Apologies for the delayed notes; I was out of action for much of the last week. Discourse still considers me a “new” user and will only let me include 2 links in a post, hence why the GH repos below aren’t linked.
The recording can be found here: https://docker.zoom.us/recording/play/3aC96B5qJ5Jq35m_lIT00GRxUjimCKrifLGxF4mFyv9nkRcmpIu0Dy3KRevK9pRb (meeting starts at about 14:30, I’ll use the manual recording feature next time to capture the right time slice)
- William Cox talked on CVEs and CVSS scoring. Some key points:
  - CVSSv3 scores attempt to incorporate more logic around how one can take advantage of a CVE and/or chain multiple CVEs together.
  - CVSS scores change over the lifetime of a CVE.
  - Some vendors provide their own scores which take into account the context of their platform.
  - The process of issuing a CVE can lack transparency for the reporter. DWF (GitHub: distributedweaknessfiling/) is a project aiming to automate and increase transparency of reporting CVEs.
- Liz Rice presented Manifesto (GitHub: aquasecurity/manifesto), a tool for storing image metadata in the registry beside images.
  - Basic functionality in place to set and get data.
  - Uses a single special tag within the image repository to hold a mapping of all other tags to their metadata.
Next meeting scheduled for August 21.
Subsequent meeting after that will be at Moby Summit on September 14th in LA (https://www.eventbrite.com/e/moby-summit-los-angeles-tickets-35930560273). I’m currently uncertain whether we will have access to video conferencing or sufficiently clear wifi.