/
2020-12-11 Meeting Notes

2020-12-11 Meeting Notes

Dec 11, 2020

Date

11 Dec 2020

Attendees

  • @Mike Gorrell

  • @Ryan Berger

  • @Julian Ladisch

  • @Craig McNally

  • @Axel Dörrer

Discussion items

Time

Item

Who

Notes

Time

Item

Who

Notes

 

Review Security Issues

Team 

Review Kanban board

 

Snyk token

@Julian Ladisch

Synk has two ways to analyze maven projects:
a) Run maven to create a dependency tree from all pom.xml files and use the result for Snyk analysis, or
b) Snyk directly fetches the pom.xml files but doesn't resolve the dependency before analyzing.
The reports from b) are unusable because they have many false positives and false negatives, see this screenshot. On the left a) with julianladisch/raml-module-builder where a GitHub action runs maven and then the snyk analysis and on the right b) with folio-org/raml-module-builder where Snyk directly fetches the pom.xml files.

To run the GitHub actions for a) we need to put the SNYK_TOKEN into the GitHub secrets settings. Temporarily the ryandberger Snyk token is used in the julianladisch repository. Should we create a folio-org Snyk organisation and token to be used for https://github.com/folio-org/ that is free for open source, or should we use the ryandberger Snyk organisation and token?

Everyone agrees we should create a folio-org Snyk organization and Token. The POC period has ended. @Julian Ladischwill try to do this in the coming weeks, including asking Devops to add the token to the repo.

 

 

Safe harbor, policies

@Mike Gorrell

Safe Harbor Statement/Acceptable Use Policy - Still no activity/movement