TAC: publishing repositories for "CVE benchmarking" initiative in Security Tooling WG #35
Comments
Hi @sj!! I am merely one member of the TAC, so I wouldn't pretend to speak for us all, but my personal view is that this looks very nice and would be a great thing to release under the OpenSSF flag, especially if it has been worked on within the tooling WG. I really like the idea of generating comparative benchmarks for these tools' efficacy and I can see easily how the extensibility of this can make it more powerful and general-purpose over time as well. @rhaning -- what would we need to do from a TAC perspective to discuss this together and decide on next steps?? Bring to next TAC meeting?
+1
@sj I love this idea! I am wondering if the vulnerability metadata schema that we are working on within the Vulnerability Disclosures WG could be helpful. One of our goals with the schema is to facilitate capturing information about remediation, including fix commits, etc.
Thanks for the support @jenniferfernick, @kaywilliams, and @MarcinHoppe! @rhaning: when will the next TAC meeting be? I'd of course be very happy to join the call to explain this further and ask any questions if/when necessary. @MarcinHoppe: it definitely looks like the work you're doing in the disclosures WG is very relevant to us! Apologies for having missed it! I can think of a variety of ways in which we could incorporate this work in the future. Might you be available for a quick call with myself (and possibly @esbena) today or tomorrow so we can discuss the two initiatives and how we can work together pre and post BlackHat? I'll ping you an email.
@sj This is really great. There could be some collaboration with the Security Metrics project happening in the Identifying Security Threats WG as well. cc: @scovetta The next TAC meeting is scheduled for Tuesday November 3rd - 8:00AM PT. Details are in the invite in the OpenSSF community calendar. If you can put together an overview to present, we can discuss it at the next meeting and decide on the next steps and how to best coordinate with the other working groups.
Would love to discuss at next TAC. Very cool stuff.
It sounds like no - this is about measuring tools' efficacy (what that WG focuses on) vs projects' security... but it certainly could help us decide what tools we may want to run on projects, or recommend!
To help unblock this, do you think you could get the repos staged somewhere? It sounds like you'll probably want your own organization (rather than sticking everything into the ossf one) because you need to organize a potentially large set of repos. Getting a few of these created somewhere should make it easier for TAC members to look at, then later we can get a "real" one created under the ossf accounts and transfer everything into there.
That's indeed what we were thinking as well.
Sure thing! I'll get this together ASAP in private repositories in a separate org: https://github.com/ossf-cve-benchmarking (name can be changed if people prefer). I'll make sure all TAC members in this issue have access.
@sj @psiinon @esbena @calumgrant @kevinbackhouse - this "CVE Benchmarking" effort sounds very interesting! I'll try to connect you with Paul Black at US NIST. NIST runs the Software Assurance Metrics And Tool Evaluation (SAMATE) effort for evaluating software assurance tools. They have a set of test suites for evaluating tools. Most of their test suite is artificial, but they do use some live code. They might be interested in adding this to their suite and/or have information that'd be useful to you. I tried to do this years ago & the CVE databases didn't provide enough data to really locate the vulnerabilities without LOTS of help; I hope that's changed.
Thanks @david-a-wheeler, but we've already spoken to Paul and his team back in June 🙂
@sj - excellent, glad to hear it! Never mind then :-).
+1 this looks really interesting
@estesp, @david-a-wheeler, @dlorenc, @mayakacz, @xcorail, @rhaning, @MarcinHoppe, @kaywilliams, @jenniferfernick: I've given you all access to our tooling and metadata repo: https://github.com/ossf-cve-benchmark/ossf-cve-benchmark. Most of the development happened on internal GitHub repositories in the past, which we've combined into a single commit. Currently, development is happening in feature branches of that repository. Very much work in progress! We'll add some repositories with vulnerable code (eventually there'll be one such repo for every CVE in the dataset) later today or tomorrow. As soon as those are live, I'll give you access to those as well. When will the TAC meeting be, @mayakacz / @kaywilliams? I'd be very happy to present our plans there and tell you more about our BlackHat talk. It might also be useful to discuss whether the OpenSSF would like to make any announcements on this, and if so: how. We'll be posting a blog on the GitHub website as well. Any questions: give me a shout!
Thanks @sj! The next TAC meeting will be on November 17, 2020 at 08:00am PT. I'll put you on the agenda to present, we're all excited to learn more. Thanks! |
Thanks @rhaning; I'll see you on the 17th! The deadline for us to hand in the recording of the BlackHat talk is 16 November, though. It'll be broadcast 7-10 December. I think it's fine for us to talk through some details at the TAC meeting (after the recording), but it'd be great if we could discuss a few things asynchronously here so the recording of the BlackHat talk is not blocked. Hope that's OK! If possible, I would love to get a thumbs-up / thumbs-down on the following:
Very happy to discuss this further in comments below. If people are completely happy with the above, it'd be great if you could leave a 👍. Many thanks! Everything else we can discuss in virtual person at the TAC meeting on the 17th!
FWIW: Love this - am fully in support of it as written. Looking forward to seeing the talk! Curious also to learn more about future directions for the project, and to learn more about the current and future activities within the tooling group more generally. I suppose we'll learn some of this at the Town Hall! :) |
Thanks for the support everybody! Considering the many 👍 on my comment (including from members of TAC and Governing Board), we'll go full steam ahead. I've just created a Team |
Excellent! @LindsayLF - do you know what logistics would have to happen to "officially" transfer this org over to LF/OSSF management? I think if the org is free we just need to add "thelinuxfoundation" as an OWNER on the org. Not sure what happens if we need billing. |
@dlorenc Yes, please add me as an owner @LindsayLF and I will add "thelinuxfoundation" in. Do you anticipate any fees in setting up this org? / If so, what would the cost be, and what billing info is needed? |
I haven't had time to delve into everything, but the basic idea looks very sound! Thanks for working on this! |
👍 |
@LindsayLF: would you mind if we waited with adding extra owners and any formalities until we've safely recorded our Black Hat talk (deadline: Mon 16 Nov)? We can talk about the details at the TAC meeting on 17 November. At this stage I don't anticipate this involving costs anytime soon. |
@sj Sure thing! Add me the week of 11/16, thanks! |
@sj can @LindsayLF be added now? Anything else needed to close this out? |
At the TAC meeting a week or two ago, we decided that we'd hold off with the transfer of ownership until after Black Hat has actually taken place (Wednesday next week). Hope that's OK with you too, @dlorenc! |
Ah sure! Makes sense. |
That works for me! @sj |
@sj Is this now done? Seems to be published here: https://github.com/ossf-cve-benchmark/ossf-cve-benchmark |
Closing, this is done now. |
Hi TAC 👋!
Within the Security Tooling working group, we've been working on an initiative called "CVE benchmarking" (working title, might change). The idea is quite simple:
(eslint, jslint, jshint)

All of the above lives in a collection of repositories:
We've almost finished creating the first version of the tooling and the data set (specifically for JavaScript CVEs). In fact, our talk proposal for Black Hat Europe has been accepted, so we'll be announcing it there on 7-10 December.
We'd love to release this tooling and data under the OpenSSF flag. In particular, we'd love for the repositories to be published in an OpenSSF GitHub org. For example, we could consider:
(It goes without saying that I'm very happy to talk about details like repository structure — the above is just an example)
It'd also be great if we could bundle our efforts on the announcement side of things.
What's the best way to proceed? To give an idea of timelines: the BlackHat talk needs pre-recording, which we're hoping to do in the week of Monday 9 November.
cc @greysteil, @mayakacz