Hi Luke,

I have a few comments and follow-up questions regarding this:
“This in turn means we won't raise alarms over curl, git clone and wget and 
will instead check the IP addresses or URLS that those commands query. This 
should make anteater a lot less chatty at gate.”

You might remember that one of the reasons we have checks for curl/wget is to 
find out if projects pull artifacts from unknown IPs during 
build/deployment/testing.
These are not malicious, but we have seen that a few of the IPs where the projects 
fetch the artifacts belong to non-production/personal devices that tend to 
disappear over time.
As you know, this is an important issue from reproducibility and traceability 
perspectives.

Now the questions are:
Assuming the IPs are not explicitly added to the exception list for the 
corresponding project, do you mean that we will stop flagging changes/files 
that contain wget/curl against unknown IPs if they are not marked as malicious 
on VirusTotal?
We also had plans to make anteater checks voting/blocking. Will we discard this 
plan since wget/curl against IPs are not even planned to be flagged?

/Fatih
From: <[email protected]> on behalf of Luke Hinds 
<[email protected]>
Date: Thursday, 8 March 2018 at 14:02
To: "[email protected]" <[email protected]>
Subject: [opnfv-tech-discuss] [releng][security][infra] Anteater Improvements

Hello,
I have some changes to improve the reporting ability and hopefully tone down 
the false positives.
Anteater will now interface with the VirusTotal public API:
1. If anteater finds a public IP address, the DNS history will be queried to 
see if the IP has past or present associations with malicious domains.
2. If a URL is found, it is checked against the VirusTotal API to see if it's 
marked as malicious.
3. Binaries will be sent to VirusTotal for a scan by the aggregation of 
scanners hosted there.
For anyone wanting a demo, please see the following:

https://asciinema.org/a/JfzUPWpBGm0wDKPCN3KlK2DK0
I will work with various people to get this rigged into CI.
This in turn means we won't raise alarms over curl, git clone and wget and will 
instead check the IP addresses or URLS that those commands query. This should 
make anteater a lot less chatty at gate.
Cheers,
Luke
_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
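The two messages above disagree on whether a curl/wget/git clone against a host that is not on a project's exception list should still be a gate finding. The following is an added example, not anteater's code or any OPNFV project's, showing one way to keep that check while still cutting noise: fetch commands are parsed out of a file or patch, the target host is extracted, private/lab ranges are ignored, hosts on a per-project exception list pass, and anything else is reported, with bare public IP addresses rated higher because (as Fatih notes) such hosts tend to vanish and cannot be vetted by name. The exception-list format, the severities and the sample build script are all assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical per-project exception list (anteater's real config format is not in the thread).
EXCEPTIONS = {"example-project": {"artifacts.opnfv.org", "github.com"}}
# Private/lab ranges are not a traceability concern and are skipped.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FETCH_CMD = re.compile(r"\b(curl|wget|git\s+clone)\b([^\n|;&]*)")
URL_RE = re.compile(r"(?:https?|ftp|git|ssh)://[^\s'\"]+|git@[\w.-]+:[^\s'\"]+")

def extract_targets(text):
    """Yield (command, host) for every download/clone command in a file or patch."""
    for m in FETCH_CMD.finditer(text):
        cmd, args = m.group(1), m.group(2)
        for url in URL_RE.findall(args):
            if url.startswith("git@"):                     # scp-style git URL
                host = url[4:].split(":", 1)[0]
            else:
                host = urlparse(url).hostname or ""
            if host:
                yield cmd, host

def classify_host(host):
    """'local', 'ip' (bare public address) or 'name' (DNS hostname)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "local" if any(addr in net for net in LOCAL_NETS) else "ip"

def gate_findings(project, text):
    """Findings for fetches not on the project's exception list; bare public IPs are rated 'high'."""
    allowed = EXCEPTIONS.get(project, set())
    findings = []
    for cmd, host in extract_targets(text):
        kind = classify_host(host)
        if host in allowed or kind == "local":
            continue
        findings.append({"cmd": cmd, "host": host,
                         "severity": "high" if kind == "ip" else "medium"})
    return findings

# Constructed sample build script, not taken from any OPNFV project.
SAMPLE = """\
curl -sSL http://192.0.2.10/images/cirros.img -o cirros.img
wget https://artifacts.opnfv.org/releng/functest.tar.gz
git clone https://github.com/opnfv/releng.git
wget http://10.0.0.5/local-cache/deps.tgz
curl http://mirror.example.net/pkg.deb | sudo dpkg -i -
"""
```

Running `gate_findings("example-project", SAMPLE)` reports the bare-IP curl as high and the unlisted mirror as medium, while the two exception-listed hosts and the 10.0.0.5 lab fetch produce nothing; the reputation lookups Luke describes would then run only on the hosts that survive this filter.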