Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Volcano Project Security Self-Assessment - Security Pals #1184

Closed
wants to merge 67 commits into from
Closed

Volcano Project Security Self-Assessment - Security Pals #1184

wants to merge 67 commits into from

Conversation

mayank-ramnani
Copy link
Contributor

Created and added first draft of the Volcano Project Security Self-Assessment.
Please feel free to share any thoughts on the self-assessment.

mayank-ramnani and others added 27 commits November 23, 2023 13:56
@mayank-ramnani
Volcano: First commit for self-assessment
00450c3
@mayank-ramnani
Volcano: Fix self-assessment template
2fb69be
@mayank-ramnani
add-sbom-and-update-metadata-in-self-assessment
ee40543
@mayank-ramnani
fix formatting for security links
c42a118
@mayank-ramnani
fix formatting for security links 2
2832140
@mayank-ramnani
fix formatting
c5a6ca9
@mayank-ramnani
commit self assessment draft 1
b6f73ac
@mayank-ramnani
remove redundant text
83cbfc2
@mayank-ramnani
Update README.md
38c504f 
Signed-off-by: Mayank R <[email protected]>
@mayank-ramnani
improve self assessment draft
9e0d807
@mayank-ramnani
Merge branch 'main' of github.com:mayank-ramnani/tag-security
4288b1d
@mayank-ramnani
add some case studies
d835436
@mayank-ramnani
add lightweight threat modelling, add temporary action items at the e…
aed3687 
…nd, other improvements
@mayank-ramnani
fix typo
39e589e
@mayank-ramnani
fix typo
72ba469
@fgd238
markdown list
b049b27 
Signed-off-by: Francis Delamerced <[email protected]>
@fgd238
non-goals small addition
72e91a6 
Signed-off-by: Francis Delamerced <[email protected]>
@fgd238
CLII/OpenSSF discussion
aedc8dd 
Signed-off-by: Francis Delamerced <[email protected]>
@mayank-ramnani
minor improvements
16b1da4
@mayank-ramnani
add authors
d359ff7
@mayank-ramnani
Merge pull request #1 from fgd238/patch-1
014ed44 
markdown list
@mayank-ramnani
Merge pull request #2 from fgd238/patch-2
ff897f9 
non-goals small addition
@mayank-ramnani
Merge pull request #3 from fgd238/patch-3
78910ef 
CLII/OpenSSF discussion
@mayank-ramnani
improve appendix
57140c6
@mayank-ramnani
improve action items
a4ce16c
@mayank-ramnani
improve heading
112436d
@mayank-ramnani
Merge branch 'cncf:main' into main
580432e
@eddie-knight
Copy link
Collaborator

Hi there! I'm just getting started looking at your pull request, and I noticed the DCO check is failing.

You can look at the checks section of the PR (I believe it should always be below the last comment) and look for a red X highlighting the failed check. In this case, you can click Details for more information about how to get that check passing.
Screenshot 2023-12-08 at 8 35 18 AM

@eddie-knight
Copy link
Collaborator

I noticed that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't needed...

SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and associated to a particular point in the code history.
If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM.
We still have plenty more to review, but as a starter— could you please remove the SBOM from this PR?

@ragashreeshekar
Copy link
Contributor

I noticed that you included an Open and Secure book along with the self assessment. This is already part of the repository and isn't necessary to include in the self assessment.

To keep the PR/Repo up to date, light and avoid duplication, I would suggest updating the branch by pulling the latest state of the repo for this PR and removing the book.

@mayank-ramnani
Copy link
Contributor Author

Hi there! I'm just getting started looking at your pull request, and I noticed the DCO check is failing.

You can look at the checks section of the PR (I believe it should always be below the last comment) and look for a red X highlighting the failed check. In this case, you can click Details for more information about how to get that check passing. Screenshot 2023-12-08 at 8 35 18 AM

Hi Eddie! Thank you for working on reviewing the PR. We appreciate your feedback and are looking to improve it and learn in the process as much as possible.
Regarding the DCO point, I had already tried following the steps to sign-off all the commits, and it worked. But it had the side effect of having 2 copies of each commit, one with the sign-off and one without.
I am trying to figure out how we can fix that and remove the commits which don't have the signoff.

@mayank-ramnani
Copy link
Contributor Author

I noticed that you included an Open and Secure book along with the self assessment. This is already part of the repository and isn't necessary to include in the self assessment.

To keep the PR/Repo up to date, light and avoid duplication, I would suggest updating the branch by pulling the latest state of the repo for this PR and removing the book.

Hi Ragashree! Thank you for working on reviewing the PR, we appreciate all the feedback!
I agree with your point, we should keep the PR as light as possible. That book had been added as a mistake, I've removed it now in the latest commit.

@mayank-ramnani
remove sbom
dc515a2 
Signed-off-by: mayank-ramnani <[email protected]>
@mayank-ramnani
Copy link
Contributor Author

I noticed that you included an SBOM along with the self assessment. There are two reasons that jump to the front of my mind for why this isn't needed...

SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and associated to a particular point in the code history. If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM. We still have plenty more to review, but as a starter— could you please remove the SBOM from this PR?

I agree with your point that an SBOM should be associated with a release, however Volcano does not contain a proper SBOM in its build artifacts. It contains go.mod and go.sum files in its releases but from my understanding, they are insufficient as an SBOM on their own. That is the reason I had initially generated one manually using the Github tool.

I've removed the SBOM from this PR currently.

I had generated it from the latest code at that point, would you recommend it be regenerated by going back to the tag of the last release and then we mention the release version in the self-asssessment document?

@mayank-ramnani mayank-ramnani reopened this Dec 9, 2023
ragashreeshekar
ragashreeshekar suggested changes Dec 9, 2023
View reviewed changes
Copy link
Contributor

@ragashreeshekar ragashreeshekar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @mayank-ramnani and team, appreciate the efforts.
I have completed first pass of review. Please feel free to reach out here or on slack for any questions and clarifications.

Along with addressing the comments, kindly update the PR branch with the latest content in the repo as this branch is out-of-date with the base branch.

assessments/projects/volcano/self-assessment.md Outdated Show resolved Hide resolved
assessments/projects/volcano/self-assessment.md Outdated Show resolved Hide resolved
assessments/projects/volcano/self-assessment.md Show resolved Hide resolved
assessments/projects/volcano/self-assessment.md Outdated Show resolved Hide resolved
@mayank-nyu mayank-nyu mentioned this pull request Dec 11, 2023
Merged
@mayank-ramnani
Copy link
Contributor Author

Closing this PR due to Git merging and DCO issues.
Tracked in new PR: #1205

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rana-KV Rana-KV Rana-KV left review comments

@ragashreeshekar ragashreeshekar ragashreeshekar requested changes

@PushkarJ PushkarJ Awaiting requested review from PushkarJ

@TheFoxAtWork TheFoxAtWork Awaiting requested review from TheFoxAtWork

@anvega anvega Awaiting requested review from anvega

@JustinCappos JustinCappos Awaiting requested review from JustinCappos

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@mayank-ramnani @eddie-knight @ragashreeshekar @Rana-KV @fgd238 @anvega @PushkarJ