diff --git a/assessments/projects/cloudevents/CE-maintainers-communications.md b/assessments/projects/cloudevents/CE-maintainers-communications.md deleted file mode 100644 index 585b08c9b..000000000 --- a/assessments/projects/cloudevents/CE-maintainers-communications.md +++ /dev/null 
@@ -1,213 +0,0 @@ -# Communications with CloudEvents Maintainers - -## Slack Communications - -* **Security Pals Involved:** - * Igor Rodrigues (Igor Rodrigues) -* **CloudEvents Team Members Involved:** - * Doug Davis (dug) - -### Slack Report - -#### Igor Rodrigues (Nov 29th at 4:29:13 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701293353624819) - -Hello all, I'm a student at NYU involved in the SecurityPal effort from TAG -Security. Our group is conducting a security assessment on CloudEvents, which we -will later submit to the [TAG Security Assessments -Repository](https://github.com/cncf/tag-security/tree/main). We have completed -an [initial -evaluation](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md) -of the project and would appreciate your feedback to validate the information we -included. We also want to know if there are additional aspects we should include -in the assessment to correctly represent your project, along with more details -for sections like [security issue -resolution](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#security-issue-resolution) -and [secure development -practices](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#secure-development-practices). -Please, feel free to share your thoughts here on Slack, on GitHub, or on a call. -Thank you! - -#### Dug (Nov 29th at 8:02:04 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701306124114029?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Hi @Igor Rodrigues - will take a look. Just curious though, what made you decide -to analyze CloudEvents? - -#### Igor Rodrigues (Nov 29th at 8:36:26 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701308186825319?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Hi @dug, thank you. 
The assessment is one of our assignments for a class we are -taking with Professor Justin Cappos. Each group was assigned to a CNCF project, -and ours was CloudEvents. The project is interesting, so we are trying to do a -bit more than expected. I hope the assessment helps in the future. - -#### Dug (Nov 30th at 10:24:13 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701357853677559?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -@Igor Rodrigues thanks. Just a few comments from my quick scan: - -* Where do you see ANTRL being used? I'm surprised you didn't include markdown - in the list despite it not being a "programming language", being a "spec" - markdown is kind of our "language" :slightly_smiling_face: -* `CloudEvents was developed to address the lack of uniformity in event data - format...` be a bit careful here. While CE does provide a "structured" format, - that's just there are times when people want the event data and context - attributes in one doc. In general though CE is NOT trying to define "yet - another common event format (one format to rule them all)". In particular, - many people use/prefer "binary" format because it just augments their existing - events. And even with "structured", the stuff that does into the `data` - attribute is wide open - and should be defined by the business. I just don't - want people to think we're making the same mistake as other folks who tried to - force one format for all events. Rather CE is about standardizing "where to - find common metadata about the event w/o having to parse/understand the event - specific format". -* Nit: in "Protocol Binding" section it mentions `structured-mode` but hasn't - defined that term yet. You may want to define binary vs structured CEs in the - doc before this section. -* Not sure what the "trust boundary" is meant to represent in the diagram since - "trust" is kind of orthogonal to the roles. 
-* Goals: may want to tweak some of those based on my comments above. Plus, some - of those aren't really goals for CE since CE doesn't control them. For - example, "generate events before consumers are listening" - a good idea, but - CE doesn't really talk about those in the spec itself. CE is just about the - format and how they might appear on the transports. With a few exceptions, it - doesn't get into the protocols themselves or event - management/subscriptions..... -* CE is under review for Graduation status right now... hopefully will be - approved very soon -* CE doesn't really describe any encryption mechanism or deal with integrity - - the text you wrote kind of implies CE addresses it. Perhaps say something like - it's an implementation detail/choice?? -* Ecosystem - might be good to link to the [cloudevents.io](cloudevents.io) site - which includes a list of adopters. -* The "Security issue resolution" section reads like an SDK specific section - - perhaps "SDK" should appear in the title to make it clear that the following - sections apply to the SDK repos and not the spec repo? -* There's also a new security mailing list people should use to report security - concerns: https://lists.cncf.io/g/cncf-cloudevents-security/topics -* There is no "CloudEvents Steering Committee" that's mentioned in the Threat - Modelling section (typo in Modelling) -* It might be good to mention that (I think) all of the security issues found by - Trail of Bits have been addressed - -#### Igor Rodrigues (Nov 30th at 11:58:51 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701363531073659?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Hi @dug, Thank you for all the comments! For ANTLR, GitHub marked it as 14.1% of -the [CloudEvents spec](https://github.com/cloudevents/spec), so that's why I -added it to the assessment, but I may remove it if it's not very relevant. I'll -also definitely add Markdown, thanks for noticing that. 
We'll review the doc, -update it with your comments and tell you about the changes. Thank you again! - -#### Igor Rodrigues (Dec 4th at 11:15:26 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701706526314599?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Hi @dug, we fixed the comments you provided on the [security -assessment](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md), -along with the comments from the meeting. Here are the [new -changes](https://github.com/cncf/tag-security/commit/e75e0e0a908ffa462c7923fad6e6e201b5feaef0#diff-086780f8339d58b8abcf32f9cf930f8b11ebf1889ee3e36c4eeaede7dc21a7b7) -since then. Please, let me know if there are more parts we could improve. Also, -I wanted to CloudEvents have a public SBOM that we could link, and if you think -there are more aspects we could add to the specification side of the [Security -Issue -resolution](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#cloudevents-specification). -Thank you for all the help! - -#### Dug (Dec 4th at 11:36:23 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701707783421699?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -The closest thing we have to a SBOM is: -https://github.com/cloudevents/spec#cloudevents-documents Thanks for the update. -Will look it over in a bit. - -#### Igor Rodrigues (Dec 4th at 11:44:52 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701708292972649?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Great, thanks! - -#### Dug (Dec 4th at 12:08:22 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701709702994029?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -I put just a few minor tweaks as comments on the commit. 
- -#### Igor Rodrigues (Dec 4th at 12:28:53 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701710933601919?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Thanks, I'll fix those soon - -#### Igor Rodrigues (Dec 5th at 8:05:09 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701781509377939?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Hi @dug, I forgot to ask this before, but are there any action items you are -currently working on or plan to work on that would solve the concerns mentioned -in the doc or other security concerns? I think it would be good to include those -in the assessment. I remember you mentioned implementing bots to check the SDKs, -do you have a pull request, issue, or any other link to the implementation of -the bots idea? Also, we are willing to help implement one of those solutions to -the concerns if you have some specific things in mind. - -#### Dug (Dec 5th at 11:57:30 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701795450643219?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -@Igor Rodrigues just this one: https://github.com/cloudevents/spec/issues/1235 - -#### Dug (Dec 5th at 11:58:19 AM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701795499076589?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -If someone knows how to setup the bots and wants to submit a PR to add them... -that would be great! Or even just a list of instructions for an admin to follow -(if it's more than just a PR) that would be great too. - -#### Igor Rodrigues (Dec 5th at 12:12:57 PM) - -* [Message - Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701796377013619?thread_ts=1701293353.624819&cid=C9DB5ABAA) - -Great, thanks! 
We are taking a look here - -## CloudEvents Team Meeting - -* **Security Pals Involved:** - * Igor Rodrigues -* **CloudEvents Team Members Involved:** - * Doug Davis - * Tommy - * Erik - * David B - * Jon - * Calum - * Jem - * Clemens - -### Team Meeting Report - -The team joined the CloudEvents public team meeting on November 30th, 2023, -which was [recorded on -YouTube](https://www.youtube.com/watch?v=2OZPTQOqFEw&t=191s). diff --git a/assessments/projects/cloudevents/files/CloudEvents SBOM.spdx b/assessments/projects/cloudevents/files/CloudEvents SBOM.spdx deleted file mode 100644 index 2e9ded54e..000000000 --- a/assessments/projects/cloudevents/files/CloudEvents SBOM.spdx +++ /dev/null 
@@ -1,174 +0,0 @@ -SPDXVersion: SPDX-2.3 -DataLicense: CC0-1.0 -SPDXID: SPDXRef-DOCUMENT -DocumentName: github.com/Igor8mr/spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -DocumentNamespace: https://s3.us-east-1.amazonaws.com/blob.fossa.io/FOSSA_BOMS/git%2Bgithub.com%2FIgor8mr%2Fspec%24130ba0d183f5e45c1d141f5c1f272cf71d898623 -Creator: Organization: NYU Igor -Creator: Tool: FOSSA v0.12.0 -Created: 2023-11-28T08:10:45Z -LicenseListVersion: 3.18 -DocumentDescribes: SPDXRef-pip-aiohttp-3.9.1 -DocumentDescribes: SPDXRef-pip-bs4-0.0.1 -DocumentDescribes: SPDXRef-pip-Markdown-3.5.1 -DocumentDescribes: SPDXRef-pip-pymdown-extensions-10.5 -DocumentDescribes: SPDXRef-pip-pytest-asyncio-0.21.1 -DocumentDescribes: SPDXRef-pip-tenacity-8.2.3 -DocumentDescribes: SPDXRef-pip-tqdm-4.66.1 - -#### Packages - -PackageName: spec -SPDXID: SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -PackageVersion: 130ba0d183f5e45c1d141f5c1f272cf71d898623 -FilesAnalyzed: true -PackageOriginator: Organization: Git -PackageLicenseDeclared: Apache-2.0 -PackageCopyrightText: 2021 The CloudEvents Authors. -PackageDownloadLocation: NOASSERTION -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:github/Igor8mr/spec@130ba0d183f5e45c1d141f5c1f272cf71d898623 -PackageChecksum: MD5: edde7edecb511530e340a6758e68469f -PackageChecksum: SHA1: 68b11edf18e3ee4aefb010d0039b46678279cc35 -PackageChecksum: SHA256: ede64337447df771e0cca0261121bf4fb2f3fe9c1b48f2c74b75907bf9c6ef8f - - -PackageName: aiohttp -SPDXID: SPDXRef-pip-aiohttp-3.9.1 -PackageVersion: 3.9.1 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: Apache-2.0 -PackageCopyrightText: aio-libs contributors. - aio-libs contributors. 
-PackageLicenseInfoFromFiles: MIT -PackageDownloadLocation: https://files.pythonhosted.org/packages/54/07/9467d3f8dae29b14f423b414d9e67512a76743c5bb7686fb05fe10c9cc3e/aiohttp-3.9.1.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.9.1 -PackageChecksum: MD5: a678b74da295fad8bc65e76ef882028d -PackageChecksum: SHA1: 077a26885ada5fa78bd540d61ad96d7b25ff2f14 -PackageChecksum: SHA256: 60b3a90c477906cef6846cc60499bf25a5fb725b3966958bdcfc30681fefbe46 - - -PackageName: bs4 -SPDXID: SPDXRef-pip-bs4-0.0.1 -PackageVersion: 0.0.1 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: MIT -PackageCopyrightText: NONE -PackageDownloadLocation: https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/bs4@0.0.1 -PackageChecksum: MD5: 0cf3b06d60f6de4e489ac9eaaf606e15 -PackageChecksum: SHA1: cb7eeca557338c2e6f83ded115730edb0358b5c5 -PackageChecksum: SHA256: f5238cfb5026c9846b4bbca72e3d1af0c98e750fe9c9fe610c7e1827dbd4cd8f - - -PackageName: Markdown -SPDXID: SPDXRef-pip-Markdown-3.5.1 -PackageVersion: 3.5.1 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: BSD-3-Clause -PackageCopyrightText: 2007, 2008 The Python Markdown Project (v. 1.7 and later) - 2004, 2005, 2006 Yuri Takhteyev (v. 
0.2-1.6b) - 2004 Manfred Stienstra (the original version) -PackageLicenseInfoFromFiles: ietf-trust BSD-2-Clause PIL -PackageDownloadLocation: https://files.pythonhosted.org/packages/35/14/1ec9742e151f3b06a723a20d9af7201a389ebd3aae8b7d93b521819489dc/Markdown-3.5.1.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markdown@3.5.1 -PackageChecksum: MD5: 17521d1c48bec050461c9749648eb02e -PackageChecksum: SHA1: 93ef9f0f2d38bb6a2e67b2e6b6928d8c6f3fd739 -PackageChecksum: SHA256: b33293b09516ec07f4f82388c82dc4101e2af4b0308d104a00a40c212dfda492 - - -PackageName: pymdown-extensions -SPDXID: SPDXRef-pip-pymdown-extensions-10.5 -PackageVersion: 10.5 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: MIT -PackageCopyrightText: 2014 - 2023 Isaac Muse - 2007-2008 Waylan Limberg](http://achinghead.com/). - 2008-2014 The Python Markdown Project - 2006-2008 Waylan Limberg](http://achinghead.com/). - 2013 GitHub, Inc. -PackageDownloadLocation: https://files.pythonhosted.org/packages/fd/fe/a3f51f84844e7a493884dbd5d70775fc83e26e414234c212fb342d65a079/pymdown_extensions-10.5.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pymdown-extensions@10.5 -PackageChecksum: MD5: 5307ac49eccdfedc0500e861454c1807 -PackageChecksum: SHA1: 999e7fc85d2be0e34e2f29306aae79aeaa77fd1d -PackageChecksum: SHA256: f9bf4664db12301525699019a1325132b48e7f606d2cf85c9a10867addff5780 - - -PackageName: pytest-asyncio -SPDXID: SPDXRef-pip-pytest-asyncio-0.21.1 -PackageVersion: 0.21.1 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: Apache-2.0 -PackageCopyrightText: NONE -PackageDownloadLocation: https://files.pythonhosted.org/packages/5a/85/d39ef5f69d5597a206f213ce387bcdfa47922423875829f7a98a87d33281/pytest-asyncio-0.21.1.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/pytest-asyncio@0.21.1 -PackageChecksum: MD5: 
b7a6b994b519756e167eb060f7b9c215 -PackageChecksum: SHA1: 4bd2b79d5335f9edc9d651223b371b8676e5027d -PackageChecksum: SHA256: 9ed0689af4d77ce1a842e557a08346827c6f8e91432322568ef8e4d6454b2293 - - -PackageName: tenacity -SPDXID: SPDXRef-pip-tenacity-8.2.3 -PackageVersion: 8.2.3 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: Apache-2.0 -PackageCopyrightText: 2016 Étienne Bersac -PackageDownloadLocation: https://files.pythonhosted.org/packages/89/3c/253e1627262373784bf9355db9d6f20d2d8831d79f91e9cca48050cddcc2/tenacity-8.2.3.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.3 -PackageChecksum: MD5: 997f8584a7fc7a2fac8129e5b7b38660 -PackageChecksum: SHA1: 04832f7674ec9b765f5b5fa6eedd7dcc0e66fe33 -PackageChecksum: SHA256: fa1582aa8ae5ba5e44f54ccc7de63a8be0593a8d3f77aa8966785f4bfb75b7f7 - - -PackageName: tqdm -SPDXID: SPDXRef-pip-tqdm-4.66.1 -PackageVersion: 4.66.1 -FilesAnalyzed: true -PackageOriginator: Organization: Pip -PackageLicenseDeclared: MPL-2.0 OR MIT -PackageCopyrightText: 2013 noamraph -PackageDownloadLocation: https://files.pythonhosted.org/packages/62/06/d5604a70d160f6a6ca5fd2ba25597c24abd5c5ca5f437263d177ac242308/tqdm-4.66.1.tar.gz -PackageLicenseConcluded: NOASSERTION -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tqdm@4.66.1 -PackageChecksum: MD5: 7948f65ba4a5924756d4b0f96ffbd2ac -PackageChecksum: SHA1: 8927f903a643ea9c15d2d1df91147d05f8f8f4b6 -PackageChecksum: SHA256: cc06ac41d0dca3fdd457918b98daabfb98ca4d37a5e875dbea3701c31ffc892e - - - -#### Relationships - -SPDXRef-DOCUMENT DESCRIBES SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-aiohttp-3.9.1 -SPDXRef-pip-aiohttp-3.9.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 
DEPENDS_ON SPDXRef-pip-bs4-0.0.1 -SPDXRef-pip-bs4-0.0.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-Markdown-3.5.1 -SPDXRef-pip-Markdown-3.5.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-pymdown-extensions-10.5 -SPDXRef-pip-pymdown-extensions-10.5 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-pytest-asyncio-0.21.1 -SPDXRef-pip-pytest-asyncio-0.21.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-tenacity-8.2.3 -SPDXRef-pip-tenacity-8.2.3 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 -SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-tqdm-4.66.1 -SPDXRef-pip-tqdm-4.66.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 - - - - - - - - diff --git a/assessments/projects/cloudevents/self-assessment.md b/assessments/projects/cloudevents/self-assessment.md index 0bd6e411b..1ed06367a 100644 --- a/assessments/projects/cloudevents/self-assessment.md +++ b/assessments/projects/cloudevents/self-assessment.md 
@@ -71,7 +71,6 @@ document](CE-maintainers-communications.md). | Security Provider | CloudEvents is not a security provider | | CloudEvents Specification Language | Markdown | | CloudEvents SDK Languages | Python, C#/.NET, Go, Java, Javascript, PHP, PowerShell, Ruby and Rust | -| SBOM | [CloudEvents SBOM generated by FOSSA](files/CloudEvents%20SBOM.spdx) | | Technical Documents | [CloudEvents Documents](https://github.com/cloudevents/spec#cloudevents-documents) | | | |
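Review bot: Deleting `assessments/projects/cloudevents/CE-maintainers-communications.md` (first hunk, `@@ -1,213 +0,0 @@`) leaves a dangling link: the third hunk's own context line, `document](CE-maintainers-communications.md).`, shows that `self-assessment.md` still references this file by relative path, so after this change that link 404s within the repository. Either keep the file or update the reference in `self-assessment.md` in the same change. Before dropping the file outright, also confirm that the two facts the maintainer supplied only in this thread have been carried into the assessment body: the security reporting mailing list (`https://lists.cncf.io/g/cncf-cloudevents-security/topics`) and the single open action item for SDK checking bots (`https://github.com/cloudevents/spec/issues/1235`), since nothing else in the patch adds them elsewhere.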
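Review bot: Removing `files/CloudEvents SBOM.spdx` (second hunk, `@@ -1,174 +0,0 @@`) is the right call, and the reason should be recorded in the commit or PR description: the document's `DocumentName` and the root package SPDXID (`SPDXRef-git-github.com-Igor8mr-spec-130ba0d1...`) show it was generated by FOSSA against a personal fork (`pkg:github/Igor8mr/spec@130ba0d1...`) rather than upstream `cloudevents/spec`, and the seven packages it describes (`aiohttp`, `bs4`, `Markdown`, `pymdown-extensions`, `pytest-asyncio`, `tenacity`, `tqdm`) are the spec repository's Python tooling dependencies, not anything an SDK consumer ships. Labelling that a "CloudEvents SBOM" in the assessment overstates its coverage. If the assessment wants an SBOM later, regenerate it against the upstream repository at a named tag and state explicitly that it covers the spec repo's build tooling only.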
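Review bot: In the `self-assessment.md` hunk (`@@ -71,7 +71,6 @@`), dropping the `| SBOM | ... |` row is consistent with the maintainer's statement in the deleted Slack log that "the closest thing we have to a SBOM is" the CloudEvents Documents list, which the table still links in the `| Technical Documents |` row. The hunk's header context, `document](CE-maintainers-communications.md).`, shows a link to a file this same patch deletes; that sentence needs to be changed here too (or the deletion reverted), otherwise the table is correct but the paragraph above it is broken. Minor: the trailing `| | |` row left at the end of the table renders as an empty row and could go as well.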