[uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST


Steve Kilbane
 

In yesterday's webinar, I asked a question about how ARM approached scanning when there are many dynamic dependencies; Sami gave _an_ answer, but I think I wasn't clear, and Sami was answering a different interpretation from the one I intended. I did attempt to clarify after the call on Slack, but Shane suggested posting here. Here's what I put on Slack, and I can expand if it turns out that I'm still muddying the waters…

 

"Thanks for the response Sami. I think I wasn't clear in my question during the call, but I didn't want to take up extra time, and your response was interesting anyway. :-) In an attempt to rephrase: It's one thing to say "open source must be scanned as it's brought into the org" if you're talking about the open source that developers want to use, but with Node.js, pulling in a single package that the developer wants to use might also bring in hundreds of additional, transitive dependencies that the developer doesn't really care about (React being a classic example). A minor change to the application might change those hundreds of dependencies to a different set of hundreds of dependencies. Do all of those get scanned, too? Are you blocking the developers from using the packages until the scanning is done, or is there a continual background queue of inbound open source that gets scanned asynchronously from the developers' usage?"

 

steve

 

From: uk-wg@... <uk-wg@...> On Behalf Of Shane Coughlan
Sent: 07 March 2022 10:41
To: OpenChain Main <main@...>
Cc: OpenChain UK <uk-wg@...>; OpenChain India <india-wg@...>; OpenChain Germany <germany-wg@...>
Subject: [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

 

Join us for a discussion around the software and network security topics you should keep front of mind during these unusual times. All welcome:

 

06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

 

Shane Coughlan

OpenChain General Manager

+818040358083

Book a meeting:


Sami Atabani
 

Hi Steve,

 

Sorry for the very late response on this.

 

This is a very good question, and we have a separate project where we are requiring our engineering teams to mirror what they need to use into an Arm repository (we are using Artifactory), to ensure that no build is accessing external dependencies. The aim is to run automated scanning of our repository and trigger alerts should a new vulnerability be identified.

 

Happy to discuss further if that helps.

 

Best regards,

 

Sami

 

From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 08 March 2022 16:33
To: OpenChain Main <main@...>
Subject: Re: [openchain] [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

 

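Steve's question (a small application change swapping one set of hundreds of transitive packages for another) and Sami's answer (mirror everything into an internal Artifactory repository, scan the mirror, alert on new vulnerabilities) both come down to two checks on the lockfile that CI can run before a change is merged: which name@version entries did this change actually introduce, and did every one of them come through the mirror. The script below is an added example, not code from this thread or from Arm's tooling. It assumes the npm lockfileVersion 2/3 "packages" map, an internal registry URL, and an "already scanned" set standing in for a scanner's results store; the two lockfiles are constructed sample data.

```javascript
// Added example, not code from this thread or from Arm's tooling. Diffs two npm
// lockfiles (lockfileVersion 2/3 "packages" map) to list the transitive
// dependencies a change adds or drops, flags anything resolved outside the
// internal mirror, and gates intake on whether the new packages were scanned.
// All lockfile data is constructed; the mirror URL and the "already scanned"
// set are assumptions standing in for Artifactory and a scanner's results.
const INTERNAL_REGISTRY = "https://artifactory.example.internal/api/npm/npm-remote/"; // assumed

// Flatten the "packages" map into "name@version" -> metadata. Keys look like
// "node_modules/foo" or "node_modules/foo/node_modules/@scope/bar"; the name is
// whatever follows the last "node_modules/", so nested and scoped packages work.
// The "" key is the root project and is skipped.
function lockedPackages(lock) {
  const marker = "node_modules/";
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(`${name}@${meta.version}`, {
      name,
      version: meta.version,
      resolved: meta.resolved || null,
      integrity: meta.integrity || null,
    });
  }
  return out;
}

// "name@version" entries present only in the new lockfile, and only in the old one.
function diffLockfiles(oldLock, newLock) {
  const before = lockedPackages(oldLock);
  const after = lockedPackages(newLock);
  return {
    added: [...after.keys()].filter((k) => !before.has(k)).sort(),
    removed: [...before.keys()].filter((k) => !after.has(k)).sort(),
  };
}

// Entries whose tarball did not come from the mirror, or that carry no integrity
// hash: what a "builds must not reach external registries" rule has to catch.
function policyViolations(lock, registry = INTERNAL_REGISTRY) {
  const violations = [];
  for (const p of lockedPackages(lock).values()) {
    const key = `${p.name}@${p.version}`;
    if (!p.resolved || !p.resolved.startsWith(registry)) {
      violations.push(`${key}: resolved outside mirror (${p.resolved})`);
    } else if (!p.integrity) {
      violations.push(`${key}: missing integrity hash`);
    }
  }
  return violations.sort();
}

// Intake gate: allow the change only when the new lockfile has no policy
// violations and every newly added "name@version" is already in the scanned
// set; otherwise report what still has to be queued for scanning.
function intakeDecision(oldLock, newLock, scanned, registry = INTERNAL_REGISTRY) {
  const { added, removed } = diffLockfiles(oldLock, newLock);
  const violations = policyViolations(newLock, registry);
  const pendingScan = added.filter((k) => !scanned.has(k));
  const allowed = violations.length === 0 && pendingScan.length === 0;
  return { added, removed, violations, pendingScan, allowed };
}

// Constructed sample data (assumed, not a real project): a lockfile entry as the
// mirror would record it. The integrity value is a placeholder, not a real hash.
const mirrored = (name, version) => ({
  version,
  resolved: `${INTERNAL_REGISTRY}${name}/-/${name.split("/").pop()}-${version}.tgz`,
  integrity: `sha512-placeholder-${name}-${version}`,
});

// Before: an app on react 17, which pulls in three transitive packages.
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { react: "^17.0.2" } },
    "node_modules/react": mirrored("react", "17.0.2"),
    "node_modules/loose-envify": mirrored("loose-envify", "1.4.0"),
    "node_modules/js-tokens": mirrored("js-tokens", "4.0.0"),
    "node_modules/object-assign": mirrored("object-assign", "4.1.1"),
  },
};

// After: a "minor" bump to react 18 drops one transitive package, and a new
// (constructed) scoped package slipped in straight from the public registry.
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { react: "^18.2.0", "@acme/widget": "^2.0.0" } },
    "node_modules/react": mirrored("react", "18.2.0"),
    "node_modules/loose-envify": mirrored("loose-envify", "1.4.0"),
    "node_modules/js-tokens": mirrored("js-tokens", "4.0.0"),
    "node_modules/@acme/widget": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/@acme/widget/-/widget-2.0.0.tgz",
      integrity: "sha512-placeholder-@acme/widget-2.0.0",
    },
  },
};

// Stand-alone run: only react@18.2.0 has been scanned so far (assumed).
console.log(JSON.stringify(intakeDecision(OLD_LOCK, NEW_LOCK, new Set(["react@18.2.0"])), null, 2));
```

Run against the pull request's lockfile, `pendingScan` is the list to push onto the background scanning queue Steve asked about, and `violations` is what blocks the merge regardless of scan state, since a package that never went through the mirror was never scanned there either. The example only understands the lockfileVersion 2/3 "packages" map; lockfileVersion 1 nests a "dependencies" tree instead and would need a different flattening step. The scanner itself and the alerting on newly published vulnerabilities are, as in Sami's answer, the mirror's job and are not modelled here.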


Steve Kilbane
 

Thanks, Sami – that's helpful!

 

steve

 

From: main@... <main@...> On Behalf Of Sami Atabani
Sent: 17 March 2022 14:50
To: main@...
Subject: Re: [openchain] [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

 
