-
Notifications
You must be signed in to change notification settings - Fork 122
/
2023-08-03.md
58 lines (39 loc) · 2.4 KB
/
2023-08-03.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Node.js Security team Meeting 2023-08-03
## Links
* **Recording**: https://www.youtube.com/watch?v=fJNDQz9sAQo&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1059
* **Minutes Google Doc**: https://docs.google.com/document/d/1eLSRK2nKeEnWD1YcEjjROYgVOfuVRPupi7BS5kIMH4I/edit
## Present
* Security wg team: @nodejs/security-wg
* Marco Ippolito @marco-ippolito
* Rafael Gonzaga @RafaelGSS
* Michael Dawson @mhdawson
* Ulises Gascon @ulisesgascon
* Ruy Adorno @ruyadorno
## Agenda
## Announcements
*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
* Wait NVD database to be fixed - Ref: https://github.com/vehemont/nvdlib/issues/26
- [X] OpenSSF Scorecard Monitor Review
- Last report: https://github.com/nodejs/security-wg/pull/1066
- Organic improvements due SAST analysis and variations based on increasing/decreasing unreviewed changesets
- Ulises will apply stepsecurity auto-prs to all the repos in the org
- We will focus on monitoring from now on using the issue generated.
### nodejs/security-wg
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* No progress. Just for visibility.
* Marco is investigating this initiative.
* Initiative for CII-Best-Practices for Node.js Projects [#953](https://github.com/nodejs/security-wg/issues/953)
* Ulises will ask TSC for final approval in silver level
* Ulises will prepare the next step: gold level to be reviewed by the team following the previous process.
* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* Discussion around https://github.com/nodejs/security-wg/issues/1039. We agreed to follow option 2 (array/multiple flags)
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* OSSF Funding approved by TSC (no objections until the end of the week)
* OSSF is approved the budget is no objections are presented before the end of the week
* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
## Q&A, Other
## Upcoming Meetings
* **Node.js Project Calendar**: <https://nodejs.org/calendar>
Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.