2021-06-28 Meeting notes
Discussion items
Software Supply Chain Security
Vipin: I am doing research on supply chain security. From the viewpoint of past security incidents in the software supply chain (SolarWinds, etc.), supply chain security is important, and Cactus as OSS is no exception. You must create an SBOM (Software Bill of Materials) to manage vulnerabilities associated with HL repositories. WhiteSource Bolt, installed in a branch, automatically detects vulnerabilities in the libraries in the dependency tree of that branch on GitHub. When it was run on Cactus, it detected many components with vulnerabilities. It is necessary to deal with these by upgrading.
Shingo: If the vulnerability issues depend on the libraries, should each contributor create libraries carefully in the future to resolve these issues?
Vipin: You need to address the vulnerabilities not only when adding future dependencies but also by fixing existing libraries.
Vipin: I am planning to write an HL blog about HL OSS supply chain security.
Hart: We have to look at false positives, since false positives cause developers to become complacent and ignore real warnings.
Vipin: Need to look at the rate of false positives. Also develop a methodology for doing periodic scans, or scans just before a significant release.
Other
Hart & Shingo: We should discuss more over email.
Shingo: The video of HLGF is available, so I recommend watching it.
Vipin: Had problems during the video; will be re-recording.