i.e. license scanning, may not include a “vulns” section so it is optional.
- Suggestions to include CPE (Common Platform Enumeration) values for each component.
- Suggestion to include a namespace/platform identifier from which the package was sourced, i.e. “debian”, “npm”, “pypi”, etc…
- Where appropriate, include the source package info, as a source package may be built in to many different binary packages.
- Consensus that vulns should be identified by a 1-10 scoring system.
- Services left to implement their own consistent scoring system.
- Policy Engine would need to understand scoring system being used for each report.
- When CVSS values used as score, must be clear whether it’s v2 or v3. How should that data be included in the vuln info?
- Add “remediation” section to each vuln.
- Add “url” field to vulns to point users to further detailed information.
- Where vulns are not CVEs, should we use CWEs (Common Weakness Enumeration) to catagorize vulns?
- The “notes” field on vulns should be a general string->string map in which any additional info can be included.
- Clarification that “vulns” section would be a field present on every “component” in the BOM.
- Discussion on how docker can make it easier to access docker images
- Docker will assess security of exposing containerd image storage to a container for more efficient direct access to images.
- Solution also removes need for a scanning service to have access to the image registry.
- Docker will assess security of exposing containerd image storage to a container for more efficient direct access to images.
Action Items:
- David L to put together v2 reporting format proposal based on feedback.
- All to review once available
- Next meeting scheduled for 8am PST July 10th.