On Tue, Feb 6, 2018 at 2:32 PM, SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com> wrote:

> Hi all,
>
> I'm wondering where the Anteater program is – and want to note a broken link: build jobs with Anteater violations reference "Please visit: https://wiki.opnfv.org/x/5oey", which is the wiki page https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198, which says "Project specific exceptions can be added for file_name, file_contents and binaries, by using the name of the repository within the anteater/exceptions/ directory of the releng-anteater <https://wiki.opnfv.org/gerrit.opnfv.org:29418/releng-anteater.git> repository." – but that link (releng-anteater <https://wiki.opnfv.org/gerrit.opnfv.org:29418/releng-anteater.git>) is broken.
>
> I want to start adding the exceptions for Models etc. as an example for the LF IT team that is setting up the Acumos project gerrit/CI/CD process, and in general to help optimize the Anteater overhead for projects. I think we need to get some analysis of the types of exceptions that are typical, and establish a process for vetting those exceptions that goes beyond a simple review by a releng committer.
>
> Further, we need to bring in other scan tools (e.g. security vulnerability, virus, or malicious code scans) into the Anteater process. This is in response to concerns about the security of the governance process for open source (e.g. upstream, but also direct contribution in projects) that is used to build production-oriented systems. We need to demonstrate that OPNFV and other LF projects are addressing these concerns through their infra toolsets.

Sorry Bryan, I missed a few of these emails thanks (or rather no thanks) to a bad mail filter rule.

I am working on the following now, which we will see soon:

Much better documentation: http://anteater.readthedocs.io/en/latest/

Virus Total integration:

* Any binaries will be scanned using the Virus Total API, unless a sha256 waiver is already present, e.g. https://github.com/opnfv/releng-anteater/blob/master/exceptions/calipso.yaml#L9
* Any IP addresses / domain names / URLs will be scanned (again using the Virus Total API) for known malware and other nastiness.

I also have a load of new strings to add to dig out and report anything of a more recent finding (for example a JavaScript-based bitcoin miner).

The project is also hopefully going to move into GitHub (once agreed with LF) to encourage wider contributions and allow it to be more easily consumed elsewhere.

Once the above is in place, docs will be clearer to follow, the project will be more presentable, and coverage in finding vulns will be wider.

> Thanks,
>
> Bryan Sullivan | AT&T
>
> _______________________________________________
> opnfv-tech-discuss mailing list
> opnfv-tech-discuss@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss

--
Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
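The sha256-waiver rule described in the reply above (scan every binary unless a waiver for its digest already exists), as an added illustration that is not Anteater's own code: it triages a constructed in-memory repository against a constructed waiver list, and also flags the case the rule implies but the reply does not spell out, a waived file whose bytes have changed since review. The waiver shape (path to approved sha256) is an assumption, since the page does not show the exceptions file format.

```python
"""Triage repository binaries against a sha256 waiver list (added example)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_binary(data: bytes) -> bool:
    # Heuristic: a NUL byte in the first 8 KiB marks the blob as binary.
    return b"\x00" in data[:8192]


# Constructed sample repository contents (path -> bytes), not real project files.
SAMPLE_REPO = {
    "README.md": b"# calipso\nA constructed text file.\n",
    "images/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR-constructed",
    "tools/helper.bin": b"\x7fELF\x02\x01\x01\x00constructed-unwaived",
    "docs/diagram.png": b"\x89PNG\r\n\x1a\n\x00changed-since-review",
}

# Constructed waiver list; the shape (path -> sha256 of the bytes a reviewer
# approved) is an assumption, not Anteater's actual exceptions format.
WAIVED_SHA256 = {
    "images/logo.png": sha256_hex(SAMPLE_REPO["images/logo.png"]),
    "docs/diagram.png": sha256_hex(b"\x89PNG\r\n\x1a\n\x00original-reviewed-bytes"),
}


def triage(repo, waivers):
    """Return {path: verdict} with verdict in text, waived, stale-waiver, scan."""
    verdicts = {}
    for path, data in repo.items():
        if not is_binary(data):
            verdicts[path] = "text"
            continue
        digest = sha256_hex(data)
        approved = waivers.get(path)
        if approved is None:
            verdicts[path] = "scan"          # no waiver: submit to the scanner
        elif approved == digest:
            verdicts[path] = "waived"        # reviewed bytes are unchanged
        else:
            verdicts[path] = "stale-waiver"  # changed since review: rescan
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(triage(SAMPLE_REPO, WAIVED_SHA256).items()):
        print(f"{verdict:13} {path}")
```

A stale waiver is worth treating like an unwaived binary: the digest in the exceptions file no longer vouches for the bytes actually committed.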