
[Security Review] KubeVela

Open wonderflow opened this issue 2 years ago • 2 comments

Project Name: KubeVela

Github URL: https://github.com/kubevela/kubevela

CNCF project stage and issue: https://github.com/cncf/toc/pull/890 (incubation)

Security Provider: no

  • [ ] Identify team
    • [ ] Project security lead @wonderflow
    • [ ] Lead security reviewer
    • [ ] 1 or more additional reviewer(s)
    • [ ] Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • [ ] Sign off by 2 chairs on reviewer conflicts
  • [ ] Create slack channel (e.g. #sec-assess-projectname)
  • [ ] Project lead provides draft document - see outline
  • [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions
  • [ ] Assign issue to security reviewers
  • [ ] Initial review
  • [ ] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • [ ] CNCF TOC presentation (if requested by TOC)

wonderflow, Sep 08 '22 08:09

@IAXES for your action!

lumjjb, Sep 09 '22 12:09

@lumjjb Acknowledged.

IAXES, Sep 19 '22 14:09

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot], Nov 23 '22 04:11

Hi @IAXES, please let us know if there is anything we can do to make progress, thanks very much!

wonderflow, Dec 10 '22 03:12

@wonderflow Will do! Just getting things going on my end. Should have an update within a couple days tops.

IAXES, Dec 12 '22 13:12

@wonderflow

Good day!

So I've created a public calendar (to help w/ scheduling sync-up meetings via Google + Doodle): https://calendar.google.com/calendar/embed?src=4559ebcf9dd724f2d3b36a146c1bccab7c6406235213ca69d87f1a7983ad5684%40group.calendar.google.com&ctz=America%2FVancouver

Access has been restricted, so individuals will need to request access. Also, I've created a dedicated Slack channel: https://slack.com/app_redirect?channel=C04FM6PJBBP

Please reach out to me on Slack, @IAXES, and I can set up your access to the channel plus the calendar. Also, we can set up access to a shared folder in Google Drive (if needed for one-off files, notes, etc.), get the contact details for your colleagues (add them to the Slack channel + calendar as well, write down their names and email addresses in a controlled/private file in the Google Drive + Slack channel, etc.).

IAXES, Dec 17 '22 21:12

One additional note: there are typically two different manners in which the assessment documents are reviewed/tracked.

  1. Create the initial review document in Markdown (.md) format, submit it for review, then the document is converted to a Google doc, assessed over multiple rounds, then re-converted into a Markdown file again.
  2. Create the initial review document in Markdown (.md) format, submit it for review, and the maintainer/submitter creates a pull request (against a repo they own), and review comments can be submitted via PR comments (i.e. using the GitHub web UI).

It would be a good idea to consider which approach would be preferred as you're preparing the first round draft. The final review will likely also include (using CloudCustodian's review as an example) a security matrix and a threat model diagram.

IAXES, Dec 17 '22 21:12

Hi @IAXES, thanks very much! I had some trouble joining the Slack channel; I didn't find it. Is it in the CNCF Slack org? My Slack ID is wonderflow (Jianbo Sun), please help contact me, thanks!

wonderflow, Dec 19 '22 02:12

> One additional note: there are typically two different manners in which the assessment documents are reviewed/tracked.
>
>   1. Create the initial review document in Markdown (.md) format, submit it for review, then the document is converted to a Google doc, assessed over multiple rounds, then re-converted into a Markdown file again.
>   2. Create the initial review document in Markdown (.md) format, submit it for review, and the maintainer/submitter creates a pull request (against a repo they own), and review comments can be submitted via PR comments (i.e. using the GitHub web UI).
>
> It would be a good idea to consider which approach would be preferred as you're preparing the first round draft. The final review will likely also include (using CloudCustodian's review as an example) a security matrix and a threat model diagram.

We prefer the second manner, we should create a private repo, right?

wonderflow, Dec 19 '22 02:12

> We prefer the second manner, we should create a private repo, right?

That would work, yes. And if there's a "hidden option C" that we haven't considered, so much the better. I've looked into some Markdown tools that integrate with Google docs/drive, but they weren't compliant with the security policies of the teams requesting a security review, so the 2 options I noted seem to be the only viable options (of which I'm aware).

> My slack ID is wonderflow(Jianbo Sun), please help contact me, thanks!

I'll add you now. :)

IAXES, Dec 19 '22 05:12

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot], Mar 18 '23 11:03

Ping @IAXES

wonderflow, Mar 19 '23 01:03

I'm picking up stale items in the security assessment queue to try to push them forward. Apologies for the delay on your assessment!

I took a look and your self-assessment seems like it is in good shape! Is it up-to-date, or does it need to be updated? If so, once this happens, we can get a team together to do an assessment. Once it reaches the front of our queue, this will require back and forth with your team.

I'm so sorry for this delay from our side. Also, if a security assessment isn't desired anymore, please let us know and this issue can be closed.

JustinCappos, Jul 07 '23 13:07

Thanks @JustinCappos. Currently, a security assessment is not a high priority for us. I'll close this issue. Once we have time, we'll come back and raise it again!

Thanks again! @JustinCappos

wonderflow, Jul 10 '23 11:07