Hi Faith,

Regarding your comments on reproducibility and traceability.

If we are not blocking IPs, which I agree with Bryan is heavy-handed
from a practical perspective, perhaps anteater could create a report
of external sources per repository, and then exit 0.

The developers could then be alerted to our concerns.

Gerrit comment or email to the PTL:

"Hi $project developer, here are the external IPs connected to your build.
{list goes here}
If any of these sources should go offline, your builds will no longer
be reproducible or traceable.
Please consider this carefully. If you need a file hosted, contact
helpdesk and they will be happy to put it on artifacts.opnfv.org."

Or something like that.


-Aric

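One way to build the non-blocking report described above, as an added example that is not anteater's own code: walk the repository, pick out the remote sources named on curl/wget/git clone lines, separate raw IP literals and unknown hosts from the in-house artifact server, print the report, and exit 0. The allow-listed host artifacts.opnfv.org, the set of fetch commands, the report wording and the sample file contents are all assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Report external download sources found in a repository, then exit 0.

Added example, not anteater's own code. Assumptions: the allow-listed host
artifacts.opnfv.org, the set of fetch commands, and the constructed sample
file contents in SAMPLE_FILES.
"""
import ipaddress
import os
import re
import sys
from collections import defaultdict
from urllib.parse import urlparse

TRUSTED_HOSTS = {"artifacts.opnfv.org"}  # assumption: in-house artifact host

# Only lines that run a fetch command are inspected, so a URL in a comment
# or an echo is not reported (this is where most of the old noise came from).
FETCH_CMD = re.compile(r"\b(?:curl|wget|git\s+clone|pip\s+install|docker\s+pull)\b")
URL_RE = re.compile(r"\b(?:https?|ftp|git|ssh)://[^\s'\"<>)]+")
SCP_RE = re.compile(r"\b[\w.-]+@([\w.-]+):")         # git clone user@host:path
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # bare IP: wget 203.0.113.5/x
# Caveat: a dotted version string such as 1.2.3.4 also matches IPV4_RE.


def classify(host):
    """'trusted', 'ip', 'host', or None when the host is not external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "trusted" if host.lower() in TRUSTED_HOSTS else "host"
    if ip.is_loopback or ip.is_link_local:
        return None  # local service, not a remote source
    return "ip"  # any raw IP literal is reported, as Fatih asked for


def sources_in_line(line):
    """Return [(host, kind)] for every remote source on a fetch command line."""
    if not FETCH_CMD.search(line):
        return []
    hosts = [urlparse(u).hostname for u in URL_RE.findall(line)]
    hosts = [h for h in hosts if h]
    rest = URL_RE.sub(" ", line)  # strip URLs so their hosts are not counted twice
    hosts += SCP_RE.findall(rest)
    hosts += IPV4_RE.findall(SCP_RE.sub(" ", rest))
    out = []
    for h in hosts:
        kind = classify(h)
        if kind is not None:
            out.append((h, kind))
    return out


def scan_text(relpath, text, findings):
    """Record findings[host] -> [(relpath, lineno, kind)] for one file's text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for host, kind in sources_in_line(line):
            findings[host].append((relpath, lineno, kind))


def scan_repo(root):
    """Scan every file under root (skipping .git) and return the findings map."""
    findings = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    scan_text(os.path.relpath(path, root), fh.read(), findings)
            except OSError:
                continue
    return findings


def format_report(project, findings):
    """Render the developer-facing message; trusted hosts are left out."""
    external = {h: v for h, v in findings.items() if v[0][2] != "trusted"}
    if not external:
        return f"Hi {project} developer, no external sources were found in your build."
    lines = [f"Hi {project} developer, here are the external sources connected to your build:"]
    for host in sorted(external):
        refs = ", ".join(f"{p}:{n}" for p, n, _ in external[host])
        tag = "raw IP" if external[host][0][2] == "ip" else "host"
        lines.append(f"  {host} ({tag}): {refs}")
    lines.append("If any of these sources go offline, your builds will no longer be "
                 "reproducible or traceable. If you need a file hosted, contact "
                 "helpdesk and they will put it on artifacts.opnfv.org.")
    return "\n".join(lines)


SAMPLE_FILES = {  # constructed sample, not taken from any real OPNFV repository
    "build.sh": "#!/bin/bash\n"
                "curl -O https://artifacts.opnfv.org/releng/image.qcow2\n"
                "wget http://203.0.113.5/image.qcow2\n"
                "curl -s http://127.0.0.1:8080/health\n",
    "deploy/fetch.sh": "git clone git@example.com:team/tools.git /opt/tools\n"
                       "wget 203.0.113.5/extra.tar.gz\n"
                       "echo see http://example.org/docs\n",
}


def demo():
    """Scan the constructed sample in place of a checked-out repository."""
    findings = defaultdict(list)
    for relpath, text in SAMPLE_FILES.items():
        scan_text(relpath, text, findings)
    return findings


def main(argv):
    project = os.path.basename(os.path.abspath(argv[1])) if len(argv) > 1 else "sample"
    findings = scan_repo(argv[1]) if len(argv) > 1 else demo()
    print(format_report(project, findings))
    return 0  # report only; the gate is never blocked


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 report_sources.py /path/to/repo` from a CI job; with no argument it scans the constructed sample. On the sample it reports 203.0.113.5 twice (once as a URL, once as a bare argument) and example.com from the scp-style clone, skips the loopback health check and the echo line, and omits artifacts.opnfv.org because it is allow-listed.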

On Thu, Mar 8, 2018 at 9:11 AM, Fatih Degirmenci
<[email protected]> wrote:
> Hi Luke,
>
> I have a few comments and follow-up questions regarding this:
>
> “This in turn means we won't raise alarms over curl, git clone and wget and
> will instead check the IP addresses or URLS that those commands query. This
> should make anteater a lot less chatty at gate.”
>
> You might remember that one of the reasons we have checks for curl/wget is
> to find out if projects pull artifacts from unknown IPs during
> build/deployment/testing.
>
> These are not malicious, but we have seen that a few of the IPs where the
> projects fetch the artifacts belong to non-production/personal devices that
> tend to disappear over time.
>
> As you know, this is an important issue from reproducibility and
> traceability perspectives.
>
> Now the questions are:
>
> Assuming the IPs are not explicitly added to exception list for the
> corresponding project, do you mean that we will stop flagging changes/files
> that contain wget/curl against unknown IPs if they are not marked as
> malicious on VirusTotal?
>
> We also had plans to make anteater checks voting/blocking. Will we discard
> this plan since wget/curl against IPs are not even planned to be flagged?
>
> /Fatih
>
> From: <[email protected]> on behalf of Luke Hinds
> <[email protected]>
> Date: Thursday, 8 March 2018 at 14:02
> To: "[email protected]"
> <[email protected]>
> Subject: [opnfv-tech-discuss] [releng][security][infra] Anteater
> Improvements
>
> Hello,
>
> I have some changes to improve the reporting ability and hopefully tone down
> the false positives.
>
> Anteater will now interface with the VirusTotal public API:
>
> 1. If anteater finds a public IP address, the DNS history will be queried to
> see if the IP has past or present associations with malicious domains.
>
> 2. If a URL is found, it is checked against the VirusTotal API to see if it is
> marked as malicious.
>
> 3. Binaries will be sent to VirusTotal for a scan by the aggregation of
> scanners hosted there.
>
> For anyone wanting a demo, please see the following:
>
> https://asciinema.org/a/JfzUPWpBGm0wDKPCN3KlK2DK0
>
> I will work with various people to get this rigged into CI.
>
> This in turn means we won't raise alarms over curl, git clone and wget and
> will instead check the IP addresses or URLS that those commands query. This
> should make anteater a lot less chatty at gate.
>
> Cheers,
>
> Luke
>
>
> _______________________________________________
> opnfv-tech-discuss mailing list
> [email protected]
> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>