[Security Review] KubeEdge
Project Name: KubeEdge
Github URL: https://github.com/kubeedge/kubeedge
CNCF project stage and issue (NA if not applicable): Incubation and preparing for graduation
- Sandbox Proposal: https://github.com/cncf/toc/pull/205
- Incubation Proposal: https://github.com/cncf/toc/pull/461
- Graduation Proposal: TBD
We are now preparing for graduation and need to do a security assessment before we start the graduation process.
- Self-assessment: https://github.com/kubeedge/community/blob/master/sig-security/self-assessment.md. Also available on Google doc
- Joint Review Draft: https://github.com/kubeedge/community/blob/master/sig-security/joint-review.md
Security Provider: no
- [x] Identify team
- [x] Project security lead @vincentgoat
- [x] Lead security reviewer @JustinCappos
- [x] 1 or more additional reviewer(s) @victorjunlu @Alevsk @bsenel (observers: @jkjell )
- [x] Every reviewer has read security reviewer guidelines and stated declaration of conflict
- [x] Sign off by assessment facilitator on reviewer conflicts
- [x] Create slack channel (e.g. #sec-assess-projectname)
- [x] Project lead provides draft document - Joint Review Draft
- [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [x] Assign issue to security reviewers
- [ ] Initial review
- [ ] Presentation & discussion
- [ ] Share draft findings with project
- [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
- [ ] CNCF TOC presentation (if requested by TOC)
@lumjjb Acknowledged.
re: https://github.com/cncf/tag-security/pull/977
This issue has been automatically marked as inactive because it has not had recent activity.
Just posting an update, contrary to stalebot: currently looking into this (plus additional projects) to assign resources.
@kevin-wangzefeng
Good day!
So I've created a public calendar (to help w/ scheduling sync-up meetings via Google + Doodle): https://calendar.google.com/calendar/embed?src=fa0dbd33fa6a41e9c2530bd5cd77e039adf802b12c8a60865c6055f15e923c75%40group.calendar.google.com&ctz=America%2FVancouver
Access has been restricted, so individuals will need to request access. Also, I've created a dedicated Slack channel: https://slack.com/app_redirect?channel=C04FSNLFQRJ
Please reach out to me on slack, @IAXES, and I can setup your access to the channel plus the calendar. Also, we can setup access to a shared folder in Google drive (if needed for one-off files, notes, etc.), get the contact details for your colleagues (add them to the Slack channel + calendar as well, write down their names and email addresses in a controlled/private file in the Google drive + Slack channel, etc.).
One additional note: there are typically two different manners in which the assessment documents are reviewed/tracked.
- Create the initial review document in Markdown (.md) format, submit it for review, then the document is converted to a Google doc, assessed over multiple rounds, then re-converted into a Markdown file again.
- Create the initial review document in Markdown (.md) format, submit it for review, and the maintainer/submitter creates a pull request (against a repo they own), and review comments can be submitted via PR comments (i.e. using the GitHub web UI).
It would be a good idea to consider which approach would be preferred as you're preparing the first round draft. The final review will likely also include (using CloudCustodian's review as an example) a security matrix and a threat model diagram.
I'll be facilitating rather than reviewing this round, but for completeness:
Hard conflicts:
- Reviewer is a maintainer of the project - NO
- Reviewer is a direct report of/to a maintainer of the project - NO
- Reviewer is paid to work on the project - NO
- Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
- Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
- Reviewer uses the project in his/her work - NO
- Reviewer has contributed to the project. - NO
- Reviewer has a personal stake in the project (personal relationships, etc.) - NO
This issue has been automatically marked as inactive because it has not had recent activity.
Hi, @IAXES Just move the stale label. Any updates would be appreciated.
This issue has been automatically marked as inactive because it has not had recent activity.
I'm checking things out here and am a bit confused about what happened to make this assessment stop moving forward.
@kevin-wangzefeng , your team has clearly done a lot of work here. It's interesting to see a joint assessment (is it a draft?) as well listed in the repo above. If folks on your side still have cycles, I'd like to propose getting a team together to push this to the finish line. I do spot a few issues in the assessments which may need to be addressed, but given you've done a lot of work already, I think we can complete this without a major amount of effort.
Can you confirm that you're still interested in having this move forward and have cycles when we are ready for it (likely in 2-4 weeks)?
The lack of a defined timeline is the primary reason that is blocking the progress of this project. We would like to move forward this assessment and have cycles when you are ready. Your assistance in driving it forward would be highly appreciated.
> The lack of a defined timeline is the primary reason that is blocking the progress of this project. We would like to move forward this assessment and have cycles when you are ready. Your assistance in driving it forward would be highly appreciated.
Understood. I'll try to round up the folks to staff this during an upcoming TAG security meeting. You should see some folks volunteer to review on this issue.
Thanks.
This issue has been automatically marked as inactive because it has not had recent activity.
I'm a bit confused about the status here. There is a self assessment and a draft joint assessment, but the latter is not in the usual format (like it was drafted by the project team).
@vincentgoat We absolutely have the cycles to complete this and I'm happy to get started. I'll mark myself as lead reviewer for now and will see if I can recruit others in the meeting this week. Please confirm you'll have time over the next 2-3 weeks from your side.
> I'm a bit confused about the status here. There is a self assessment and a draft joint assessment, but the latter is not in the usual format (like it was drafted by the project team).
We have drafted a joint assessment, and the final version needs to be improved continuously with the help of reviewers during the review process.
> @vincentgoat We absolutely have the cycles to complete this and I'm happy to get started. I'll mark myself as lead reviewer for now and will see if I can recruit others in the meeting this week. Please confirm you'll have time over the next 2-3 weeks from your side.
Thanks, we are ready for this. cc @fisherxu @Shelley-BaoYue
@JustinCappos interested in joining this assessment. No conflicts from my end.
@JustinCappos I'm interested in contributing to this assessment.
@Alevsk Do you have any conflicts? (See: https://github.com/cncf/tag-security/tree/main/assessments/guide#conflict-of-interest-statement-and-review )
For the record, I do not have any conflicts.
Please @vincentgoat @Shelley-BaoYue @Alevsk join this channel: https://cloud-native.slack.com/archives/C05T4487FEH
I couldn't find your slack names so couldn't add you directly.
I do not have any conflicts contributing on this review.
I'd like to observe this assessment to help out for future one.
Okay, @jkjell sounds good. Would you kindly describe if you have a conflict of interest? https://github.com/cncf/tag-security/tree/main/assessments/guide#conflict-of-interest-statement-and-review
I have no conflicts on this review.
@JustinCappos I would be interested in contributing to this assessment.
Okay, can you read the conflict of interest text ( https://github.com/cncf/tag-security/tree/main/assessments/guide#conflict-of-interest-statement-and-review ) and describe if you have a conflict?
Cool! I have read the text and confirm that I have no conflict of interest.
@vincentgoat @kevin-wangzefeng @Shelley-BaoYue @Alevsk : We are ready to proceed. As I stated a few weeks ago on slack (and reminded about a few times), I need to speak with someone from your side about the format of documents quickly. Once we iron this out, we're all ready...
Hi, this week I'm available to discuss the format of documents.
Okay, what's the best way to connect? Can you message me on CNCF slack (justincappos) to coordinate?
Sent you message directly on slack :)