2020-08-28 Meeting notes

Owned by Mike Gorrell
Last updated: Aug 28, 2020
2 min read

Date

Attendees

Discussion items

TimeItemWhoNotes

NPM investigationRyan

Update based on last meeting's assignment:

Discussed potential vulnerabilities related to NPM and more broadly Java and other languages that might bring in dependencies. Additionally what types of code scanning might be possible/recommended. SonarCloud/SonarQube offers some - and some happens with Github, but are there other/better options.

Ryan volunteered to look at the Javascript environment/front end.

Ryan reviewed snyk - they have an open source plan and he was able to configure it to scan FOLIO repositories. Very similar results to what we get from Github dependabot. One feature that's a timesaver is that it allows you to make multiple changes in the same PR. They also maintain a blacklist of known malicious packages (thankfully FOLIO has none of those). Also has command line capability so it could be integrated with Jenkins. Not clear that you can scan specific branches (may only be Master). Can set it to make periodic scans.

2 "Shiny" features you don't get with Github:

1) Dashboard

2) Bulk pull requests for grouping minor version upgrades

Note this tool also works on Java.

Conclusion/actions:

  • Use this within the Security group to provide insight and get used to it.
  • As we use it consider inviting other UI developers to use/test
  • Explore how it helps Java. Craig and Julian will try and review it.



Secret StorageCraig

See this ticket relating to Secret Storage for FOLIO

Every now and then I'm asked about this, but it's never gotten any traction.  I was recently asked about it in the context of https://folio-org.atlassian.net/browse/MODORGSTOR-33.It would be great if we could discuss and possibly get the ball rolling.


Tangentially related is https://folio-org.atlassian.net/browse/FOLIO-2583 which specifically addresses issues with storing sensitive information in mod-configuration.   Also see https://folio-org.atlassian.net/wiki/display/DD/Distributed+Configuration - WIP that I had started a while back but never published until just now. 


Review open issuesTeamReview open issues and progress/status

Housekeeping - email, JIRA, etc

Mike Gorrell

NO ACTION TAKEN - follow up in 2 weeks.


Email alias/address security@folio.org still not working. Coordinating through Peter Murray  who is working with EBSCO on other address(es).

Jira configuration actions:

  • Can the Security Project be setup so that new issues automatically set the Security Level to FOLIO Security Group? 
    • Confirmed how to get this done - need to coordinate changes to permissions scheme and security scheme for the Security project with JIRA admin (some dependencies with other settings/projects).
    • Expect to complete week of July 27 (MDG OOO next week).
  • Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
    • Still investigating. It won't show unless it's set. The field has to be configured to appear on the screen that the project uses (not so for UXPROD)
    • Able to set for task, bug and epic.
  • Clarify and/or propose how we set a security level that allows only those who might need to know (ie. the specific developers who might work on issues) 
    • Need to define who is part of the list. Currently an "external core contributors" group that has 178 members. The current Security Role of "Core FOLIO Team" points to this group.
    • Use the "Core FOLIO Team"
    • May not ever need a more restrictive group.
  • NEW ITEM: Figure out a tagging/other system to note which items this team discussed