[ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

Michael O'Brien <frank.obrien@...>
 

Catherine,
The situation on the ground is more fluid - we may get someone to fix a CLM issue for a couple of hours - then they get assigned to other work. All of us are security experts at some point. A developer may take the initiative.
Some workarounds:
Move the read/write part of the wiki where any contributor can edit what is being worked on.
We can follow the rest of the security issues identified keeping us from violating our license.
Bottom line is that running this commercial software does not mix well with open source development - I recommend we use something less restrictive.
/michael

-----Original Message-----
From: Lefevre, Catherine via RT <onap-helpdesk@...>
Sent: Wednesday, October 10, 2018 7:04 AM
To: Michael O'Brien <Frank.Obrien@...>
Cc: onap-discuss@...; onap-tsc@...; Prudence Au <Prudence.Au@...>
Subject: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

Good morning Michael, Manoop,

As previously discussed, we are not authorized to copy/paste the complete CLM report to the ONAP wiki.

What you can or can't do has been previously documented here:
https://wiki.onap.org/display/DW/TSC+2018-09-13?preview=/41420751/41422209/ONAP%20CLM%20License%20Version3.pdf

Nevertheless, if you have identified your security expert(s), then I believe we might be able to swap them with 1-2 of your committers.
Feel free to reach Gildas to explore this possibility with the Linux Foundation.

Best regards
Catherine

From: onap-tsc@... [mailto:onap-tsc@...] On Behalf Of TALASILA, MANOOP
Sent: Tuesday, October 09, 2018 6:22 PM
To: onap-tsc@...; onap-discuss@...; OBRIEN, FRANK MICHAEL <frank.obrien@...>; helpdesk@...
Cc: AU, PRUDENCE <prudence.au@...>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

+1
The Portal team is also in a similar situation. The two security experts in our team are not PTLs or committers, so they cannot access the CLM reports, leading to delay in analyzing the impact and action on the identified vulnerabilities.

Please see if you can relax the access, or at least provide access to the requested team members (in our case we need access for these IDs: “fmir@...” and “arundpil@...”).

Manoop

From: <onap-tsc@...> on behalf of Michael O'Brien <frank.obrien@...>
Reply-To: "onap-tsc@..." <onap-tsc@...>
Date: Tuesday, October 9, 2018 at 11:48 AM
To: "onap-discuss@..." <onap-discuss@...>, Michael O'Brien <Frank.Obrien@...>, "onap-tsc@..." <onap-tsc@...>, "helpdesk@..." <helpdesk@...>
Cc: Prudence Au <Prudence.Au@...>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

Hi, I was wondering if we can get the security rules relaxed – currently I would need to copy/paste wiki content for other members of the team doing the CLM work.
Thank you
/michael

From: onap-discuss@... <onap-discuss@...> On Behalf Of Michael O'Brien
Sent: Friday, October 5, 2018 10:14 AM
To: onap-discuss@...; onap-tsc@...; helpdesk@...
Cc: Prudence Au <Prudence.Au@...>
Subject: [onap-discuss] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

Team,
Hi, I have a request on behalf of my team and likely others.
The CLM security pages are locked down too tightly – I would like other members of the team – in particular Prudence Au (my co-PTL along with Luke Parker) – to be able to view and edit pages in the wiki space:

https://wiki.onap.org/display/SV/Security+Vulnerabilities+Home
https://wiki.onap.org/pages/viewpage.action?pageId=43385152

The issue that we did not foresee – distribution of CLM work among the team.
Also, when a PTL is out for a 1-day vacation – the delegate PTL does not have access to the site.

If the SV space is locked down, then the bottleneck is the PTL. In my case Prudence is a go-getter and would like to fix the remaining vulnerabilities; in our case we inherited several from another project we have a dependency on – they already marked that vulnerability as a red herring and have a pom override – but without myself acting as the wiki conduit this work is slowed down, with some re-inventing of the wheel occurring.

Can we make the site read-only at least for any of the following:
- Committers of a project
- Ideally any committer of a project can see the pages of the other project – so one fix can be distributed among several

Thank you

/michael


“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.


Michael O'Brien <frank.obrien@...>
 

Issue closed for myself - keep as-is for the wiki security lockdown

Had a discussion with Roger just now that jogged my brain (I jogged in the forest a couple days ago) - and I completely forgot about zero-day exploits and the effect that exposing any vulnerability will play in the future - I recommend we continue to keep our vulnerabilities under wraps - (as per chained-multi-level exploit use-case https://en.wikipedia.org/wiki/Stuxnet level protection)

I also subscribe to the ACL/SecurityGroup model for AWS and Azure where we should assume a rogue pod gets in and should be defined by specific access/port/network rules for comms between microservices.

Therefore the discussion on threat access in the wiki and the tool to generate them are 2 separate issues - and we keep access to our reports locked down.

On the side - if there was a way we could run the magic word "run-sonar" on developer unmerged reviews (without having to merge the code) - this would be good - as we are going through multiple cycles of test/merge where the CLM numbers go up/down as we progress.

Thank you
/michael

-----Original Message-----
From: @djtimoney via RT <onap-helpdesk@...>
Sent: Wednesday, October 10, 2018 10:41 AM
To: Michael O'Brien <Frank.Obrien@...>
Cc: onap-discuss@...; onap-tsc@...; Prudence Au <Prudence.Au@...>
Subject: Re: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

+1 to Michael's comments ....

As I see it, there are 2 serious issues with the current IQ tool:

1) The limitations on sharing the report place a large burden on PTLs and committers, since we're the only ones with access to the source report. We can mitigate that to some extent in many cases by things like what we're doing in odlparent - namely, enforcing standard versions for third party libraries - but it would certainly be less onerous if we could just ask developers to check the report themselves to see whether these are false positives and/or if there is some workaround that they need to do in cases where a version upgrade is not an option.

2) The tool reports 2 types of security issues: public CVEs, and private "SONATYPE" issues. We're permitted to share the CVE numbers with a link to the NIST database describing the issue, but not the SONATYPE issues. The CVE issues usually are quite detailed and indicate clearly in which version the issue is resolved. The SONATYPE issues usually do not clearly specify where the issue is resolved and simply point to the project's JIRA or GitHub page, which often doesn't clearly state the release in which the fix was done. This makes it extremely difficult for us to provide guidance to developers on what exactly they need to do.

I'm afraid that I don't know of an alternative tool to suggest, but I think it would be good for a small subteam to do some research to see if we can find an alternative. I'd be happy to be part of such a team.

Dan


--
Dan Timoney
SDN-CP Development
ONAP Project Technical Lead : CCSDK and SDNC

Please go to D2 ECOMP Release Planning Wiki <https://wiki.web.att.com/display/DERP/D2+ECOMP+Release+Planning+Home> for D2 ECOMP Project In-take, 2016 Release Planning, Change Management, and find key Release Planning Contact Information.


On 10/10/18, 10:09 AM, "onap-tsc@... on behalf of OBRIEN, FRANK MICHAEL" <onap-tsc@... on behalf of frank.obrien@...> wrote:

Catherine,
The situation on the ground is more fluid - we may get someone to fix a CLM issue for a couple of hours - then they get assigned to other work. All of us are security experts at some point. A developer may take the initiative.
Some workarounds:
Move the read/write part of the wiki where any contributor can edit what is being worked on.
We can follow the rest of the security issues identified keeping us from violating our license.
Bottom line is that running this commercial software does not mix well with open source development - I recommend we use something less restrictive.
/michael
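To illustrate the distinction Dan draws between shareable public CVE findings and vendor-private findings, here is an added example (not code from this thread, nor from the CLM/IQ tool) that filters a constructed list of findings into a summary a PTL could post for developers: CVE identifiers are passed through with a link to the public NIST NVD entry, while vendor-private identifiers and all report detail text are counted but never copied. The finding record layout, the `sonatype-` identifier prefix and the sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed finding records in a simplified layout assumed for this example;
# the real CLM/IQ report layout is not shown in the thread. The CVE numbers and
# component names are made up.
CONSTRUCTED_FINDINGS = [
    {"component": "org.example:lib-a:1.2.3", "id": "CVE-2017-99991",
     "severity": 9, "detail": "Deserialization issue, fixed in 1.2.4"},
    {"component": "org.example:lib-b:2.0.0", "id": "sonatype-2018-0042",
     "severity": 7, "detail": "private research note, no fix version listed"},
    {"component": "org.example:lib-a:1.2.3", "id": "CVE-2018-99992",
     "severity": 5, "detail": "Fixed in 1.2.5"},
    {"component": "org.example:lib-c:0.9.0", "id": "sonatype-2017-0007",
     "severity": 4, "detail": "points to upstream GitHub issue"},
]

# A public CVE identifier is the only thing we pass through unchanged.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
NVD_URL = "https://nvd.nist.gov/vuln/detail/{cve}"


@dataclass(frozen=True)
class ShareableSummary:
    shareable: list             # (component, cve_id, nvd_url) tuples, safe to post
    withheld_count: int         # number of vendor-private findings not copied
    withheld_components: list   # components that carry private findings


def is_public_cve(finding_id: str) -> bool:
    """True only for a well-formed CVE identifier; anything else is treated as private."""
    return bool(CVE_RE.match(finding_id))


def build_shareable_summary(findings) -> ShareableSummary:
    """Split findings into a public summary plus a count of withheld private ones.

    Only the CVE identifier and a link to the public NVD entry are copied out.
    The tool's own 'detail' text is never included for any finding, since the
    thread states that only the CVE number plus NIST link may be shared.
    """
    shareable, withheld_components, withheld = [], [], 0
    for f in findings:
        fid = f["id"]
        if is_public_cve(fid):
            shareable.append((f["component"], fid, NVD_URL.format(cve=fid)))
        else:
            withheld += 1
            if f["component"] not in withheld_components:
                withheld_components.append(f["component"])
    return ShareableSummary(shareable, withheld, withheld_components)


def render_for_wiki(summary: ShareableSummary) -> str:
    """Plain-text block a PTL could paste for developers without copying the report."""
    lines = ["Public CVEs (see NVD for details):"]
    for component, cve, url in summary.shareable:
        lines.append(f"- {component}: {cve} {url}")
    lines.append(
        f"{summary.withheld_count} additional vendor-private finding(s) affect "
        f"{', '.join(summary.withheld_components)}; ask a PTL/committer to "
        "review these in the tool."
    )
    return "\n".join(lines)


def leaks_private_ids(text: str, findings) -> bool:
    """Pre-post check: no private identifier and no report detail text may appear."""
    for f in findings:
        if f["detail"] in text:
            return True
        if not is_public_cve(f["id"]) and f["id"] in text:
            return True
    return False


if __name__ == "__main__":
    summary = build_shareable_summary(CONSTRUCTED_FINDINGS)
    wiki_text = render_for_wiki(summary)
    print(wiki_text)
    print("leak check:", leaks_private_ids(wiki_text, CONSTRUCTED_FINDINGS))
```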

Jimmy Forsyth
 

+1 on being able to scan a commit rather than having to go through whole merge process - if that is possible, it would allow a committer to work these issues without having to wait for Non-author code reviews.

Thanks,
jimmy

On 10/10/18, 2:36 PM, "onap-tsc@... on behalf of OBRIEN, FRANK MICHAEL" <onap-tsc@... on behalf of frank.obrien@...> wrote:

On the side - if there was a way we could run the magic word "run-sonar" on developer unmerged reviews (without having to merge the code) - this would be good - as we are going through multiple cycles of test/merge where the CLM numbers go up/down as we progress.

Vitaliy Emporopulo
 

We've been successfully using SonarLint https://www.sonarlint.org/ for pre-commit static analysis. Every developer is required to run it before submitting his/her changes for review.
You can bind the local configuration to the ONAP SonarQube server to pull the analysis rules etc.

Regards,
Vitaliy

-----Original Message-----
From: onap-tsc@... <onap-tsc@...> On Behalf Of Jimmy Forsyth
Sent: Wednesday, October 10, 2018 21:56
To: onap-tsc@...; onap-helpdesk@...
Cc: onap-discuss@...; Prudence Au <Prudence.Au@...>
Subject: Re: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

+1 on being able to scan a commit rather than having to go through whole merge process - if that is possible, it would allow a committer to work these issues without having to wait for Non-author code reviews.

Thanks,
jimmy

On 10/10/18, 2:36 PM, "onap-tsc@... on behalf of OBRIEN, FRANK MICHAEL" <onap-tsc@... on behalf of frank.obrien@...> wrote:

Issue closed for myself - keep as-is for the wiki security lockdown

Had a discussion with Roger just now that jogged my brain (I jogged in the forest a couple days ago) - and I completely forgot about zero-day exploits and the effect that exposing any vulnerability will play in the future - I recommend we continue to keep our vulnerabilities under wraps - (as per chained multi-level exploit use-case https://en.wikipedia.org/wiki/Stuxnet level protection)

I also subscribe to the ACL/SecurityGroup model for AWS and Azure, where we should assume a rogue pod gets in, and comms between microservices should be defined by specific access/port/network rules.

Therefore the discussion on threat access in the wiki and the tool to generate them are 2 separate issues - and we keep access to our reports locked down.

On the side - if there was a way we could run the magic word "run-sonar" on developer unmerged reviews (without having to merge the code) - this would be good - as we are going through multiple cycles of test/merge where the CLM numbers go up/down as we progress.

Thank you

/michael



-----Original Message-----
From: @djtimoney via RT <onap-helpdesk@...>
Sent: Wednesday, October 10, 2018 10:41 AM
To: Michael O'Brien <Frank.Obrien@...>
Cc: onap-discuss@...; onap-tsc@...; Prudence Au <Prudence.Au@...>
Subject: Re: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security



+1 to Michael's comments ....

As I see it, there are 2 serious issues with the current IQ tool:

1) The limitations on sharing the report place a large burden on PTLs and committers, since we're the only ones with access to the source report. We can mitigate that to some extent in many cases by things like what we're doing in odlparent - namely, enforcing standard versions for third party libraries, but it would certainly be less onerous if we could just ask developers to check the report themselves to see whether these are false positives and/or if there is some workaround that they need to do in cases where version upgrade is not an option.

2) The tool reports 2 types of security issues: public CVEs, and private "SONATYPE" issues. We're permitted to share the CVE numbers with a link to the NIST database describing the issue, but not the SONATYPE issues. The CVE issues usually are quite detailed and indicate clearly in which version the issue is resolved. The SONATYPE issues usually do not clearly specify where the issue is resolved and simply just point to the project's JIRA or GitHub page, which often doesn't clearly state the release when the fix was done. This makes it extremely difficult for us to provide guidance to developers on what exactly they need to do.

I'm afraid that I don't know of an alternative tool to suggest, but I think it would be good for a small subteam to do some research to see if we can find an alternative. I'd be happy to be part of such a team.

Dan

--
Dan Timoney
SDN-CP Development
ONAP Project Technical Lead : CCSDK and SDNC

Please go to D2 ECOMP Release Planning Wiki <https://wiki.web.att.com/display/DERP/D2+ECOMP+Release+Planning+Home> for D2 ECOMP Project In-take, 2016 Release Planning, Change Management, and find key Release Planning Contact Information.





On 10/10/18, 10:09 AM, "onap-tsc@... on behalf of OBRIEN, FRANK MICHAEL" <onap-tsc@... on behalf of frank.obrien@...> wrote:

Catherine,

The situation on the ground is more fluid - we may get someone to fix a CLM issue for a couple hours - then they get assigned to other work. All of us are security experts at some point. A developer may take the initiative.

Some workarounds:

Move the read/write part of the wiki where any contributor can edit what is being worked on.

We can follow the rest of the security issues identified keeping us from violating our license.

Bottom line is that running this commercial software does not mix well with open source development - I recommend we use something less restrictive.

/michael



-----Original Message-----
From: Lefevre, Catherine via RT <onap-helpdesk@...>
Sent: Wednesday, October 10, 2018 7:04 AM
To: Michael O'Brien <Frank.Obrien@...>
Cc: onap-discuss@...; onap-tsc@...; Prudence Au <Prudence.Au@...>
Subject: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security

Good morning Michael, Manoop,

As previously discussed, we are not authorized to copy/paste the complete CLM report to the ONAP wiki.

What you can or can't do - has been previously documented here:
https://wiki.onap.org/display/DW/TSC+2018-09-13?preview=/41420751/41422209/ONAP%20CLM%20License%20Version3.pdf

Nevertheless if you have identified your security expert(s) then I believe we might be able to swap them with 1-2 of your committers.
Feel free to reach Gildas to explore this possibility with the Linux Foundation.

Best regards
Catherine

From: onap-tsc@... [mailto:onap-tsc@...] On Behalf Of TALASILA, MANOOP
Sent: Tuesday, October 09, 2018 6:22 PM
To: onap-tsc@...; onap-discuss@...; OBRIEN, FRANK MICHAEL <frank.obrien@...>; helpdesk@...
Cc: AU, PRUDENCE <prudence.au@...>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security


+1

The Portal team is also in a similar situation. The two security experts in our team are not PTL or committers, so they cannot access the CLM reports, leading to delay in analyzing the impact and action on the identified vulnerabilities.

Please see if you can relax the access or at least provide access to requested team members (in our case we need access for these IDs - "fmir@..." and "arundpil@...").

Manoop







From: <onap-tsc@...> on behalf of Michael O'Brien <frank.obrien@...>
Reply-To: "onap-tsc@..." <onap-tsc@...>
Date: Tuesday, October 9, 2018 at 11:48 AM
To: "onap-discuss@..." <onap-discuss@...>, Michael O'Brien <Frank.Obrien@...>, "onap-tsc@..." <onap-tsc@...>, "helpdesk@..." <helpdesk@...>
Cc: Prudence Au <Prudence.Au@...>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security







Hi, I was wondering if we can get the security rules relaxed - currently I would need to copy/paste wiki content for other members of the team doing the CLM work.

Thank you

/michael







From: onap-discuss@... <onap-discuss@...> On Behalf Of Michael O'Brien
Sent: Friday, October 5, 2018 10:14 AM
To: onap-discuss@...; onap-tsc@...; helpdesk@...
Cc: Prudence Au <Prudence.Au@...>
Subject: [onap-discuss] Allow non-PTLs to view/edit the CLM security wiki pages #clm #security







Team,

Hi, I have a request on behalf of my team and likely others.

The CLM security pages are locked down too tightly - I would like other members of the team - in particular Prudence Au (my co-PTL along with Luke Parker) to be able to view and edit pages in the wiki space

https://wiki.onap.org/display/SV/Security+Vulnerabilities+Home

https://wiki.onap.org/pages/viewpage.action?pageId=43385152

The issue that we did not foresee - distribution of CLM work among the team.

Also when a PTL is out for a 1 day vacation - the delegate PTL does not have access to the site.

If the SV space is locked down - then the bottleneck is the PTL - in my case Prudence is a go-getter and would like to fix the remaining vulnerabilities - in our case we inherited several from another project on which we have a dependency - they already marked that vulnerability as a red herring and have a pom override - but without myself acting as the wiki conduit - this work is slowed down with some re-inventing of the wheel occurring.

Can we make the site read-only at least for any of the following:

- Committers of a project

- Ideally any committer of a project can see the pages of the other project - so one fix can be distributed among several

Thank you

/michael


"Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".