
Security Office Hour meeting minutes

Announcements

  • SAST: The CodeQL transition is ongoing, and PRs adding the corresponding workflows are ongoing. The Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
  • DAST: The Invicti license will expire at the end of August and the website limit has already been exceeded. No DAST tool will be required for the next Quality Gate.
  • Secret scanning
    • GitGuardian is currently set up, but Gitleaks is a potential successor.
    • Testing of GitHub secret scanning is still in progress.
  • TRG 8.0 has been published as a draft; adjustments as PRs are warmly welcome.

Open Discussions

  • none

Gabor Almadi

Office Hour meeting minutes

System team

  • n/a

Security team

  • First drafts of TRG 8.01, 8.03, 8.04 and 8.05 have been created; final versions will follow soon.
  • Be patient with CodeQL: it can be tedious, since it produces a lot of findings.

FOSS

  • A new committer election is open for Rohan Krishnamurthy. Please visit the page and cast your vote!

Open planning / community

  • The role of the committer is being discussed and will be presented in the next committer meeting. The basic role descriptions come from the Eclipse Foundation, but we want to specify in Tractus-X what else can be expected from a contributor, committer and project lead.
  • The association release process and the Eclipse Tractus-X release process need to be aligned, as the first is managed by the association and the second should be driven by the community.

Open Discussions

  • We should align on how and where migration documentation should be created for products. This would ensure that upon breaking changes the upgrade process can run smoothly, with a guide available for everyone. The guide could cover property, configuration and API changes and everything else that affects the upgrade from an old version to the new one. A draft of a working model that products could implement will be available soon. A TRG could specify where these guides should be located and in which format.

Tractus-X Office Hour meeting minutes

System team

  • Docusaurus: please use "toc_min_heading_level" and "toc_max_heading_level" to adjust your TOC.
  • The community has to describe our post-consortia release process transparently.

Security team

FOSS

  • Reminder: please make sure to attribute "foreign" logos correctly.

Open planning / community

  • The second Eclipse Tractus-X Community Days will take place 16-17 May 2024:
    • please provide your "wishes" for topics
  • The roadmap review finished on 29th Feb 2024.
  • The refinement phase will start in the next days.
  • The different open meetings can now be linked directly.

Open Discussions

  • n/a

Security Office Hour meeting minutes

Announcements

  • Security team approvals for most projects in scope of release 24.03 have been completed.
  • Upcoming changes for release 24.05 will focus on FOSS security tools, including:
    • a switch from Veracode to CodeQL for SAST,
    • a switch from GitGuardian to gitleaks for secrets scanning,
    • DAST will not be part of the upcoming TRG until further notice.
  • DAST was removed from the TRG due to issues with authenticated scans and with the SARIF report appearing as scanning alerts in the repository security section.

Open Discussions

  • An overarching issue for tracking the tool shifts was discussed, as it is necessary for proper planning by the teams.
    • Teams need to estimate the effort to adjust their GitHub workflows.
  • The PR for the new Security TRG was discussed. It includes a new requirement to remediate findings of medium severity, but not yet for the 25.05 release.
    • Concerns were raised about the additional planned team resources needed for triaging these issues; it was suggested that the TRG should be finalized and teams made aware.
  • What are the best practices for scheduling security tool Action workflows: on every PR, or at another frequency?
    • The TRG requires at least one run; this is the mandatory baseline for all.
    • Best practice is to run more frequently; recommendations differ per tool (e.g. secret scanning on every PR, dependency scanning on a weekly basis).
    • The trigger will be on push + on pull request + scheduled; the frequency depends on the repository's activity, so each team has to decide.
    • Best practice recommendations will be published in the sig-security repository.
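As an added illustration (not a workflow from the minutes, the sig-security repository or any Tractus-X product), a GitHub Actions workflow that follows the trigger pattern discussed above: CodeQL runs on every push to the default branch, on every pull request and additionally on a weekly schedule. The branch name, the language and the weekly cron time are assumptions.

```yaml
# Added example, not a Tractus-X artefact.
# Trigger pattern from the discussion: push + pull request + schedule.
# Assumptions: default branch "main", Java code base, CodeQL action v3.
name: CodeQL SAST

on:
  push:
    branches: [main]          # every push to the default branch
  pull_request:
    branches: [main]          # every PR targeting the default branch
  schedule:
    - cron: "0 3 * * 1"       # additionally every Monday 03:00 UTC, so new
                              # CodeQL queries also run on an unchanged code base

permissions:
  actions: read
  contents: read
  security-events: write      # required to upload SARIF results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java       # assumption: adjust to the repository's languages

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

A secret-scanning workflow would use the same three triggers; only the job steps differ.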

Sebastian Bezold

Office Hour meeting minutes

System team

  • Quality Gate reviews are in progress. Please keep an eye on your issues.

Security team

  • A new "Read only filesystem" TRG will be introduced in the "Container" category.
  • A new "Dependabot" TRG will be worked on via PR #659 and moved to the security section afterwards.
  • With release 24.05, Veracode will no longer be part of the QGate; we move to CodeQL. Do the necessary migration early on, if possible.

FOSS

Open planning / community

  • n/a

Open Discussions

  • Automated email about upgrades to the Kubernetes and PostgreSQL versions: what does it mean?
    • See it as a discussion starter and reminder.
    • Potentially, the committer group can use it as a trigger for alignment on these two crucial topics.
  • Is there a publicly available test installation of a dataspace built from Tractus-X components?
  • Is there a possibility to enable contributors to edit other contributors' issue descriptions?
    • No. This is only possible with write permissions.
    • Write permissions are only granted to the committer role.

Sebastian Bezold

Office Hour meeting minutes

System team

  • Still looking for volunteers to work on QG reviews together with the system team.
    • The goal is to spread knowledge on how TRGs are checked.
    • Especially interesting for committers that already know they will stay post-consortia.
  • Preparing an open description of our release process. Feel free to comment on this draft with any suggestions or important topics you think should be covered.
  • Markdown linting will again be enabled for KITs. Findings will be collected as one issue per KIT.
  • The OpenAPI plugin for Docusaurus will be removed.
    • OpenAPI definitions will be pushed to SwaggerHub. User credentials are available as org secrets.
    • Ongoing discussions: some definitions might be published through a standard and therefore outside of eclipse-tractusx.

Security team

  • New TRG suggestion PR: eclipse-tractusx/eclipse-tractusx.github.io#681
  • Reminder: please focus on eclipse-tractusx instead of catenax-ng.
  • Please reach out to the security team as soon as the security scans for the QG checks are ready for QG review.

FOSS

Open planning / community

office hour meeting minutes

System team

  • Kube Prometheus Stack upgraded to the latest release 56.6.2.
  • The committer election for Tuncay Tunc on Eclipse Tractus-X has started.
  • The committer election for Fábio Mota on the Eclipse Tractus-X project concluded successfully.
  • Committer volunteers are wanted to participate in/shadow the next Quality Gate process.

Security team

  • New TRGs from the security team were presented, requesting feedback on Security TRG 8.0.
  • It was suggested to contact the security team directly for any support required to use Invicti or to complete Invicti-related issues/tasks.
  • Update on static application security testing/source code scanning: the transition from Veracode to CodeQL is ongoing. Reach out to the security team for any assistance.
  • Reminder of the available onboarding process for Snyk.
  • There will be a separate security office hours meeting, biweekly on Thursdays 8:30 - 9:30.

FOSS

  • N/A

Open planning / community

  • Open meetings PR.

Open discussion

  • Question related to TRG 1.04 Diagrams as code: is there a need/requirement to convert already existing .png diagrams? It is recommended to use the toolset described in the TRG to keep the diagrams maintainable, but it is not a hard requirement in case the source is missing.

Fabian Grün

office hour meeting minutes

System team

  • Please be aware of our Markdown lint problem in eclipse-tractusx.github.io: currently only the /docs folder is checked, and the check should be extended to more markdown file directories.
  • TRG update: TRG 3-1 was superseded by TRG 5-09.
  • Upcoming Office Hours meeting minutes will be reported in the community section of our webpage, where you can find them.

Security team

FOSS

Open planning / community

  • Open meeting links with .ics invitation files are available for the community.

Open discussion

  • No open discussion

Gabor Almadi

office hour meeting minutes

System team

  • Whenever a new room is created in the Eclipse Matrix chat, please announce it in the main Tractus-X room, in the office hour and on the mailing list so everybody can learn about it and join.

Security team

FOSS

  • There was a new election for the project lead role for Stephan Bauer.
  • The Eclipse Project Handbook changed the section about handling copyright headers. A year range is no longer necessary, only the year when the file was created, so there is no need to keep updating the headers. It is still allowed to put a year range (creation year and last modification year) in the header, but the two years have to be separated by a comma.
  • Please sign the Eclipse Contributor Agreement before contributing to the webpage. Without it, commits cannot be merged to the main branch.
  • ❗ Please don't put any Catena-X content or resource on the website without permission.

Open planning / community

  • New open meeting links are listed directly on our webpage, and separate calendar files can be downloaded from there.
  • Office hours will probably start a few minutes later so that people don't have to wait until everyone has arrived.
  • A Committers and Contributors meeting could be a new form of communication in which the committers are more involved, taking some pressure off the System Team.
  • New-joiner rounds for basic introductions would be held every 2 weeks in a separate session.

Open discussion

  • Umbrella chart:
    • Currently there is a temporary solution for the Managed Identity Wallet by SAP until the open source version is fixed. This is a COTS application, and it raises questions such as how it can be integrated into an open source software stack like the umbrella chart. It is not confirmed yet whether the version from SAP can be used without a license. Currently all components can run without MIW, but the data exchange functionality won't work.
  • Public API versioning is still an open topic; no decision has been made to create a TRG or to guide the Tractus-X community towards one versioning strategy.
  • An alternative to MS Teams should be found, as it is hard to manage for an open community (e.g. Discord).

office hour meeting minutes

System team

  • No update

Security team

  • Many open cases (>10) from GitGuardian; please check your inboxes (or spam folders).
  • A bug bounty program is in the making.

FOSS

  • Happy new year: don't forget to update the year in your copyright headers.
    • Some corner cases will be clarified by the next office hour.
  • There is a new draft TRG 2.06 regarding Dependabot usage.
    • Please update your DEPENDENCIES file(s) to ensure that the suggested changes are license compliant.

Open planning / community

  • The last open planning session went very well.
  • There is a new open meetings page.

Open discussion

  • Discussion regarding the "Notice for docker image", which is to be moved into a separate file.
    • TRG 4.06 will be updated to mandate a dedicated file.
    • Please keep in mind to update your docker build workflow to include the new file instead of the README.md. See the example in TRG 4.05 for reference.
  • Discussion on where to discuss new TRGs and changes to existing TRGs: the TRG draft section, within the PR, or GitHub discussions.
    • Sebastian is going to create a PR so everybody can vote on it.
  • As multiple people struggle with our current docusaurus¹ setup, there will be a training/hands-on session soon. It will be announced on the mailing list.
  • Content updates for KITs: please ensure that no copyrighted content (incl. Catena-X) is contributed to Tractus-X.
  • False-positive issues opened by Trivy: please raise a "tooling support" issue in the sig-security repository.

  1. docusaurus: the generator for the pages you are reading right now