2017-06-19 Meeting Notes


#1

Attendees:

  • Thea Aldritch
  • Robert Boule
  • Mark Carter
  • Andrew Cathrow
  • Evan Cordell
  • Wendy Dembowski
  • Stephen Eliot
  • Connor Gilbert
  • Jianing Guo
  • Toli Kuznets
  • David Lawrence
  • Sheryl Sage
  • Bill Schineller
  • James Sulinski

Documents:

Notes:

  • Discussion on the idea of a policy engine that will interpret scan reports and decide whether an image can be deployed or not.
    • Should scanners know anything about policies?
      • Majority consensus “no.” Keep scan and deployment logic separate.
    • Forum thread to gather and discuss use cases, help direct what information needs to be in scan reports to help user makes deployment decisions.
    • As we progress, there may come a point it makes sense to team up with SIG Orchestration in this area.
  • Discussion on strawman design proposal:
    • Clarification that “vulns” section would be a field present on every “component” in the BOM.
      • N.B. some scan types, i.e. license scanning, may not include a “vulns” section so it is optional.
    • Suggestions to include CPE (Common Platform Enumeration) values for each component.
    • Suggestion to include a namespace/platform identifier from which the package was sourced, i.e. “debian”, “npm”, “pypi”, etc…
    • Where appropriate, include the source package info, as a source package may be built in to many different binary packages.
    • Consensus that vulns should be identified by a 1-10 scoring system.
      • Services left to implement their own consistent scoring system.
      • Policy Engine would need to understand scoring system being used for each report.
      • When CVSS values used as score, must be clear whether it’s v2 or v3. How should that data be included in the vuln info?
    • Add “remediation” section to each vuln.
    • Add “url” field to vulns to point users to further detailed information.
    • Where vulns are not CVEs, should we use CWEs (Common Weakness Enumeration) to catagorize vulns?
    • The “notes” field on vulns should be a general string->string map in which any additional info can be included.
  • Discussion on how docker can make it easier to access docker images
    • Docker will assess security of exposing containerd image storage to a container for more efficient direct access to images.
      • Solution also removes need for a scanning service to have access to the image registry.

Action Items:

  • David L to put together v2 reporting format proposal based on feedback.
    • All to review once available
  • Next meeting scheduled for 8am PST July 10th.