...
- Presentation now done, another coming
- Clarification: Redfish only has Use Case testing (which is what is packaged in Bluval)
- What should kubehunter return?
  - Robot has some third alternative between "pass" and "fail"; Juha will investigate
  - If a security tool finds vulnerabilities, the result could be "pass", since the requirement is to run the tests, but this could imply that there is nothing to investigate
  - The vulnerabilities could be harmless in the end, so "fail" would also be misleading
  - Later on, there can be a whitelist of "harmless" warnings
- Tagging Release 3.0?
  - Can be done after the changes to security tests
  - Cristina will do the tagging
- Status
  - Patches for CI integration have been merged
  - Vuls fails when run after other tests; Daniel is investigating
  - Juha will send the kubehunter sample report to security@lists.akraino.org
March 25, 2020
- Presentation to TSC
- Vuls and lynis on CI: https://gerrit.akraino.org/r/c/validation/+/3306
- Discussion with Security Committee:
  - Interpreting the results from the vulnerability tests will require understanding how the project is used
  - Thus, the evaluation must be done together with the project PTL
  - The Security Committee requested a sample document from the tests
- Presentation to Akraino TSC+PTLs next week Tuesday:
  - Start with the list of mandatory tests (Tapio)
  - Show hands-on how to run the tests (Juha)
  - Show how to run the tests in CI and copy the results (Cristina?)
  - Show the results in UI (Ioakeim?)
...