...
Introductory webcast recording
Notes
April 15, 2020
- Security group update
  - For Vuls and other tests that use CVE tagging: all high and medium vulnerabilities must be fixed
  - For Lynis: gives a hardening index, but it is difficult to use that; low and high; list of exceptions, time limited
  - Kube-hunter: work in progress
    - https://gerrit.akraino.org/r/c/ci-management/+/3356
    - https://gerrit.akraino.org/r/c/ci-management/+/3358
- Tagging 3.0
April 8, 2020
- Security group update: they now want examples of "Lynis, Vuls, or Sonar Cloud"
  - Daniel will provide
    - https://gerrit.akraino.org/r/c/validation/+/3343
    - https://gerrit.akraino.org/r/c/validation/+/3340
  - Tagging 3.0 awaits this patch
- Documentation review
  - Test plan
April 1, 2020
- Presentation now done, another coming
- Clarification: Redfish only has Use Case testing (which is what is packaged in Bluval)
- What should kubehunter return?
  - Robot has some third alternative between "pass" and "fail"; Juha will investigate
  - If a security tool finds vulnerabilities, the result could be "pass" since the requirement is only to run the tests, but that would imply there is nothing to investigate
  - The vulnerabilities could be harmless in the end, so "fail" would also be misleading
  - Later on, there can be a whitelist of "harmless" warnings
- Tagging Release 3.0
  - Can be done after the changes to security tests
  - Cristina will do the tagging
- Status
  - Patches for CI integration have been merged
  - Vuls fails when run after other tests; Daniel is investigating
  - Juha will send the kubehunter sample report to security@lists.akraino.org
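Added example (not part of these notes and not code from the Akraino validation project): the April 1 question of what a security test should return and the April 15 rule that all high and medium findings must be fixed, with a time-limited exception list, can be combined into one verdict function. It assumes a simplified report shape (a list of findings with an id, a severity and a summary), three result states named PASS, WARN and FAIL, and a tool name "demo-scanner"; none of these come from the notes or from any real scanner's output format.

```python
"""Three-state verdict for a security scan with a time-limited waiver list (example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List

# Assumed result states: FAIL blocks, WARN means "ran clean of blockers but
# there is still something to investigate", PASS means nothing was reported.
PASS, WARN, FAIL = "PASS", "WARN", "FAIL"

# Severities that must be fixed (the "all high and medium" rule from the notes).
BLOCKING_SEVERITIES = {"high", "medium"}


@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that reported it
    ident: str     # the scanner's own identifier for the finding
    severity: str  # "high", "medium" or "low", lower-cased
    summary: str


@dataclass(frozen=True)
class Waiver:
    """A time-limited exception: it stops applying after expires_on."""
    tool: str
    ident: str
    reason: str
    expires_on: date

    def covers(self, f: Finding, today: date) -> bool:
        return self.tool == f.tool and self.ident == f.ident and today <= self.expires_on


@dataclass
class Verdict:
    status: str
    blocking: List[Finding] = field(default_factory=list)       # unwaived high/medium
    waived: List[Finding] = field(default_factory=list)         # high/medium with a live waiver
    informational: List[Finding] = field(default_factory=list)  # everything else


def findings_from_report(tool: str, report: dict) -> List[Finding]:
    """Flatten a simplified report into Findings.

    The shape {"vulnerabilities": [{"id", "severity", "summary"}]} is an assumption
    made for this example, not the output format of any particular scanner.
    """
    return [Finding(tool, item["id"], item["severity"].lower(), item["summary"])
            for item in report.get("vulnerabilities", [])]


def evaluate(findings: Iterable[Finding], waivers: Iterable[Waiver], today: date) -> Verdict:
    """Apply the policy: unwaived high/medium -> FAIL; anything else reported -> WARN."""
    waivers = list(waivers)
    v = Verdict(status=PASS)
    for f in findings:
        if f.severity in BLOCKING_SEVERITIES:
            if any(w.covers(f, today) for w in waivers):
                v.waived.append(f)
            else:
                v.blocking.append(f)
        else:
            v.informational.append(f)
    if v.blocking:
        v.status = FAIL
    elif v.waived or v.informational:
        v.status = WARN  # not a failure, but a plain "pass" would hide it
    return v


# Constructed sample input; the ids, severities and dates are made up for the example.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "FINDING-001", "severity": "High", "summary": "constructed high finding"},
        {"id": "FINDING-002", "severity": "Medium", "summary": "constructed medium finding"},
        {"id": "FINDING-003", "severity": "Low", "summary": "constructed low finding"},
    ]
}
SAMPLE_WAIVERS = [
    Waiver("demo-scanner", "FINDING-001", "fix scheduled for next release", date(2020, 6, 30)),
    Waiver("demo-scanner", "FINDING-002", "waiver already expired", date(2020, 3, 31)),
]


def demo(today_iso: str = "2020-04-15") -> Verdict:
    """Evaluate the constructed sample as of the given day (ISO date string)."""
    findings = findings_from_report("demo-scanner", SAMPLE_REPORT)
    return evaluate(findings, SAMPLE_WAIVERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    v = demo()
    print(v.status,
          "blocking:", [f.ident for f in v.blocking],
          "waived:", [f.ident for f in v.waived],
          "info:", [f.ident for f in v.informational])
```

Run as of 2020-04-15 the sample gives FAIL, because the waiver for the medium finding has lapsed while the high finding is still covered; the same report evaluated before 2020-03-31 gives WARN (both waivers live, one low finding left to look at), and after 2020-06-30 both high and medium block. The WARN state is what keeps a waived or low-severity finding visible without blocking the run, which is the middle ground the April 1 discussion was looking for; whether a third Robot state exists to carry it is the open item from the notes.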
...