
[Proposal] Collab w/ TAG Observability

Opened by halcyondude

Description: what's your idea?

Solicit input, feedback, and collaboration on https://github.com/cncf/landscape-graph, specifically on Sub-Graph Modules related to software packages and threats (details below)

Impact: Describe the customer impact of the problem. Who will this help? How will it help them?

This data model and graph will be useful to a variety of personas, from those responsible for operating cloud workloads and infrastructure to security professionals, project maintainers, developers, and others. It will help by providing a scalable data model capable of answering questions such as: https://github.com/cncf/landscape-graph/labels/Q%20for%20graph

Thread from Slack

https://cloud-native.slack.com/archives/C01KL0B4LKC/p1658416961087659

Hi folks, I've been in the process of launching a new project that I think likely has some utility to this WG. In a nutshell, I'm pulling data from a variety of sources into a Neo4j graph database, with GraphQL as the strongly typed interface/API/data (schema) definition language.

https://github.com/cncf/landscape-graph

It aims to help answer questions such as:

  • for a set of projects, for all repos by release, show package dependency trees, overlaid with current CVE announcements w/ reporting and alerting as necessary.
  • for a set of projects' contributors, who employed them whilst they contributed? Who funded those organizations? Who owns them? What else did they invest in?
  • How does investment flow through the Landscape? Who maintains what? Who uses it?
  • Identify communities. Understand how they interact. Comprehend how they collaborate with each other.
  • Grok groupings of frequent code review <-> author interactions across projects.
  • Facilitate generation of DORA metrics in arrears from historical GitHub data for all CNCF projects. (more on DORA).
  • Are popularity and market cap correlated?
  • What companies are using which projects? What vendors support that?
  • What happened in Twitter last week related to my project?
  • The ones in bold in particular could be useful to inform secure supply chain tooling.

Presently using this as an initial Data Model, with active work going on around schema composition (supergraph/subgraph, federation, etc). This will allow for extending the graph using modular, testable, and verifiable strategies and workflows.

The most recent status update for current design/thinking w/ a link trove: https://github.com/cncf/landscape-graph/issues/4#issuecomment-1189200070

Question: Are there already efforts underway or considered around building a graph? I think it would make sense to add deployment information to the current subgraph list:

https://github.com/cncf/landscape-graph/tree/4-graphql-endpoint-v1/db#sub-graph-modules-sgm

.
├── blogs
│   └── sgm-blogcncf
├── boards
│   ├── sgm-ghdiscuss
│   └── sgm-stackoverflow
├── core
│   └── generated
├── corp
│   ├── sgm-crunchbase
│   └── sgm-yahoofinance
├── email
├── packages
│   ├── sgm-brew
│   ├── sgm-choco
│   ├── sgm-crate
│   ├── sgm-deb
│   ├── sgm-deno
│   ├── sgm-go
│   ├── sgm-maven
│   ├── sgm-npm
│   ├── sgm-pip
│   └── sgm-rpm
├── rtc
│   ├── sgm-discord
│   └── sgm-slack
├── social
│   ├── sgm-linkedin
│   └── sgm-twitter
├── threats
│   └── sgm-nist
└── videos
    └── sgm-youtube

I’ve been incorporating feedback from TAG Contributor Strategy and TOC members, as well as input from a variety of communities. The project is rapidly approaching the point at which contributors and maintainers will be actively solicited.

10k Kanban w/ in-flight work: Help Wanted, Questions, etc.

Please reach out directly or in #landscape-graph if interested. If it would make sense to discuss at a WG meeting I’m happy to join.

TO DO

  • [x] Security TAG Leadership Representative: @mlieberman85
  • [ ] Project leader(s):
  • [ ] Project Members:
  • [ ] Fill in additional TODO items here so the project team and community can see progress!
  • [ ] Scope
  • [ ] Deliverable(s)
  • [ ] Project Schedule
    • [x] https://github.com/orgs/cncf/projects/7/views/2
  • [ ] Slack Channel (as needed)
  • [ ] Meeting Time & Day: TBD
  • [ ] Meeting Notes (link)
  • [ ] Meeting Details (zoom or hangouts link)
  • [ ] Retrospective

halcyondude, Aug 01 '22 20:08
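One way to make the first question above concrete, as an added illustration that is not part of the original issue, of the landscape-graph schema, or of any of its sub-graph modules: an in-memory property-graph sketch with Project, Release, Package and CVE nodes joined by HAS_RELEASE, DEPENDS_ON and AFFECTS edges (all four node kinds and three edge names are assumptions, not the project's own), over which a depth-first walk produces the "dependency tree overlaid with CVEs" view per release. Every record in it is constructed sample data; the project, package and advisory identifiers are placeholders, not real advisories.

```python
"""In-memory sketch of the first question in the thread: for a project's
releases, walk the package dependency tree and overlay known CVEs.

Added illustration; not the landscape-graph project's schema, Cypher or code.
The node kinds (Project, Release, Package, CVE) and edge names (HAS_RELEASE,
DEPENDS_ON, AFFECTS) are assumptions chosen to mirror a property-graph layout,
and every record below is constructed sample data: the project, package and
CVE-style identifiers are placeholders, not real advisories.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Package nodes are keyed "ecosystem:name@version" so that two versions of one
# package are distinct nodes, as they would be in a package sub-graph module.

# Project -> releases (HAS_RELEASE edges)
PROJECT_RELEASES: Dict[str, List[str]] = {
    "example-project": ["v1.0.0", "v1.1.0"],
}
# Release -> direct dependencies (the first DEPENDS_ON hop from a release)
RELEASE_DEPS: Dict[str, List[str]] = {
    "example-project@v1.0.0": ["go:libfoo@1.2.0"],
    "example-project@v1.1.0": ["go:libfoo@1.3.0"],
}
# Package -> packages it DEPENDS_ON (transitive edges)
PACKAGE_DEPS: Dict[str, List[str]] = {
    "go:libfoo@1.2.0": ["go:libbar@0.9.0"],
    "go:libfoo@1.3.0": ["go:libbar@1.0.0"],
    "go:libbar@0.9.0": ["go:libbaz@2.0.0"],
    "go:libbar@1.0.0": ["go:libbaz@2.0.0"],
}
# Advisory -> package versions it AFFECTS (placeholder identifiers)
CVE_AFFECTS: Dict[str, Set[str]] = {
    "EXAMPLE-CVE-A": {"go:libbar@0.9.0"},
    "EXAMPLE-CVE-B": {"go:libbaz@2.0.0"},
}

Finding = Tuple[str, Tuple[str, ...], str]  # (release, dependency path, advisory)


def affected_index(cve_affects: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert AFFECTS edges: package version -> advisories naming it."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for cve, pkgs in cve_affects.items():
        for pkg in pkgs:
            idx[pkg].add(cve)
    return idx


def _walk(node: str, path: Tuple[str, ...], idx: Dict[str, Set[str]],
          release: str, out: List[Finding]) -> None:
    """Depth-first walk over DEPENDS_ON edges, recording every node on the
    current path that an advisory affects. A node already on the path is not
    re-entered, so a dependency cycle cannot recurse forever."""
    for cve in sorted(idx.get(node, ())):
        out.append((release, path, cve))
    for dep in PACKAGE_DEPS.get(node, []):
        if dep in path:
            continue
        _walk(dep, path + (dep,), idx, release, out)


def vulnerable_dependencies(project: str) -> List[Finding]:
    """For each release of `project`, return one finding per (dependency path,
    advisory) pair. The full path is kept so a maintainer can see which direct
    dependency pulls the affected package in."""
    idx = affected_index(CVE_AFFECTS)
    out: List[Finding] = []
    for version in PROJECT_RELEASES.get(project, []):
        release = f"{project}@{version}"
        for direct in RELEASE_DEPS.get(release, []):
            _walk(direct, (direct,), idx, release, out)
    return out


def releases_affected_by(project: str, cve: str) -> Set[str]:
    """The alerting view: which releases of `project` transitively pull in a
    package named by `cve`."""
    return {rel for rel, _path, adv in vulnerable_dependencies(project) if adv == cve}


if __name__ == "__main__":
    for release, path, cve in vulnerable_dependencies("example-project"):
        print(f"{release}: {cve} via {' -> '.join(path)}")
```

Keeping the whole path in each finding, rather than just the affected package, is what turns the query from "is this CVE somewhere in my tree" into something actionable: it names the direct dependency whose bump would remove the affected version. The path-based cycle guard matters because some ecosystems' lockfiles do contain cycles, and a naive recursive walk over a real package sub-graph would never terminate on them.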

Prior art: https://lyft.github.io/cartography/modules/cve/schema.html

halcyondude, Aug 10 '22 16:08

@mlieberman85 any updates on this after our initial triage?

PushkarJ, Sep 21 '22 17:09

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot], Nov 23 '22 04:11

Hello @halcyondude. I'm picking this back up. It's been some time since you opened the issue. Are you still looking for feedback? What form of feedback are you looking for? Is there something in particular that you are seeking from a security standpoint or more an overall review? Are there areas you'd like to direct our attention to?

anvega, Jun 21 '23 04:06

Closing due to inactivity. Please reach out again if you'd like to revisit the proposed collaboration.

anvega, Aug 01 '23 02:08