2023-11-02 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes
? | Anything Urgent? Review the Kanban board? | Team |
  • SECURITY-9
    • Craig McNally will investigate/reach out to devs for: edge-courses, edge-fqm, and mod-consortia
      • Created story for mod-consortia and linked it to SECURITY-9
      • edge-fqm/edge-courses: the edge-common-spring framework apparently has a runtime dependency on the folio-spring-system-user library (due to dependency injection?). I've reached out to Taras to see what we can do about this, but he's on vacation. Circle back next week.
        • No update from Taras yet. Craig McNally will check with him and report back in Slack.
    • Axel Dörrer will do the same for the other 4
      • Has created some, e.g. MODCON-114
      • mod-caiasoft, edge-dematic, edge-inn-reach, edge-dcb still don't have JIRAs.
  • We reviewed several issues.
  • Started to review the SECURITY issues filed yesterday, but ran out of time.
    • Julian Ladisch will continue to take a first pass at these and we will revisit next week.
10-15 min | Critical & High Vulnerabilities Identified by EBSCO scans | Team |
  • EBSCO has started using a commercial tool (Prisma) for vulnerability scanning.
  • This is needed for LoC / FedRAMP compliance.
  • The most recent scan has found numerous vulnerabilities related to outdated dependencies
    • Many are related to Spring and will be addressed when teams upgrade to Spring (3.2.x?)
      • I believe this is planned for Quesnelia. Need to double check though.
    • Excluding those we're looking at ~20 Critical and ~130 High vulnerabilities
    • The open question is whether or not any of these should be embargoed.
  • Critical (the ~20 are some combination of the following in various modules):
    • While these are probably P1s, I don't see anything that screams "must embargo".  Let's discuss.