- {{ partial "under-construction-tmp" }} + {{ if not .Site.Params.ui.breadcrumb_disable }}{{ partial "breadcrumb.html" . }}{{ end }} {{ with .Params.Category}}
{{ upper . }}
{{ end }} {{ block "main" . }}{{ end }} From 32bdf9294ceddd09c70f9f63c11a28de679f04ef Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:00:07 -0700 Subject: [PATCH 27/47] Added maintainer guide as part of #1260 Signed-off-by: Eddie Knight --- project-resources/security-hygiene-guide.md | 240 ++++++++++++++++++++ 1 file changed, 240 insertions(+) create mode 100644 project-resources/security-hygiene-guide.md diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md new file mode 100644 index 000000000..5758bcfc3 --- /dev/null +++ b/project-resources/security-hygiene-guide.md 
@@ -0,0 +1,240 @@ +# Security Hygiene Guide for Project Maintainers + +> [!NOTE] +> This guide is under revision as part of [#1260](https://github.com/cncf/tag-security/issues/1260). It's contents are accurate, but are expected to be adapted or extended. + +## Introduction + +Tackling security requirements can be a daunting task, especially in the Cloud Native landscape. There are several resources available to assist the community in their security journey, such as the resources and publications by the CNCF Technical Advisory Group for Security, OpenSSF Best Practices Working Group, and many others. + +Security Guidelines for New Projects aims to provide recommendations for new projects to ensure they follow the minimum measures to secure their projects and build incrementally as their maturity grows. These security guidelines can be grouped into the following categories: + +1. Securing code repositories +2. Self assessment +3. SECURITY.md +4. Incident management +5. Badging + +![](../images/SecurityGuidelines.png) + +**Figure 1**. An overview of security guidelines for new projects + +These guidelines are heavily influenced by the contributions of the CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper[[2]] and the tooling for these guidelines can be referred to in the CNCF Cloud Native Security Map[[3]]. + +**Note** + +This paper refers to GitHub as the source code management repository due to its popularity in the Open Source ecosystem, however the same guidelines are applicable to any other source code management service as well. 
+ +## Goals + +This guide aims to outline the minimal security measures for sandbox or early maturity CNCF projects to ensure security measures are included as early as possible for the development and source code management of the project while increasing their awareness of resources to iteratively build secure practices as they enhance the maturity of the project. + +## 1. Securing Code Repository + +The foundation of a project is its source code and it is essential to ensure the integrity of the source code. Source code repositories such as GitHub allow contributions from numerous members from all across the world in a single repository which is a boon in itself, however if not leveraged securely, it can be a bane. The key to doing so is protecting the repository where the source code lies and introducing changes to the repository in a controlled and secure manner. + +This section outlines several measures that can be taken to ensure authorized members have access to the code repository, changes are suggested, suggested changes are reviewed, and changes are introduced to the repository in a secure and controlled manner. + +It should be noted that secure device management is assumed - if you have a remote access trojan on your laptop, many of these countermeasures are subverted. + +## 1.1 Access management + +### Enable Role Based Access Control (RBAC) + +Define roles and associated access controls based upon the different personas interacting with the code repositories. The roles should be assigned following least privilege on a need-to know basis based on their assigned responsibilities. For example, GitHub provides roles such as Owner, Maintainer, Developer, Reviewer, Approver, and Guest. Each role should then be given fine-grained permissions with regards to repository access control. 
+ +### Strong Authentication mechanisms + +Strong authentication mechanisms are key to ensure accounts are not susceptible to several attacks including but not limited to account takeover. We highly recommend the use of password-protected SSH keys or a personal access token (PAT). + +However, for certain non-code intensive projects which specifically require accommodation that cannot be made possible using recommended methods (such as access to Github.com via browser), we recommend the use of unique and complex passwords (complexity in terms of a combination of alphanumeric, special characters as well as length). For details regarding configuring an authentication mechanism for GitHub, please refer to GitHub's documentation [GitHub Docs - About authentication to GitHub](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github). + +### Two Factor Authentication/Multi-factor Authentication + +Introducing an additional factor such as "something you have" or "somewhere you are" in the authentication process proves to be of higher effectiveness than relying on one factor "something you know" such as passwords. It is required to configure two factor or multi-factor authentication for your accounts, especially for any privileged accounts. For details regarding configuring a 2FA for GitHub, please refer to GitHub's documentation [GitHub Docs - Securing your account with two-factor authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa). + +## 1.2 Branch protection + +Branches in a source code repository provide a constrained area to develop features without affecting the other areas of the project. There will be certain branches which ought to be protected from unintended changes which impair code integrity. This is where branch protection helps. 
+ +Branch protection provides functionality that allows a policy based approach to protecting particular branches. Policies such as who can make changes to certain branches, whether push/force push are permitted, merges with/without certain checks are permitted, whether delete operations are permitted and so on should be reviewed and configured based on the requirements of the project. For details regarding configuring protected branches for GitHub, please refer to GitHub's documentation [GitHub Docs - About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches). + +We recommend that any change to the repository should be introduced as part of a pull request and should go through a review process prior to merging. At least two individuals, of which one should have write access to the branch (preferably maintainers), and both of whom are independent of the request must review and approve the request and then the change is to be merged to the project. For projects with small teams where requiring two reviewers is not feasible, it is sufficient to require only a single reviewer. For projects that have a large codebase, the implementation of Code Owners (e.g. via GitHub CODEOWNERS file) is recommended to automatically request reviews to maintainers that are responsible for specific sub-modules or features. For details regarding pull request reviews for GitHub, please refer to GitHub's documentation [GitHub Docs - About pull request reviews](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews) + +## 1.3 Managing Contributions + +### Issue template + +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. 
GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](https://github.com/cncf/tag-security/blob/main/project-resources/templates/ISSUE_TEMPLATE.md). + +### Commit signing + +Any code committed to the source code repository associated with the project is recommended to be signed to help ensure the integrity of the code and establish identity of the author(s). Git inspired SCMs like [Github](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits), [Gitlab](https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/), and [Bitbucket](https://confluence.atlassian.com/bitbucketserver/using-gpg-keys-913477014.html) all provide different mechanisms to sign & enforce git commits. + +As the security maturity increases, it is a recommended security practice to store the private signing keys on a hardware token (HSMs or YubiKeys) and the adoption of secure key distribution method(s) is encouraged. + +### Secret scanning (recommended) + +It is critical to ensure no sensitive information is exposed as part of the source code, the documentation or any configuration in the source code repository. It may sometimes accidentally escape even the vigilant eyes of the contributor and reviewers, hence we recommend automating this activity and implementing secret scanning as part of the continuous integration process in the source code repository. + +There are several tools and projects aimed at providing secret scanning services, including but not limited to the ones mentioned in the section "Develop" of the Cloud Native Security Map[[3]]. 
GitHub also provides its own secret scanning service, you can find more details of this service at [GitHub Docs - Keeping secrets secure with secret scanning](https://docs.github.com/en/code-security/secret-scanning) + +### Code scanning (recommended) + +Code scanning is an automated security test to identify vulnerabilities and errors in the source code without actually compiling or executing the code. This is a key testing strategy to shift security testing left and we recommend configuring code scanning and utilizing its insights in your projects. There are several tools (both commercial and open source) available to perform the code scanning or an array of languages and technologies. GitHub also provides code scanning functionalities, which can be seen in their documentation - [GitHub Docs - Automatically scanning your code for vulnerabilities and errors](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors). + +In addition to scanning your code for identifying vulnerabilities and errors, managing the vulnerabilities dependencies is also important. [Dependabot](https://github.com/dependabot) is one tool that helps in managing vulnerabilities in dependencies by automatically raising a pull request to update vulnerable versions to secure versions of that dependency. These pull requests can be then analyzed, and further action can be taken. Further details of Dependabot and configuring it in your project code repository can be found at [GitHub Docs - Automatically updating dependencies with known vulnerabilities with Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates). 
+ +For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) + +## 2. Self-assessment + +CNCF Technical Advisory Group for Security states that the self-assessment is the initial document for projects to begin thinking about the security of their project, determining gaps in their security, and preparing any security documentation for their users. + +A security self-assessment is a great start for a new project to think ahead about the security measures that are important for the project, and also to understand the gaps in the current implementation in a proactive manner, and plan for mitigating them. + +Self-assessment dives into the following aspects of the project to understand the current maturity and the gaps in security implementation or the documentation aspects. + +1. Background and overview of the project +2. Project architecture +3. Project metadata +4. Goals and Non-goals +5. Actors and Actions +6. Compliance and Regulatory requirements +7. Secure development practices +8. Resolving security issues + +A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. 
As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](https://github.com/cncf/tag-security/tree/main/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. + +## 3. SECURITY.md + +Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). + +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](https://github.com/cncf/tag-security/tree/main/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. + +Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. 
It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. + +## 3.1 Security considerations + +This document is an outcome of the self-assessment which articulates all the measures taken in the project to tackle the security goals of the project, including but not limited to ensuring its confidentiality, integrity and availability - as well as compliance with any laws or regulations. This may also be the place for security bulletins and to list out the known vulnerabilities and patches available to mitigate them. + +## 3.2 Security contacts + +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY_CONTACTS.md) + +**NOTE** + +CNCF could help create a mailing address (through service desk ticket) should projects need one to assist with managing their security reporting or reporting. + +## 3.3 Report vulnerabilities + +Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. 
+ +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md#reporting-a-vulnerability): + +1. The medium to report vulnerabilities - Email, Web form etc. +2. Disclosure timeline +3. Point of contact or mailbox (if any) +4. Bug bounty programs (if any) + +In addition to the vulnerability reporting policy, the defined process or co-ordinate the disclosure in a secure manner is highly recommended. There are several methods to accomplish this including encrypting vulnerability reports with GPG keys among others, and projects could leverage them based on their need. + +GitHub provides an easy to use, established platform to coordinate the vulnerability disclosure between the maintainers and the reporter in a private manner. Further information on the coordinated disclosure of security vulnerabilities in Github is available at [GitHub Docs - About coordinated disclosure of security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities). + +## 3.4 Embargo Policy + +The vulnerabilities reported to the project are then handled by the security point of contact(s) and the rest of the stakeholders of the project. It is important to define a policy the stakeholders need to abide by in order to restrict the unauthorized disclosure of vulnerabilities. An Embargo policy is created for this purpose and at a minimum it should include: + +1. The stakeholders - security contacts, project maintainers and any others +2. What is covered under this policy +3. What is unacceptable or acceptable behavior +4. Medium to report violations of the policy (accidental or otherwise) +5. The consequences of any violations +6. 
Disclosure timeline + +A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo-policy.md) + +## 3.5 Security notifications + +The vulnerabilities may need to be reported to certain stakeholders, and for this purpose, an embargo notification template can be utilized. The embargo notification at the minimum should include the information stated below: + +1. Purpose of the notification +2. Summary of the notification +3. Vulnerability name along with Common Vulnerability Enumeration (CVE), if any +4. Affected versions of the project +5. Severity of the vulnerability +6. Proof of Concept +7. Mitigation or Remediation for the vulnerability along with the fixed versions +8. Timeline of events associated with this notification +9. Any additional information relevant for this notification + +A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo.md) + +## 4. Incident Response + +Incident response defines the processes that aid in solving a security issue. This issue may be an internal finding or one that was reported by an external party, in which case it includes the processes between the vulnerability reporting and embargo notification. + +Incidence response primarily states how the vulnerability is triaged, replicated, and notified. The incident response process should include the following at a minimum: + +1. Identification of the security issue or an incident + 1. What are the affected components? + 2. What type of an issue is it? + 3. How complex is this issue? + 4. How severe is the impact? + 5. What use of interaction and privilege is needed? + 6. Is there an exploit available? +2. Acknowledge the receipt of this problem +3. How can the issue be reproduced or replicated? + 1. 
If a CVE is already present, request the CVE +4. Patch publication and Notification + +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](https://github.com/cncf/tag-security/blob/main/project-resources/templates/incident-response.md) + +## 5. OpenSSF best practices badging + +The [Open Source Security Foundation (OpenSSF)](https://openssf.org/) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices[[5]]. This initiative allows projects to voluntarily self-certify, at no cost, by using their web application[[5]] to explain how they follow each best practice. These badges are a great way to showcase the efforts towards securing the project. + +The criteria of best practices badging is defined at [Badging Criteria - BadgeApp](https://bestpractices.coreinfrastructure.org/en/criteria/0). We recommend that all projects obtain a best practices badge and that projects determine the desired badging level early in the development cycle and include it in the project milestones, to ensure efforts towards security as accounted for, managed and tracked. As adoption increases and the project becomes more critical, also consider increasing the badging level. As an example of defining this activity, you could consider passing a bronze/silver badging level prior to the "x" release of the project and aim to attain gold badging level within a defined timeframe. + +## 6. OpenSSF Security Scorecards + +The [OpenSSF Scorecards](https://securityscorecards.dev/) project helps quickly assess your project for risky practices. You can run the tool via the CLI manually or integrate it into your build [via a GitHub Action](https://securityscorecards.dev/#using-the-github-action). 
There are a variety of checks that are executed by default and the tool is even extensible to allow you to add your own checks. The CNCF highly recommends that projects enable this tool by default and it is integrated into CNCF onboarding tools such as [CLOMonitor](https://clomonitor.io/) or external tools such as deps.dev and more. + +## References + +1. [CNCF Cloud Native Security Whitepaper][1] +2. [CNCF Software Supply Chain Best Practices Whitepaper][2] +3. [CNCF Cloud Native Security Map][3] +4. [OpenSSF Badge program][4] +5. [CNCF TAG Security Publications][5] +6. [OpenSSF Scorecards][6] +7. [CLOMonitor][7] + +## Contributors + +- Ragashree M C +- Chris Aniszczyk + +## Reviewers + +- Andrew Martin (CNCF TAG Security Co-Chair) +- Brandon Lum (CNCF TAG Security Co-Chair) +- Emily Fox (CNCF TOC Security Liaison) +- Justin Cormack (CNCF TOC Security Liaison) +- Faisal Razzak +- Justin Cappos +- Marco De Benedictis +- Sergey Pronin +- Shlomo Zalman Heigh + +## Acknowledgements + +This paper is influenced by the publications of CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper,[[2]] and CNCF Cloud Native Security Map[[3]], programs and initiatives by OpenSSF[[4]] [[6]]. Our sincere gratitude for the contributors of these programs and publications, and to Emily Fox for suggesting the creation of this paper, to the contributors and reviewers of this paper. + +[1]: https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md +[2]: https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf +[3]: https://cnsmap.github.io/ +[4]: https://bestpractices.coreinfrastructure.org/en +[5]: https://github.com/cncf/tag-security/blob/main/PUBLICATIONS.md +[6]: https://securityscorecards.dev/ +[7]: https://clomonitor.io/ 
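Review bot: the figure embed `![](../images/SecurityGuidelines.png)` in the Introduction resolves outside project-resources/, but this commit only adds project-resources/security-hygiene-guide.md, so the image will not render at that path; the follow-up commit adds project-resources/SecurityGuidelines.png, which suggests the reference should point at the sibling file instead. The citations in section 5 also need attention: "follow best practices[[5]]" and "using their web application[[5]]" cite [5] (CNCF TAG Security Publications) where [4] (OpenSSF Badge program) is clearly meant, and [7] CLOMonitor is listed under References but never cited in the body. The RBAC paragraph states that "GitHub provides roles such as Owner, Maintainer, Developer, Reviewer, Approver, and Guest", which does not match GitHub's documented repository roles (Read, Triage, Write, Maintain, Admin); either present these as generic example personas or align them with GitHub's docs. Minor wording to fix before merge: "It's contents" in the NOTE should be "Its contents", "Resouces" is misspelled in every "CNCF TAG Security Project Resouces" link text, "the defined process or co-ordinate the disclosure" should read "a defined process to coordinate the disclosure", "code scanning or an array of languages" should be "for an array of languages", and several link-terminated sentences (pull request reviews, secret scanning, security contacts, embargo policy, incident response) are missing a closing period.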
From 069eb66973acbd563f1957ca7ae399c804ace42d Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:29:09 -0700 Subject: [PATCH 28/47] Added guidelines image to project resources Signed-off-by: Eddie Knight --- project-resources/SecurityGuidelines.png | Bin 0 -> 38180 bytes project-resources/security-hygiene-guide.md | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 project-resources/SecurityGuidelines.png 
diff --git a/project-resources/SecurityGuidelines.png b/project-resources/SecurityGuidelines.png new file mode 100644 index 0000000000000000000000000000000000000000..bbe8bca6286f92b6e3a98741fcb0a91ab984d989 GIT binary patch literal 38180
z+EFu9nTLhrD+*O7LV@KeZ(+iD1gJVhU<*}+w>7;)+y1i+%AYEgAs028|G>vfYnV;r z;JarPmwp%-*D?Pq$>aAD0(zknP8G3y%Y;;)m%N|-80?4mFMjJ8=3;s;GBA<2(C6|i ziAMGJpIxztVmU8ux*5Oy2Gz{TZkJpomPI!L5XYBETQ=Unr$KLTq6Gv(unOdU-u&R( zY~aMNO6-m*V4T5&u*Me(*UZK;|WknPs%%)m*i%55Gm->W-!bbH8%%j31D*pUu?FSB(~ zJIX5`LH9EHJn07?P($u^@E8jmM`cRZ@y;!vgQa25GxG$=p11CA)!IzAxu|;zL+qzf zu*bZD{X_^*%=%p}bd}S3d7;tY)(wztEINKMvyeAu7E>ccTP*cX5nUJ(zE8$NJpmpz zR?c2qBKs8Tw(=O;n|DmN+1w`L2jS^kfsTZpk4zmQy3+UtmQXHPwc)=MrV%w`r;JIj z^_oYi?{9CDC0$hSd2d_^gx_w06LW}N5~0rh5QC{yMYwUrxV-iEkT5?mlkeek>ke2? zIWW4AU=Z%ti4O;^KDE1sKRfM67M-6dNpctsfbOD($hUFz6K{mCT;UT=H97L8pDe(a zu%3lYs?s8?KKXkZ7tIr5X;{Pu_oKBIy!ejKF~-rV13=zDoT9)IsB(-2Td(T=H1C_9 z`JWi7>hRT3UUd8ZUm*|cI6Fk*d}ks=APx4^t*iROHUBhYVyEn`(#8btL@SW<8nblkf+U-~@D#H#+ zs4Cp_EdqW|0C%cN*ypId=9Y|OLfRR}wtPYJTGp!be}SL#;Ip)R;8xotMb$6qiP*cW zzWv+^#!&vJT0Gp4+s8ZhtmxjSz9a8C?VUZR<3n-#2W3kcs%33iik-9pymatLi+Mw7 z3Kws*?U=jfYE2~G2b5i z7=%yK%~%1}AJfi^O7jj74Oaftg8B`}zY$TKe?}>QY7T+f@*Q;GA&@{MJQlt6ruF!9 zHU}yc6`K7MKK3tF7&aosc9y6@ID;@H;^ct%BFy_ueZ97>=nhiOde364Yy7dCB;TI+ z3Dp>BrSE1G*l$wQC*SfU<8(A7cSJOMuzdPaCcCX?H$|Im?w_rEmDsty@Mb2g;)WkdG=81V=ho!HJfO!R60I zXG-)EC>CY`3bg9qal5)MnYA^mhh3fzRfpk!GU~>J@W$Ao4qN>586^fLl!PVJD)Kp3 z7jsC-x4lN!i$^fnAS?OJu}vh%{C>EVapnuszB6B&tE;btpOXd5aJ=(mp!;dXSVtB! zW`Ms+J?C)xX)MR20yt$y$+}Bh)L)n44YNM0&>oAeP72yvB@VFoNo=g6UNLPj^i%P! 
zNnJ-L2&nYTpjKK~qgYt!>Kc-l5>Ld`C&i92N5~GFh-C{LR;UGX;s9S(E*OSLGogTi z$7?PZ?A~U;W3xUGKtRzY#EL!vjyAHQ)P~K5@)Z0C(h!d(`x4JtaP@#Prp0w(s-G7L ze);*%@%Jn!hJE3jIm0O9qnV4%^Pz}u(SNxyr3lk0a2ltQ(&{vbu(mNahnPnL1`B=B zpls#ul>y`*PrDn?jhmdFM*B~`4Sesq2*bC21$ao`@B~1kpv3AS0`8(oba>^7%=tW_ z*wF}<4YEvJ1NtY4uIJdti?@rcSa3mYLF36$hkC2OU-1vto?$9{(KQbeW7OWxD0MX0 z^-;UOzDM!Lwkjs;be0FX`Xr89r>xgBMu8okIn)H{CR=>OHm;U$Jfu|@isd0fi%aBQ z6nk&Gz(>2w+>ZVxlIh?Tqhmc8^$E^C^0hzmEZ<#-T_$+Xh}DnQF0*a~e>2l%_kDK% zQxWqExRE(4O|VPEn1b4!wa97eAsh60jgEf0{{>1wwZDGKoOwRmr0j6c5oZSkn4WCf*Dz55t)EU%X{%8w2ufDa{{_rjBRmz9# zKH6_S7=v2ux30JuIK_Y6>R?F8cZonxs9+;T^JCvpzY#^BUnM7J+*3S{$gS0yWMMta zM`Jzv{3KGYEkrj#GdT|%ILdLKhyH`+6Bl7U_1sdpC|rc9tnL zNhs_Ho!_9MZ4I%j%CLH!6Y>tFT7eBhL&!5dlhF6H52$b>2im;<{yFOhvX@|;{Q2JX zY1T<>jfaWDP?Rio_-9u9*PmCUX8*{K%R?`X;VjW6HI&x*=*Ys?Kj*`)uioUKi>4dO zwcBtPp)Cxo=O5mClCc>utT<{2s13TQ4#3oWH_@x$Pp>M^Xw}bqxZ{!~Cs|!$3P#D&8L;KLZ8mbL7Nu{<+#5)1B#bF zqoSYL{OxKs{cy#dPBdC8eftag`XkFs)DfkBLO&fez{C@qbOrXxQts&EkJkg?*w3vX ziha>gRdwfL{MwGXui=2Q+^k1Le@M>JZ+ z7g>X5@Q<#bpZvAG>ZcEzr_YTZWJi1vy}d`#&$G~OD8 zG}qBn6=Pf^N0iw5Z?JaNQwcp2?h2`At&|TP@PD%hdA)jX3{omgtml6ixPQi`@DZ%% ztGF|Q@%8MV3FKz2kOzgOt4WuYJ7t|QwB3lcZMuF06J)2JIy!_SI)9-mum&I6*`n=o z{Jj`2J$-(i1;{O!F9*^yma72M>d(c{VX#L9r zzoo_6mQ(!wlV3Mb3D2!6S5j?A3|}&5)|@3hnFbq2kh4DWqxSu?f(-ZUvhm#EDY(y; zpK@SVKM{}^e{`N&$7!;R5i3Gg)`aMrmAk21t$Ge_>l+e!NDj1w=rg)zTgyH~!#-&DJc*yJ*hX6Z47L zH}yG3_l?4>TZgTex8a)EX%Th;byof}Mg&x59Ns?;zqaW-et57+5?PDuhlU&SHq|y# z1O3Ar2zN?k!W3=U9!Y3~+UE@X@(OC$&k8Tov)B!Eb=JIDcHiC`E9-+;BpR!x0s3#g zTg*Xs6tI;fDbbt_>(E7I+^(HN+ts{LZ$i)ANIkP6zs$g2w-&?X%||o7p0}X~dNs|Q z_gLTEbVMw2A)F|Q&D%S*ocFP?lh*s(iHb@VX0R9~4{ft~fOr@>+~YEON9dWzTDb`8 zSuy^{uGUh}=`%vNS#l@cyI?)rF|a*=^?Vd<$Hs1a-=2Z>^Pm4lq_z1$O`NiMORk0n z**aT%j?v^%gGwS=H?Z|5|C8 z`(>zhhe)zM)gS45XaZHNJ0lB|bgAO+GY+9QFTf>ID{96ee>=zUk%oSc4uqm9 zt-@~}PA;-h3r77xCmQvFCT~$USb*|wo%Vbv-Sk~i8_-QdJz+v|ad3rQ>nkw)&~lmx_LD6Ne4O#V-Q#E`#b*RG5M0VZQ}^Nl*XOhY?B)yu)(zn8Ch`P+~`r zeu%JZV48~!^9|?%lMFP#zRW?;3_+j1Cj1C43u5}uVu{`eYe$=UumxSDN`E!thrYav 
z$@;LLa`ftn%!3j?weCnepksAhq*Vo-A3Sz`=HYuzrLDgM>4dkvlKwt?yB6-6H-zNp z`AvrQp7uP()=>Ti13ltS5d8pabJ*(E&L49h^aY#epWa??i=THX?PI2WbFrOo3L;lZ z%3XN>@x=_T%s>7Xpmfov1*qNjG6k`jKJPz7tl+BOch?8`YrZW(c2`^~5rR`4GE?k5 zZ*OS9KhRlr%hhfawsyovoc46zYYCvc{=wr#ilDIS&Z%~z4mN?s{}A(8oz6_b{_Vb} zM>UA?=5!N~UiD9N=y84o1NvXU4))OV{jmvn&S`y%&8zqWlmBT99M4tS@8(ak7M-R_ ze>Y-17Hyf|v7S*{C2;yJuQ7hUD#Rx)ZouR-TUrJqC&6GUQKqMumaY=t=u*X*!xHNS!S4Nuu8KwBvx+Jz8MHs*$A7+RW zZZ}H?pJQ!D_Sm2#&NF!UER%>UWAcdS^6-aeQ=wx2X_(Sd0x_ZmgYKYm`%=@;{1(Pp zs1B>wXlQ8u4KzK!^)IqDX=rF@XlQ6?XlQ8u?Qlh_+TuoS);KCp1^}Z;yT2@R6+`qd z8nUCIX%MR21-K2c>G=mvS2lF295HD9Ikt3@Y?WAQ!I1C~X*YR#m)a+Br#SrfJS~kt zVbp)lo2C*AfAH7O3WPbRIPne2th|P~cTrrao)zx|jiQP|Msm+rgwS^CsCpdGQ;-@y zvSHC1G!;-S&1+T{x^DjMP)TNMDlp{V3AbxYXg{$7?&>BGVT`QS=G8rG8&grD4OB z!Q?jb9MrHi$K{xd{7gICM1GP0JcB0ud`dh6QOi#;SkF8|T_sgXP&4I#qyjMX`SFzM zMye_b^gplvgQV3G0zg3zWY><)CDxvpz8jhj#i(vwGzOBcz#l^-$3*R z{$V@)Yr_dN!vpuFqgV5H<)MV(z}}Ja6XoC01@r9N|78D+9}kk}vk=PqM+Q{Rzy0y~ zUEXqN=TY$E?L|$P{`$J_%U&ZlCMdFL$-h7Ng>VJ%ZBH z9Q2UTQHUZ;aF34horisC%R5o`4}FYM0_!Ky;eG)dSUVrJhdu5C&qqC<$^@m|K`}3% z`_`Put$whM6Klf7i7CT2>yOPNIt;PFyZ7{B%FVGA2dQZ@q(mo-(BCps)OfO?+WxO! z507fMh)AB-b!GiN4cEYkACCUlz|?8>hm4L9g`fCqocSSG{96{^sum&FIf+nX7Ut1? 
z7%)4iBzrrvZ1jbC5_O{Ds0@R_XxR)Hk9HF|Ovw}cyMGP(St#$iFZz~w;RSlZ6L)YJ zJvjs|f_C4~yNkZaM@io2T2y;uz;ZuoO|U~@mCwr^+DMwML$BN z^%L{#{L!~1+$b~-+)!R_7W&YRvGu3R`ETeYf9<|tVeCL@Q^;YsiEj!&e(`7m(kDM6 z^rlPG{3HWtmYLO5B`C)m1*>f@-q5=c{rv8=H0!M~NVpN{0)8Le3qe8GafA8yAb%h< zq-6DegDF0UZVnvi_R>=dhNXP=l~9gjybuf8SrfX*+%BdRXbaBXR*|z z7gihh6IQ1AmSdy%!JzUB&n(AHafh9U2Vp52tv^3kR(2Y$Cf!D{)kk!&n3B5KExr`c}rg0rcWSWE6NtX@h zEF~{I+H$%*j11hjKV~+2$%}R8M{w8stvgRH%Fw%6;Id6_c%Jv!fZ!%z_2Ssh@C`(D zymV%G_V2JPP!wFrz~x*hQzYLtQ-+CyGqmRT>|=F8o;gQf4Ij&{8CObpD^s@enQ zH<4X@-{VyKDizJqsF0*V0O)4FHwS~vcg>;AySx^lz1lS}8=VBRuMs+6@GhejnC|up z{fIWetU`}zkI@_~+}xGW6WnUqZm|cLQ=xtPF7P`mSf_4zeJnTePqw~~z z2!J^#Y4d*1?=hAj(q;M15VV({#G%LMDB0eH_nMAG&TLUa&kuk$B^lVKcIp||- z;9RYb_o0|Z4ZOA8vYp5{r?YVDa1n_S*o*Ac7Yuv0*@mlc$E{oV-KCbT3V_mBRZyS5 zccwBxUrPXkQPSeQo6lJ)Fbi4SWYzA0_+OHnv2(I4ZwPL3Oonk~`!!!Pi3?3v z?{4V+1y!-am#q-G3e=Nu9b*{0UP-KZc)kl@Q<%;}?2xggo?k1mxXt2w0Ze{B5sXr2 zu^yZQn2|ylYbpuru#CjL_XDhtlG`4k1nQb5@l)`R<<4tgxQ79}d#3@O?g1E`ZVoFV ze%t^41-VN}`&K=Dyb&CcxzO|o*^K!^9aMyl@U$sSiy&ryb8{65`8 zFY(*$9ih0sj>=8XPu`~h%Tf659oyITVb4Z)*n|}humhcgW9a$TU0YXn#RvNsumYXp zZ6I>w35q$$8UGe9(MGYOUvhk2qh0t7Hv@F}7$c<~kFrtHP>|s3c^1G0v>Mi@P=b+-()%ZoSF6h#{<=;h}=S;1EJ?8Z{Iaj4n3F%D~UWWN!tVagIs$s3mTTHkcZ9Hxr4_^qf*CQ_nOwkNk0k9}k!6-I3 zVmHsi!~R&(8Y7;0A;?Gye1^OM{|2TulqQ%*e@=qJkOL9GQ&@Im3-f`m67O~hT-{;Ef5@(L> zp*#No(*?_2CTN|Q)8U5y4=Z!ar$ zh)F$PfMq4==6CY-{Ez5LbYDhb!wGYU-5|s~(aO$05?e?e#3uG;bej#f#o-F$KV6PyYhQrv?WXTYJrh|{ z2|c&T%F)BM$mz?CxYzX??bm+%_D&~I_T4WfdE8H8U#NyiYh|NEtmpG?Fr;XoiiC>) zPD#lN&xt{Q)^#s7+_UE$3DIM=dc6sroMOQE)Fv{iK1R}l8|s%mo$rmCk82LfB5M*2 zC#H1Z80l*VEhF`8ka1UAigo*@g2<*s0mdKju}BYgyb<=HEii2EM-2hiuqR>Nnx&ka zFk^CeF0{M&Y7qlE*~iZyD_w^~>=DcgQU@vTHZHAr$T?9`yLMJu)_aA zu!E|$b8-A_W5#CRn*pl@G*hmhU)Tkj_u(Aev9>`;#$ZyIW7-d8 zY&uIMz1@Qn{oSt(W2pO}XS??KErkWhi36*MbZ`5x+ia5b(`nmbpV6=v9bv*6bb&n# z6+fRNs7kZ|CCyuM554U)5GA!95QBYIo5JGV8`DsP@;u~waPy4TARdlJ!xJK}nmt;k z7n65>*YZI^Nz@{~YMiRvxF6ZA`V_}&14v1;jv`k>rRi-n-xtr;IfpWuDTkpR_`*Zz 
zC^UOhJX(PZQ-6L(cJ&-ikeCql#LVY`^UTybE(xXu*=>4+1OAsg`{B5Wyau!JdM z$vXIv1K1WBW3Zk>G(pO5HOGU{Ejj)zDh@KiCpm%GNCz(aY=8o&D5*tk21REl(XMgW zYZ1L?2TTt_gB@Z$9`R>J8-md*!u7%|K)W;~4FXq+D*Eh&?#;Mu(q^+Q)&huasXb~8s$6B2BHuO~RHfS3CR10(i{R}w=GP8aEiJrq=UliaN zP@LNh%%@e&C(_{QceI&}i8$6r}WJy!<=@?tGaIaOul3?wOx& zQ{NSy6-ET8gcr()N8k3d#BZZ_k6g01fn_4fNGTf4xQBk^e)##`R5gLfWDTd#X^`|p z#h%SUI}ZJgscVrK`^dw!R+j^9{RW9V-FHP=^IKn>%GJS59pRpeHt%kU z9aG6>%J`@fvmO@s7nCu<4uO=3G6O`~bf_td+HaxQf5@=meTm2nwHaG& zbVp%VNP5`1!4f@&OaD{6P|ols`UiSXR)?-L^|9SML%&UDuR4PNQhX97-0#V_K|iblZ(Tl2r1wwDf-}}vw+qw$n408p6H}E19NbZgkPkD(33o$G3m-6# zppz9N7wSsuXGiB>PVU3pn6%z@$8;F>)^6d0p}gC%D=ri`!}#~O!D8=9ST%9?6uvdz zA~y%u#KCXuX59;H3JbHhZhe)lr<^W;j;0j#TNmda&R77GQuj<)zf!_1>CU|Ci#S^{ z*B{LfmNQ8rM(<{&?U=A`g%D#-_~9NUqci+(mhanDXAzbNfvMy+82ZV(r4(PRgQf|iaR2N=oN8p)!ye~+&a@|U82(kT#wVb+Uq2q^ z2YHsDd*^4-TlCzfgtWV0p_q<_fO)kTVjRtu90h1CAU+9z5;jQN&Zv%9=)Wr zG!z@PDn9oun~!R*8*{Y9%EA?(80FYeqSxzH#_enyJ~8&2C>om@33~Qh5HOmLTQt2L zKlrB%dFwd~2AAwj^XKW|bE4iUWh50z*BGRg$**5hfoP<-L=rq;a`+9Fv~o#As8%#F z6ow541-_bOxxi)uM{tAN1ma5ku2)={bg0A>iT7g2v4O*2aQW?ugt8DP7a9k}o`P`~ z+c^dYyNqB@xJ-;EnBDeuf6$9LF2McN#WBE`mhjXFCc3*nJ55LV|C1T122EoybW0*++AJ&GMMqk%^2nv4Hh&bP!|bYFub%um^T0Hz zI9*oD=r#2M)LktX)BL}{=&)xTe+~413dRP1S2v%Mt;u9{%K}Ijq>x*OF;BXJoLfoU z%Jej1n^Ka=zLg`9*An~oVOB<#tRF9dp;?*`==U(*b!$)M$!^X+=gL&c8Fc8%jv5Ak z#An%G8q5L3mDf-8WN=0wJA87R0Me!Kq#HJ?${RmjU<)H?D#6yQ%a3Co?XilAIr%Ta zd+9xB(D0H?-NrsBn_rm2PqN22=ECCiE78=HxYEo`h65|lMYOWwH+TzzE9)8l*+Lb5 z52NSL_Bw5>)TeUzv4tdJCsHpS^GdCDR#)U;{E=%nHN|g+?z?r4qY@B!;5dJ!dqWTz zeLKiwWkZ5`HPSv2OEm-wL%fkj&&v?wf!x3yr2od%#hAgmNWszk*6$HXWUg=tXb9^CWW+}xRAf6m}X}Y zurxMbHJ+HC>%M-T5g4^+0rXsJv(irqSbf&bR0rs!*J1TAE^AoA%f&>5!SAvxK?_9H zaosTJMeaT>-@P3hIG1h$==1j-o%LZffW*}leNYw`>q@pdQe8UXUrI@u-M$4ti{xnl zY9c*ydILk9p%W>P6$$gcehE%S4M{twnej#NdKSN0Ir^6?BaC5grc8;Q%ClPsZIddl zJ`$0^p3SOrHN+^eWCS%W!!T1ao@q^ZQU;SJ8R9#`8B;WQQ}a&`R+R4~222YB&^I)m z(F~yZjFBbnuXz92-C5B3VT>(NrS!VsMo_(r7|4yBX^9`~h%2pu1xvb>@+7NYUA@M@ zpd?;Gp?{0t{{+0}XT`;NAhOl(q(kd2QTZ-QCD-_#_IYLmw&^|&p`oU5jq! 
z1jMdjL(>}`FD|OWJo`ibu}eTZ{w&c9w|!5>S7?U`BGyMS`p0_BRtt!bJ+3bQ%U3fb z%x8ui53~rELsXxN3y?P?gAp_h2~&q5D-P<)`15MZ$|e^GB!x`{M3$1PpUctRUKo+C z(icmzl5ppagtiG4bCh(sDh)7fehsFA`sMCasiCkgKfdewY8@NK1U+>R9srguH=PzJ z-uNDKt?7UuV-S6?4(9v2L{5N-epjD5@a;1FTYe9t4ocd-`RF|i9}Z2xD&FiQW$NPn zFlH?n22KH3_dueR|J_#ye&46kTWzl}Y23FthC-~Id1IHE4u_goIk zNx#|(a#FB3z=*?bsRO#N7J_ZTdU@TjQ``ejK_YS)*abCUfH~#XU|m?;Np&bfO$@JxqYxbHHQH0h%W z+>yD*Ev3YDWv!bsl;pr7s+Xya25#k=a)8}LUUuil$*ozk%D7G{_Uf-gJd0~;LsVj| zK|P4jDBw)UJJ=q3u0{j9HZ;(X>73b5ZADHC&4dGL8kYkk_D5>TsIkrB=c#cgrJ3Ts zYB#J#t97NDM=q2$ez}i$3gbkixzeb2lO&J$8xd;JjNT54!8@3D+;x=~q<1t-o(Hhc zU()=?J!7TcHg1~xc%OY<)1L1z47ae>8*BVcoX_y}JUy7GZQUlsm*+aNtN*0`MUOFb^iIe+)1UkidM%62e|eDE~#WjmPRqXzP>Gb|&EqECpdza<9k+=BuG`-6$k1-Doa1L*4f z%nkcKxO;w5l=P?>dts9FP0n&Tl#mN!g8?QS~TnyV=H@0Pop0 z*!U7#PNQ?zkDnHHk7(yK!dK$2@5ve1k6}TY7RBgf)S7*o^dDTHhhFG=9BX^aS0X1VT z$TlYj=hT~uT|Z9hS?R2wArBY^&GD6N8K#y&-L%bnevE&=FwoBe7QN5_&XSiW52Y`G zSz(F*TYMEsJuk(k!kxs0Oxq}35OpQ;Ho){qtmm^V=n>apXbkDiVmOk{u*~srzhFi)xvK$Y(p$3HGoBxSQPG`YFs?5#N0mB^6`7mV zQ?eod?ZEV@@=cnL8JZ?c#kbe5 zbGP~M8W*&(K|X_h;qbk{z(7lr-Js9KiR_U zj{$w9cl!B0>Is^McX>UoTQ@|FhvDy4B={`MjZy)sXkKK3HR(BCo+$F+^AefZOA2N5ruRc7c3F97>ZsqqN z8dR`)-ENl~X(NwJA`|a&E}ou}(T6C3`281zld~|d4V-?2H5;{}X)@nA+v_X_O;X6b zjJ!ayF;RTANG*iQ645}6cfCSrv7#R$JTTZxB;p1aG(-8-*N)h(Oewmx|7aE(Itsny zdy#DyY>cuBrQ+p=T!kE?T@Dsg;0h_EiVw@}xP`^pIiHXkeaj!&Po|II*m|{;;0d z<8L>kSMN*tbwX_Gb8+sSm|2_Cqr_Cb zJZ#6Tw*>!xaIMN{4hM6V6M5Kv6ZV{i&09N$N)LE5Pu-xmx@yRIBb6Se+-q0iR5X7E zZD`@;&ZhISkFnrj!RqGgvO0=*J}_18V!_<+Ar8jx#vbX%mumY_#m=XIgL)@+k0r9Qqm`Eoixk(9_stT5P>uf4 zg-Ck(6noYU9S=MB3|EC)7vT{$ID2OF1dw{RL)2{-TuwTA?Bwz0(}KzA?a2uZ%kX>U zE@6}Qk8g!d$FK!P;X|;VT}9QSrr@qS5;xd{o-JbVe=;^%eM+D@$oQ;=vGLex#(Ex_ zh<_o2SX-?q-1A+$$CO+h?Zcl(Y8EpVxHoV^1XJV5S&MqZxbtc2peHZn<^5gyjgLGk zGGUVWu|Oq}Addlx+KE>Noc*y5w)rbyE7tdsRoj{5H_lj_Ilt${s8(u3K^CEgK3oPAy zoIEEm*VyCF5;(xfB|11_jc6zT$e^GZpz11!j63o~hPyTBncPE!8*?e%M)X7k6r+9& zS4%EvgMFvuFQcX9*EkKJJBDbHjvVQeavAQxIB)*3HqQBwGzg@(j@iV?Je%ryJq##i^2W(WujqFbqXS# 
z`DO`Y0gig(m)`fhG}^FUupA#;3Vwt;ik8=(d+(BlX}*HjZQ3D|iBolgEh8^4F9vKa{uGNEZndN}m<%p(*`Pwi zg@|BVR}B9gin_SK7Q=5QM$SL7#TX!p-=8IhjWUiV{$)h)8Q`jMKonoZ($vP+i{eYk z=kU~Pn8BzPmO-EH#K;1}s82U-Y@n%j>(h(}s`#U-HY5LQ{DG~ki0L!NS$mbP#)PG! z(6O(n1So1UfU743ie38RK7gUtqc?W(**Xmg0x6+?%*m1W<#-E z`%Nj`8P6`VfO{_5#>_rghxu#|3`kws#B8{NZv36r6E{PTyw%O>^R<^SD05q@Ws~F{ z1$Arl&`+X8D%RlzAD(2$tyba#(puvm)$<={ogF@SK5l#Vf(s)>9SbPyTw&WS4>2OSP#xt z&?e`Yq~vgYl~!W1xWM7>*2~qILE=#2Kce$b z^1$p~fX@vRFusHR=xw_t*9Ut&rvB&Yksi%q%5xvDwNw{bUzpGMgSic2XH>A)1htJ zNRaVA1F$YowEz1ldNT?SlI;THgg1}p?rNgFBe9829F3DXg?4cGMV&h`>dKK z-)2I?D$zkVNpr&NS0oKqmZ=5qhS@>Hyn|BbHbl=O+ld$v<67{8DC&(?C*mWsTbbj3 zmrE?$kyXOAt*IH8FvEbMBnu)6U}#R(K;vd0h5vu9xdF&1;bw+wZicVnsN#<%r+{Ch zOQ~^f+#0`}a)*Xz<{l$}{I;WUA1D|&D-xfF1oi>xgW-3bZ)#$j+COv$=s$~m;^@^0 zoY&$@Ci$s>zQ>!LT(By<32-G4T80h;>4*52TkI^&J(T2e(R(vlkr})0i-Dz2pnK4G z(D5f{`e^>M91kpsxh$p4`D`1iNb_glwzDO+AOcP|+fgmBd)RhjA4vf9;XP!V$$}}7 z8%%|0$qdI^GO(F%i+hHaAYm?#+hgo9YP4j7nAHeXbv?dgpi4x1>I@&<6#D?J8X7Y} z^LNv4Chqzw(*D@^hRx>EG$xx9N>?_~(D2*v@-S&N|C>0lo+{AL(EQtBkb~(o7={8l ztW*JV)P;tIMo2Ive(~@G1ZVU1U#v}ifp4Kp^PfZgaOFe?j7FOi`PUw z`yr;tx3VQf_2LHru;qCiF7CQ{{9TS^iA))Sh573+RJAZz)n6>qw%+?>)QsgW^%~!} zabZoJU+E`cumt{_RE;cKswJ+k9BH;*Qx@<{OmSW0Xb{n3dS+y0RkhFonR8(+75|nm zO9-@ZJMtvq{OE_#zUE;5$osi}Z;*L#+#&KsCosO_;}bLt7*l*)U%gq!lse?^;nffN zJ~`(4>d2VKac)h4y~5W$a3-V4!;=otUM6aHiqaksJHHDa&e_LH-5>V>*5tdccdc>L zGTX~xeVh%LoPOlww3-J49Uq_42i}s$kEROtx6)mI;=l?^>VQD3Ca2xz3O^-MWq9~W z>i(0cBLQRMUwtGlbWynezom=)Sj|6qWUY4U+K3&t8;47D-&Yh37wft6OzFa|Yn z*CLD8Hoyrv25`_D|M)Geu6T+`MlT205Qr;Ivz{k{q%C4wz=${lj_;$9W43P~F^#SgA}V0g zfeqT-@%JSv&jJ+*vCiZ|aH%fs`P0Kp<6!4@N~+;w)w+^NP_=rM(5-L0C&f#L&2U_07hqg{Z43u#zAk7DPVP8wnzHc;N48_Qcu6fy@9iL^<&3=7w}hM z>A=q>P)`^;4&o1ga5XeN_dMW)CRkli1J;o_F!9jwU~;)#?<4bFBezMx{5^JIePF8F z^Jk-gv1~2z#-1M27@%?dx$kl_=i<0)RhumW#?b*lBW{{X_)dTxL{(^)X`>P~PUO+U zHWt%9_F5K7_BHF=$cu$ZrRJi{W1}1o@&tL2j2_WblsrxZ*!q##I_gi`1S^p6+m5Xj z54Ohfhv#0o@T9_VPqHFFN@3sQbCChE;yxbRUYy{`g}*$0;mRSE{&6iqJ7NLA2}ii~ 
z>h$@G=UbRWj|AA}!Bq>d`x>v`gL4H7Sjz1fv^{Y8ab_Ed$R*emPUs`$eWvF*Z)MiA zggX!2gFCBSPCVYQ)%?FOJC0bcYabvE^F3XChV%A)&GsAtogTXT?UrI}J^v`o)W~ta zTf(kUkK!IRf&LG5Ve|RZ!NFqzTHf;TIZ3+Aq6a^}^&2el^7^ePmlgoyJw2W;Ed7aV zfq4vFo~)zu>{z?0u>+YN-!@r4jL;Bs_OKojeihcoSa-96>F=7T+P$998Wz4;+~Z7= z1vBKs!9n`L=Kv1HG%R9#X_hG%zMiJ=#I5hhu#3ELDMr8zI0mcHy&2@v!g1)~pk;aU z;n2?;Q#EW~uk3LmqZ8bA0!`lo?PkaI5;+?@eBy4s=~?SKH6#O4ow7cX<91HY*UiZNWae)kX;zW&dce9>{O%3@~Uh zm@F9kU=yKT?FIdIxvrN5vxVcIEd;H7_iv75K)V%6z?pgd##DTTjlJ^{we3BbMeG>-J-KsLqiQln8v^IDJ%H@XjhX=`+mDa$AQp)`fhMo4Ri8Lr zw=)BApKEQ~Tj+@aXXtY`!G^ugjwkxk#mP#2qQ*2?7HQtp>!ziup5NZ4y`$#AjpEH6 zBrTD9_ZgoeCiG0+54PzhaOLaz4p*Y(Wgnku-r?mAvL$Zz>`n(2`PhV!ouke|`=~|6 z6XN-~R%(ZNJREzUQ_^j;T120PC$~kQ?c09cQriQJPSRVM))8M~n`i=4BGf@OWDkH! z+z#-+jcdn-XnCm@8~HC%U$kDWf`yTy!!kSIRw$=+{|E!%y6%Bh$yB2`KD86T4JX(e zsRCT@v$*B*J1%UN~bazi%f*y%}KE?~NU7!AxjPRyA}`v?vH;nC;qEQYkhv6CF~z#1FGli z-XI={4V?2%Ffz&*u0CW!k7U!XZ|0k|x&M;CzUT(_XEX>eX0MOL+SuN$`=;$D&({v~ zG_i;Oiu^l{_xu(zov~syBPLD>!QXPrBpbyu2^X7UJvW1S(S~43tX1aTIR{>Z$<`vZ zf7fKJ!-l{<>%wt74a>u@Gu%G4SKn}bU^(xF4Ib30sY!ua09&5HfqQKHv9OBZ@*SzO zw_sDwJ;ysfQ@Xt(6Zlvr5=%xKfotz48t=?7R*S_-(uuih-2A4eyl&J)*c#nULC;Kd zK+Yn=QKQ%kGy1DlGKd9&l*dJeZu}U9kS+LM&KV;cH&tOU)3Uv25$n4=_0_qQO%e(m`1C|AOc-brH5t-1I zToQr#iLUj@sa888hf+Kry*kd+_3*ZP^12Ijjq|8+_m47RZocc?haQW?uHh~Ttl}*|J^=rCXP&~yXk)Oy z0?;MFY~cH6*az6mH#8mp!FrCg#V_Qmu=nlV2alhOCePOn)6N|??#m;MRW)RpqOM1< z@0>bhL^Kvy=Ok><_40I)7)$C|7mSjynR??O&d`V*AW3W zafLFmiG^<8&QieD#uY~aKOb6JmZX3XEUdO>T{n!Az_oetT(fStHn&xi!Ma6cJnWg+0ThF9 zmw@dRqJOr(4$vdPtoQ4-M8-uv_w5KhPsa_mujF=b{Do8JYln5-3+uV->)C8>Q#H<` z)V^|C(~Wi0cS&kExXHEAgXM|x<6bw1@$Y(z^R5Rq6`hgZ8-mHsf8_g&22YSFKF)e7 z5AEMTVcx!%BLCeWxsldwC!-*g$IlaajiLHvxYJ*IzZR7acqu> zidOVxW$m#F&6DSs?yezJ91k0hHpfkx898d9Gi(5EcC=%#>B#M2J4gfD+8xHV!@r^a zFfv=Yz%fafe#s6xW%k43dAVE;HyyAE>p6}xl3K+MA+o2o=@Wx{h-*&xgDi*=osei? 
z{(AM$;r)y>Bgl?f!bj-gF4Gc^EZ7$^MkwDw16liaxPITjgF>7Qne%>p$0ZSo6-~7Uif6`|jWl&){k3y|C>fjEj!ITpe})zFSwu@EG6cH|0dmyt&@+Pf`b- zUZM(Rv^f8!EmagcY`eH9D^L!y6JZR`>?RU@grOJU3B8l3tf3~!XT+Iyfii>Qn*l6) z(*~qnZo-sT0jm&H??y^-xGw;<=q(R|P}=>>#bukI za>rCf@9-dBzcVJ-5ZW5%{Opnz^p6i734>mExp?-1)3~pOPJR|3=Q0!E;58WNZ2+gR zZQaqYBXslhep<4LXYZKsq2jLCi&^tnoV6&_-QCfQ|3K{+wIY6AhS}5^?Zic04z-!q zmN+(@Is$h>$|L4=;ec{GG2H1)?al<{VN=^MfoVoI7UC}U4gbwX31?X<~^!@lLXXrnkdZ%cXnRsxY5Ay^T1o!&67&k102LxNxEp zDzSFnFG?8cHd7eBa@F)L^pgS@pM39P)D8};O}~0K&Kde*?~tTf_-hBpo z(fI!hqu<9MlcwrO{YrLz-&v+a1Kx3H>iO-FwoHahhRtogIM0m5(ha|CV(cfBM*SM z0l8vcn@m_D+Ju<%6>CB+|7!&Fqf0`as_{3t&Qw^#-qh9T6SaX~jVu&{*})5*5&o zvc*lw>Qjs4VM=EJ_QXyiLl2*sDGj1S&Boi!6yYv@8?uuK1R4_c=1?2xy65yvDUcs* zxn-Mx!#{sTb9Mu_m!Y8%CR`_UaMaUKP4TQZJBO;-zZf|_@&*`3UK_e|7VPuvKO}II z)Rm{!)68Y=IrN^|z+?(FAoKXO=SgFYdyh8y*h_0*J?lQWx8eCYS%;@AXpuCe^@Ah3 z5_f=vZ^Dgp=_`0EGDD9Lak67$vQD=eoOu0k!g;P%aFWwOGH;YHv3S-KwC0l$!!$I1 zADjnw#h~rGk(`wM0M>7;u}_*}uqYne*%D0>m&%I$6RGRqDh(j}?2a%8o+R9&jJVA8 zLCv|=uLsIT+QPP%O}Ks2tOlmFhSiaZk}6E@_LoxJP!Cnsi7;_7mu+O&EAzMuTRz|) zaTxj5N-gDq61U;OW76_Ocok8< zqyiBU$>cvrOa>n?SRg`7=8DQwv63`2je>~N4gig?g%T0t0T#q!7uhJL?>;9&yH=Ur zw;g=#rCU9VTrUmXo`)?bx84;BlFzo|Tl@60r?2IXmyMVJw^MNO?Qn&-mEe2=yVP^H zc>2lmUakOG949a0N?eUO?gpLHyWr*^aHT<{0J1BH*xr4zlnr{voE!%+L2A9r(|PPZ zyJfLAG5{to+Uwm`cDqhyNdPkwH38Zrw%z4TbT!@HjL|gG!WtHvopgW+ z(hJkJ@}DCFB%f`=J)uM3f&~l4DQQKGhX?)(7R(=~%&@y-7HJLLgD%Xw>MP3&SOc&; zPG0;OZiEOFJc#@~rG7JK~j{CrjO zmxqU4^lp@7S~N5y9LM;s;%hQZB@(6qw0gZ=OySZ?-q^emqL$qhpP!ThWi9d6;&9tT z$&3e2ov0@X9!XC^p@;oR^He`-BAoChY*{7@h;)7=4QE0CRtLz52CT(;j#UtGKTKRl z=$WCFumzhE8QruZ1kgX*z8`{bCnvX4(s_PREnzm1Kxavi8mPZq3@2l7V`mZH2P`8@ z0Z#dgDiUds0BmxI(RiCQ+^mSp_?!cf3E#?n^h5;Uh@X*S*Q|NOMKm;x0_S#$vun}{ zmU0B{-k1yG9yteCgUq=^*U&}KH~7gF&p9%ep4G+(r+L7B^HMr2Mu;;!Ys>lf!pNUdoLV0Pfzh1rq- z0}trnj&I@3En{X#u$Ni`bYCL{`bTb&S?`C>XM*UY%U2i5g5v7(dGPBCqt8=crRDLx z%*~rfbWZC@oLU;80?L7lz>Y{7L+IH$9)CPZpKbdbsl^DL9mAVVPa+n|sUfJ$&QI?tDnE>Lbcved8hxR$Wm9NR?4~I{2%FW$tEWo?`}sNkbL1y%nWKpt#zC8A;Kz&>tslY$ 
zPA}56mYcX~rB$OO$D^U4X$V$ngQyY>4b8uuRZha$OMr%krty)bI4X$c_SPL^S!(ruhPew@)nQ`5GOD6pF=S&xHow#A(?qwUmQ z;_5fEW)NGj2o|>O!!5t0UZtU-sTQT@I{_@>`iSm~dKz(G15P*}*m7h>H7 z`=FP@v)9LXV)xuaAL_Mz>Gv#tCTPE$2QsIg-ws~{oF&m7L5qjHDhS#x@aTG$J!6W-)&_kn-Li-O8jO@KZF!FWKg6T|sWqoMgf zM#5!}X-qrD)8n|jI85ibD}X_KZ*Zg13Nf#o2at3-0KO{$MyDD9$b`<)j+hHiLiQa! zzD{F@C%G@;suzT_Em&;)-{0)sIpp5nh-&J_OBXlVYQS>%7^9tW=YNdjDSlHTWo`@qy*47WY}N15lHrNAI{0lZj; z9opB!06M00*Tns^g9DkDZz&;haaa{eCJh%T%;f>fOs9L&&?RkxjQ0ye5n{kiH+el+ zBwOpnZ53tDeA~u2u_wUgyD;SEQVH5Pr=fu+;b+!`+1)=0G+TUz?kLg>bhSN`n!d@jR2Vw zQM&~`zP&0)UN4UDil3fP@?OtB2mO;fI_`m?X=Yf@@q9ho-GUpM)1OP*tp95T52j3W^&BC|RrevNZu_lBE%{36b1HCF( zi5F-G&@63|obN{Jq@wflmzL1x&1`@%neEilCxd#x4Hz9o=Psb3!E|_6(?AmI8Zq!) zk#5ft%&DSKSr?%W)3VNN2z(^17)GTD23UY@iGj$TH+y!*?G@oVM(w?odkrS0n^F(c z(EMLxwv?Z|r)n4j2LGbx&U?EyO0;&*Wm3QzanXLgI!G?*OPz!^?};?LV)L$Do{3Ec z-Tk*FjT#5$Yw3+}XlO9MpUbb|+5hSWKjk2YH1ruIZ_1dKid|=nC_mdD6W0$vS=u0ctvug55QBEX=`mhIEp103F{_M*vtQn|Fw91#tB~J~Jj>ZCtc^>m0{}$4^XBBa##Xa31d`?r3Oe{%Q=P zR{+dPH|U&T0kAVd8sI=EYhtvze#&(GD1+y55vy5@?Q)oZISmcXUyNR8_MBl+XF2_{ zEdeZ2E_a)rv=k;q>#)uQ+E|Pk1Pk6T?RC%wE=Ts(qZdHa(EQ~X2Hm(5az+!{*%K)X z2ReIuE)j)^(MF(g#M|}Bco1Lz;^lc`Xy^WNApZ$8G&FxL*ngHbz&$Tlj!gC~(UeGy zG&|V<-|Dm^qe|495J^lFjrrLMX=rHvUYaHRlB-Z`Zqik8s!T&e^DjbvRtu_B3UB5n zO{z#kL-TKk9{8f6p`oFnp`oFnp`oFnp`oFnp`oFnp`oFnp`oFnp`oD>5CH!JCr*l00000NkvXXu0mjfZB0Zo literal 0 HcmV?d00001 diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index 5758bcfc3..78914b211 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md @@ -15,7 +15,7 @@ Security Guidelines for New Projects aims to provide recommendations for new pro 4. Incident management 5. Badging -![](../images/SecurityGuidelines.png) +![](./SecurityGuidelines.png) **Figure 1**. An overview of security guidelines for new projects 
@@ -231,10 +231,10 @@ The [OpenSSF Scorecards](https://securityscorecards.dev/) project helps quickly This paper is influenced by the publications of CNCF Technical Advisory Group for Security, particularly the Cloud Native Security Whitepaper[[1]] and Software Supply Chain Security Best Practices Whitepaper,[[2]] and CNCF Cloud Native Security Map[[3]], programs and initiatives by OpenSSF[[4]] [[6]]. Our sincere gratitude for the contributors of these programs and publications, and to Emily Fox for suggesting the creation of this paper, to the contributors and reviewers of this paper. -[1]: https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md -[2]: https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf +[1]: /security-whitepaper/v2/cloud-native-security-whitepaper.md +[2]: /supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf [3]: https://cnsmap.github.io/ [4]: https://bestpractices.coreinfrastructure.org/en -[5]: https://github.com/cncf/tag-security/blob/main/PUBLICATIONS.md +[5]: /publications/README.md [6]: https://securityscorecards.dev/ [7]: https://clomonitor.io/ From 412492f06e7fb30bdc9d7a8864c4b988bef9b98b Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 25 Jun 2024 22:34:09 -0700 Subject: [PATCH 29/47] linting links Signed-off-by: Eddie Knight --- project-resources/security-hygiene-guide.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index 78914b211..b29365753 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md 
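Review bot: In the `@@ -231,10 +231,10 @@` hunk, reference `[5]` changes its destination as well as its form: `PUBLICATIONS.md` in the repository root becomes `/publications/README.md`, whereas `[1]` and `[2]` keep their paths and only lose the `https://github.com/cncf/tag-security/blob/main` prefix. If PUBLICATIONS.md was moved, say so in the commit message; if not, `[5]` now points at a different document. Also check that root-relative `.md` links resolve everywhere this file is rendered: GitHub resolves a leading `/` against the repository root, but a static-site build that serves rendered HTML rather than the `.md` files will need to rewrite these, otherwise the three references break there while still passing a repository-level link check.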
@@ -65,7 +65,7 @@ We recommend that any change to the repository should be introduced as part of a ### Issue template -Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](https://github.com/cncf/tag-security/blob/main/project-resources/templates/ISSUE_TEMPLATE.md). +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). ### Commit signing 
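Review bot: The link text in the `@@ -65,7 +65,7 @@` hunk still carries the `Resouces` misspelling; since the line is already being rewritten, change it to `Resources` here rather than touching the same line a second time in a follow-up commit (the later "Spelling fixes" patch in this series does exactly that).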
@@ -85,7 +85,7 @@ Code scanning is an automated security test to identify vulnerabilities and erro In addition to scanning your code for identifying vulnerabilities and errors, managing the vulnerabilities dependencies is also important. [Dependabot](https://github.com/dependabot) is one tool that helps in managing vulnerabilities in dependencies by automatically raising a pull request to update vulnerable versions to secure versions of that dependency. These pull requests can be then analyzed, and further action can be taken. Further details of Dependabot and configuring it in your project code repository can be found at [GitHub Docs - Automatically updating dependencies with known vulnerabilities with Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates). -For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +For further information on securing the code repository, we recommend reviewing the **GitOps section** of the [CNCF Cloud Native Security Whitepaper](/security-whitepaper/v2/cloud-native-security-whitepaper.md#gitopsnew-in-v2) and the **Control Environments** sections of the [CNCF Software Supply Chain Best Practices paper](/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) ## 2. Self-assessment 
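Review bot: The fragment `#gitopsnew-in-v2` on the whitepaper link in the `@@ -85,7 +85,7 @@` hunk is a heading id generated by GitHub's markdown renderer; once the link is root-relative it will be followed by whatever renders this repository, and heading-id schemes differ between renderers, so verify the anchor still resolves wherever the guide is published, or the deep link silently lands at the top of the whitepaper instead of the GitOps section. The sentence also has no terminal period after the closing `)` of the second link; add one while the line is being edited.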
@@ -104,13 +104,13 @@ Self-assessment dives into the following aspects of the project to understand th 7. Secure development practices 8. Resolving security issues -A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](https://github.com/cncf/tag-security/tree/main/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. +A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. ## 3. SECURITY.md Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. 
It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). -CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](https://github.com/cncf/tag-security/tree/main/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. 
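Review bot: The two self-assessment links in the `@@ -104,13 +104,13 @@` hunk move to `/community/assessments/...`, a different prefix from the `/project-resources/...` and `/security-whitepaper/...` paths used by the other hunks, while the old URLs pointed at `assessments/` in the repository root; confirm the assessments directory really lives under `community/` after this change. The untouched sentence between them ("can be found at TAG Security GitHub repository") still has no link at all and is the natural place to point at the new location. Both changed lines in this hunk also keep the `Resouces` misspelling in their link text.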
@@ -120,7 +120,7 @@ This document is an outcome of the self-assessment which articulates all the mea ## 3.2 Security contacts -This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY_CONTACTS.md) +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) **NOTE** 
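Review bot: The rewritten line in the `@@ -120,7 +120,7 @@` hunk still ends without a period after `(/project-resources/templates/SECURITY_CONTACTS.md)` and its link text keeps the `Resouces` typo; both are one-character fixes worth making while the line is touched, e.g. `A template for this document is available at [CNCF TAG Security Project Resources - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md).`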
@@ -130,7 +130,7 @@ CNCF could help create a mailing address (through service desk ticket) should pr Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. -At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md#reporting-a-vulnerability): +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): 1. The medium to report vulnerabilities - Email, Web form etc. 2. Disclosure timeline @@ -152,7 +152,7 @@ The vulnerabilities reported to the project are then handled by the security poi 5. The consequences of any violations 6. Disclosure timeline -A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo-policy.md) +A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](/project-resources/templates/embargo-policy.md) ## 3.5 Security notifications 
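Review bot: In the `@@ -130,7 +130,7 @@` hunk the changed line is grammatically tangled ("the vulnerability reporting policy projects should include is as follows, A template ... :"), and since it is being rewritten anyway it is worth splitting into two sentences: `At a minimum, a project's vulnerability reporting policy should include the following. A template for this document is available at [CNCF TAG Security Project Resources - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability):`. The `#reporting-a-vulnerability` fragment is a rendered heading id, so check it survives on whatever serves the root-relative path.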
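Review bot: In the `@@ -152,7 +152,7 @@` hunk the link text still reads `Resouces` and the sentence has no terminal period after the closing parenthesis; fix both in this rewrite. It is also worth confirming that `embargo-policy.md` (linked here as "Embargo Policy") and the `embargo.md` linked elsewhere in this file as plain "Embargo" are two distinct templates under `/project-resources/templates/`, because the near-identical link texts make the distinction easy to miss.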
@@ -168,7 +168,7 @@ The vulnerabilities may need to be reported to certain stakeholders, and for thi 8. Timeline of events associated with this notification 9. Any additional information relevant for this notification -A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](https://github.com/cncf/tag-security/blob/main/project-resources/templates/embargo.md) +A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](/project-resources/templates/embargo.md) ## 4. Incident Response @@ -188,7 +188,7 @@ Incidence response primarily states how the vulnerability is triaged, replicated 1. If a CVE is already present, request the CVE 4. Patch publication and Notification -In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](https://github.com/cncf/tag-security/blob/main/project-resources/templates/incident-response.md) +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](/project-resources/templates/incident-response.md) ## 5. OpenSSF best practices badging From 16523ab670a78b566123459e18814977748b784e Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 26 Jun 2024 08:44:02 -0700 Subject: [PATCH 30/47] Spelling fixes Signed-off-by: Eddie Knight --- ci/spelling-config.json | 13 ++++++++++++- project-resources/security-hygiene-guide.md | 16 ++++++++-------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index ec6bb0e55..4bb829b69 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json 
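Review bot: in the @@ -188 hunk of security-hygiene-guide.md, the unchanged context reads "Incidence response primarily states how the vulnerability is triaged" while the heading and the new link text say "Incident Response", and the context list item "1. If a CVE is already present, request the CVE" is ambiguous as written (if the intent is "if no CVE has been assigned yet, request one", say that explicitly, because a reader following the runbook during an incident should not have to guess). Neither problem is introduced by this change, but both sit one line from the edit, so fold them into this pass or open a follow-up issue.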
@@ -8,13 +8,16 @@ "words": [ "ABAC", "addfetnetgrent", + "Aniszczyk", "antifragile", "APAC", "archives", "ATT&CK", "backdoors", + "Benedictis", "Buildpacks", "BYOK", + "Cappos", "cgroups", "chainguard", "cisecurity", @@ -104,20 +107,25 @@ "pearweb", "PHP", "protobuf", + "Pronin", "ptree", "pyproject", + "Razzak", "RBAC", "Rego", "Roadmap", + "Ragashree", "runtimes", "sandboxed", "sandboxing", "Sarbanes", + "Sergey", "SAST", "SBOM", "sdlc", "seccomp", "semgrep", + "Shlomo", "Sigstore", "SLSA", "snyk", @@ -134,6 +142,7 @@ "Syft", "syscall", "TAR", + "timeframe", "TOCTOU", "toolset", "triage", @@ -151,6 +160,8 @@ "usecase", "venv", "Virtool", - "Wolt" + "Wolt", + "Yubi", + "Zalman" ] } diff --git a/project-resources/security-hygiene-guide.md b/project-resources/security-hygiene-guide.md index b29365753..87af35a9b 100644 --- a/project-resources/security-hygiene-guide.md +++ b/project-resources/security-hygiene-guide.md @@ -65,7 +65,7 @@ We recommend that any change to the repository should be introduced as part of a ### Issue template -Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resouces - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). +Any ideas, bugs or enhancement suggestions reported to the project need to be tracked, and can then be discussed, triaged and prioritized/de-prioritized for implementation. GitHub Issues are one such avenue that allows tracking and managing ideas until they are brought to fruition. We recommend the following template for proposing changes to the project [CNCF TAG Security Project Resources - Issue Template](/project-resources/templates/ISSUE_TEMPLATE.md). ### Commit signing 
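Review bot: the ci/spelling-config.json hunks insert "Ragashree" after "Roadmap" and "Sergey" after "Sarbanes", which breaks the case-insensitive alphabetical order the rest of the list follows ("Ragashree" belongs before "Razzak", "Sergey" after "semgrep"); a sorted list is what makes duplicates and stale entries visible in review. Most of the additions are contributors' surnames, and adding a name to the project-wide word list every time a new author appears will grow the file without bound; a separate names dictionary, or an ignore rule for author and sign-off lines, scales better. The @@ -65 hunk in security-hygiene-guide.md capitalises the link text as "Project Resources"; use that same form for every link-text fix in this patch.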
@@ -104,13 +104,13 @@ Self-assessment dives into the following aspects of the project to understand th 7. Secure development practices 8. Resolving security issues -A template to perform the self assessment is available at [CNCF TAG Security Project Resouces - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. +A template to perform the self assessment is available at [CNCF TAG Security Project Resources - Self-assessment](/community/assessments/guide/self-assessment.md). All the assessments (self-assessment and joint assessment) conducted by TAG Security can be found at TAG Security GitHub repository. As an example, self assessments are available within the dedicated project folders at [Assessments folder of the CNCF TAG Security GitHub repository](/community/assessments/projects). Further sections (SECURITY.md in particular) in this document provide some of the pointers to address the gaps and create the necessary process & documentation. ## 3. SECURITY.md Awareness and processes are a big part of enforcing security in any project. A SECURITY.md file in your repository should talk about the security considerations of the project, and the efforts undertaken to ensure that there are policies and processes in place to report vulnerabilities to the project maintainers, and for project maintainers to notify the community of the status of the vulnerabilities. It should also list the dedicated personnel responsible to address these vulnerabilities in a timely manner. 
In GitHub, the SECURITY.md file creates a security policy, and when someone creates an issue in your repository, they will see a link to your project's security policy. Further information regarding security policy is available at [GitHub Docs - Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). -CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project Resouces folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. +CNCF Technical Advisory Group for Security maintains a number of templates to assist projects in addressing these sections, which can be found at [CNCF TAG Security GitHub repository, under Project resources folder](/project-resources). A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of this collection of resources upon which much of this content was built on. Disclaimer: These resources are designed to be helpful to projects and organizations, they require customization and configuration by the project intending to use them. It does not prevent security issues from being found in a project, will not automatically resolve them, and does not place CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update. 
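Review bot: the @@ -104 hunk is internally inconsistent: its first rewritten line uses "Project Resources" and its second uses "Project resources" in otherwise identical link text. Pick one casing for the whole patch. While the second line is being rewritten, also tighten "upon which much of this content was built on" to "on which much of this content was built", and the first line's "can be found at TAG Security GitHub repository" is missing its article ("at the TAG Security GitHub repository").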
@@ -120,7 +120,7 @@ This document is an outcome of the self-assessment which articulates all the mea ## 3.2 Security contacts -This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project Resouces - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) +This document states who are the personnel to reach out to in case of any security questions regarding the project, including but not limited to the triaging and handling of incoming security issues or security reports. Security contacts could be external participants and are not limited to being the maintainers of the projects. A template for this document is available at [CNCF TAG Security Project resources - Security Contacts](/project-resources/templates/SECURITY_CONTACTS.md) **NOTE** 
@@ -130,7 +130,7 @@ CNCF could help create a mailing address (through service desk ticket) should pr Vulnerabilities are sensitive information and exposure of information regarding vulnerabilities without the availability of a patch generates unintended risk for all the consumers of this project, hence it should be handled with caution. -At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project Resouces - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): +At a minimum, the vulnerability reporting policy projects should include is as follows, A template for this document is available at [CNCF TAG Security Project resources - Reporting a Vulnerability](/project-resources/templates/SECURITY.md#reporting-a-vulnerability): 1. The medium to report vulnerabilities - Email, Web form etc. 2. Disclosure timeline @@ -152,7 +152,7 @@ The vulnerabilities reported to the project are then handled by the security poi 5. The consequences of any violations 6. Disclosure timeline -A template for this document is available at [CNCF TAG Security Project Resouces - Embargo Policy](/project-resources/templates/embargo-policy.md) +A template for this document is available at [CNCF TAG Security Project resources - Embargo Policy](/project-resources/templates/embargo-policy.md) ## 3.5 Security notifications @@ -168,7 +168,7 @@ The vulnerabilities may need to be reported to certain stakeholders, and for thi 8. Timeline of events associated with this notification 9. Any additional information relevant for this notification -A template for this notification is available at [CNCF TAG Security Project Resouces - Embargo](/project-resources/templates/embargo.md) +A template for this notification is available at [CNCF TAG Security Project resources - Embargo](/project-resources/templates/embargo.md) ## 4. Incident Response 
@@ -188,7 +188,7 @@ Incidence response primarily states how the vulnerability is triaged, replicated 1. If a CVE is already present, request the CVE 4. Patch publication and Notification -In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project Resouces - Incident Response](/project-resources/templates/incident-response.md) +In addition to the above, you could also consider adding relevant timelines, including but not limited to third party disclosure timelines. A template for the incident management process is available at [CNCF TAG Security Project resources - Incident Response](/project-resources/templates/incident-response.md) ## 5. OpenSSF best practices badging From 6ef5fb40de391c011e12c557cfd1dc787074961c Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Sat, 29 Jun 2024 00:04:27 -0700 Subject: [PATCH 31/47] removed linter line from blog post (#1305) --- website/content/blog/website-relaunch-2024.md | 1 - 1 file changed, 1 deletion(-) diff --git a/website/content/blog/website-relaunch-2024.md b/website/content/blog/website-relaunch-2024.md index 858bbc7eb..295a31725 100644 --- a/website/content/blog/website-relaunch-2024.md +++ b/website/content/blog/website-relaunch-2024.md @@ -3,7 +3,6 @@ title: "Website Re-Launch at CNSC '24" date: 2024-06-26 09:00:00 -0700 author: Eddie Knight --- - A lot is happening in the world of TAG Security recently! Most notably, this website is re-launching with a whole new set of content— thanks to contributions from the TAG leads and the special attention paid by TAG members **Brandt Keller** and **Marco De Benedictis**. From efd6dda450a9d07923fa2ae662b6452a3696bd35 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 3 Jul 2024 14:21:58 +0200 Subject: [PATCH 32/47] style: fix publications table scss layout (#1307) 
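Review bot: the @@ -120, @@ -130, @@ -152, @@ -168 and @@ -188 hunks all rewrite the link text to "Project resources" with a lowercase r, while the links to the same folder earlier in this patch read "Project Resources". Since the whole point of the patch is spelling cleanup, normalise the casing in one direction rather than fixing one typo and introducing a new inconsistency across six links.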
Signed-off-by: Marco De Benedictis --- website/themes/docsy/assets/scss/_table.scss | 5 +++++ website/themes/docsy/assets/scss/main.scss | 1 + 2 files changed, 6 insertions(+) create mode 100644 website/themes/docsy/assets/scss/_table.scss diff --git a/website/themes/docsy/assets/scss/_table.scss b/website/themes/docsy/assets/scss/_table.scss new file mode 100644 index 000000000..c23d0acdb --- /dev/null +++ b/website/themes/docsy/assets/scss/_table.scss @@ -0,0 +1,5 @@ +#tag-security-publications ~ table { + td:nth-child(4) { + white-space: nowrap; + } +} \ No newline at end of file diff --git a/website/themes/docsy/assets/scss/main.scss b/website/themes/docsy/assets/scss/main.scss index 4a3c44610..8e28901e7 100644 --- a/website/themes/docsy/assets/scss/main.scss +++ b/website/themes/docsy/assets/scss/main.scss @@ -26,6 +26,7 @@ @import "blocks/blocks"; @import "section-index"; @import "pageinfo"; +@import "table"; @if $td-enable-google-fonts { @import url($web-font-path); From c977a016821182d3192ef32b677c1783d4729bf5 Mon Sep 17 00:00:00 2001 From: Shlomo Zalman Heigh Date: Fri, 5 Jul 2024 22:26:18 -0400 Subject: [PATCH 33/47] Remove outdated info about documenting members (#1310) * Remove outdated info about documenting members Signed-off-by: Shlomo Heigh * linting Signed-off-by: Eddie Knight --------- Signed-off-by: Shlomo Heigh Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- governance/roles.md | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/governance/roles.md b/governance/roles.md index 9f877673d..ab3b1acec 100644 --- a/governance/roles.md +++ b/governance/roles.md 
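Review bot: two points on the new `_table.scss`. First, the file ends without a trailing newline (the diff marks "\ No newline at end of file"); add one so the next edit does not produce a noisy diff. Second, the selector `#tag-security-publications ~ table` uses the general sibling combinator, so `white-space: nowrap` is applied to the fourth column of every table that follows that heading within the same parent, not only the publications table, and `td:nth-child(4)` pins the rule to a column position that silently breaks if a column is added or reordered. Add a comment naming the column this is meant to protect and, if the content pipeline allows it, scope the rule to a class on that table rather than to sibling position.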
@@ -20,12 +20,11 @@ The various roles are listed as follows: * [Facilitation roles](#facilitation-roles) * [Security assessment facilitator](#security-assessment-facilitator) * [Meeting facilitator](#meeting-facilitator) - * [Meeting scribe(s)](#meeting-scribe(s)) + * [Meeting scribe](#meeting-scribe) * [Triage team](#triage-team) * [Project teams](#project-teams) -All members are identified in the TAG [README](/README.md), with annotations -where they hold an additional role. +All chairs and leads are identified in the TAG [README](/README.md). Members fulfilling any Roles in Security TAG are responsible for understanding and abiding the by the [governance](./) and policies defined in this group. This @@ -41,8 +40,6 @@ consider their actions to support the group. ## Role of members * The primary role of a member is to contribute expertise to the group. -* To add yourself as a member, submit a Pull Request (PR) adding yourself to the - list of members. ### Maintaining active members @@ -62,7 +59,6 @@ consider their actions to support the group. ### Managing membership - * Membership disagreements may be escalated to the Chairs. Disagreements among the Chairs may be escalated to a Security TAG TOC Liaison. * Members *MAY* decide to step down at anytime and optionally propose a 
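Review bot: the @@ -20 hunk narrows "All members are identified in the TAG README" to "All chairs and leads are identified", and the @@ -41 hunk deletes the only instruction for how someone becomes a listed member, yet the sections left in place ("Maintaining active members", "Managing membership", "Members MAY decide to step down") still assume a membership record exists. State where membership is now tracked, or state that there is no membership list and active participation is the criterion, so the retained text is not left pointing at nothing. Also, the unchanged context in this hunk reads "understanding and abiding the by the [governance]"; drop the stray "the" while the surrounding lines are being edited.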
@@ -80,10 +76,10 @@ navigate a complex security landscape. * The Chairs are responsible for ensuring that group meetings are planned and have facilitators assigned, while also engaging group members in leadership roles. - * Chairs are responsible for approving Pull Requests, specifically for - top-level content of the repository - * Chairs may additionally perform any actions of technical leads as needed, - especially serving as the Security TAG leadership representative to a project. +* Chairs are responsible for approving Pull Requests, specifically for + top-level content of the repository +* Chairs may additionally perform any actions of technical leads as needed, + especially serving as the Security TAG leadership representative to a project. ## Role of technical leads @@ -126,7 +122,7 @@ After a [Chair](#role-of-chairs) finishes their term, they transition into a role of [Chair Emeritus](#role-of-chair-emeriti). This allows previous Chairs to continue to chime in and provide valuable context and contributions to the TAG. A [Chair Emeritus](#role-of-chair-emeriti) can assume a role of a [technical -lead](#roles-of-technical-leads), but in doing so, must be active in +lead](#role-of-technical-leads), but in doing so, must be active in communicating with the co-chairs and technical leads (i.e. participating in the chair/TL slack and meetings). A Chair Emeritus has the same permissions/access as technical leads. 
@@ -159,12 +155,13 @@ given the OWNER role of the directory or sub-directory along with 1 other nominated individual to ensure continuity in review and ongoing support of the project. - The nomination is typically open for a week (but may be shorter with LGTM + 1. The nomination is typically open for a week (but may be shorter with LGTM of at least two Chairs). 1. The issue is updated with the assignment of the project lead as "assignee" alongside the TAG Leadership member. - 1. Project Leads will be given the OWNER role of the directory or sub-directory - for their team's activities in order to empower merge/approve. + 1. Project Leads will be given the OWNER role of the directory or + sub-directory for their team's activities in order to empower + merge/approve. This role may be subject to [lead rotations](#lead-rotations). @@ -229,7 +226,6 @@ Examples are: ## Role of Team Leads - Team Leads lead larger streams of work that require sustained effort and coordination and remain ongoing. @@ -291,10 +287,9 @@ role for some time informally, then proposed as an on-going role by Pull Request which must be approved by a majority of Chairs. Process clarifications are welcome and PRs can be approved by any single Chair. - ### Security assessment facilitator -[Security Reviews](/assessments) are part of the ongoing work of the group +[Security Reviews](/community/assessments) are part of the ongoing work of the group and led by a security assessment facilitator (referred to in the rest of this sub-section as a facilitator). The facilitator is responsible for: @@ -368,6 +363,7 @@ goals, the meeting facilitator has the following responsibilities: Effective facilitation includes (but is not limited to) the following activities: + * Setting the agenda for meetings. * Extending discussion via asynchronous communication to be inclusive of members who cannot attend a specific meeting time. 
@@ -391,7 +387,7 @@ One or more of the following: Any member who meets the above qualifications is encouraged to add themselves to the [list of people in this role](/.github/settings.yml). -### Meeting scribe(s) +### Meeting scribe Each meeting must have at a minimal one scribe and preferable with two. @@ -407,7 +403,6 @@ Scribe is expected to perform the following: * Add links to issues being discussed if not already in Agenda. * Open new issues to track action items from meeting. - ### Triage team All members are expected to review Pull Requests (PRs), comment on issues, and From 40e2dbe21820eda8ebd78eb05b101ef7e5eb119c Mon Sep 17 00:00:00 2001 From: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Date: Fri, 5 Jul 2024 22:13:32 -0700 Subject: [PATCH 34/47] feat(blog): establish blog guidelines (#1311) * chore(blog): initial structure for guidelines Signed-off-by: Brandt Keller * feat(governance): create blog guidelines initial draft Signed-off-by: Brandt Keller * fix(lint): update to fix linting Signed-off-by: Brandt Keller * fix(cspell): update spelling config file Signed-off-by: Brandt Keller * fix(blog): add revisions to guidelines Signed-off-by: Brandt Keller * fix(lint): fix linting for blog guidelines Signed-off-by: Brandt Keller * Update governance/blog-guidelines.md Co-authored-by: Eddie Knight Signed-off-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> * fix(blog): update for revisions in submissions Signed-off-by: Brandt Keller --------- Signed-off-by: Brandt Keller Signed-off-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Co-authored-by: Eddie Knight --- .github/ISSUE_TEMPLATE/blog-submission.md | 18 ++++ ci/spelling-config.json | 8 +- governance/blog-guidelines.md | 113 ++++++++++++++++++++++ 3 files changed, 136 insertions(+), 3 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/blog-submission.md create mode 100644 governance/blog-guidelines.md 
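Review bot: the heading change to "### Meeting scribe" fixes the broken anchor, but the first body line under it, "Each meeting must have at a minimal one scribe and preferable with two.", is still ungrammatical; while the heading is being touched, make it "Each meeting must have at least one scribe, and preferably two." One observation from the unchanged context just above: members are invited to "add themselves to the [list of people in this role](/.github/settings.yml)". If that file is consumed by the Probot Settings app, as `.github/settings.yml` conventionally is, a pull request against it changes repository collaborators and team permissions rather than just a roster, so those PRs should require a Chair review via CODEOWNERS before merge.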
diff --git a/.github/ISSUE_TEMPLATE/blog-submission.md b/.github/ISSUE_TEMPLATE/blog-submission.md new file mode 100644 index 000000000..6fa402044 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/blog-submission.md @@ -0,0 +1,18 @@ +--- +name: Blog Submission +about: Propose and author a blog article for publication on the tag-security.cncf.io website +title: "[Blog] some descriptive title" +labels: "blog, triage-required" +assignees: '' + +--- + +Description: What's your idea? + +Impact: What is the purpose of this blog post? + +Sponsor: If applicable mention a related issue or the related working group this blog originates from. + +Additional info: +- Reference to supporting material +- Links to related site diff --git a/ci/spelling-config.json b/ci/spelling-config.json index 4bb829b69..ca98eb92f 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -54,6 +54,7 @@ "Fianu", "FIPS", "Flibble", + "frontmatter", "Gamal", "gconv", "helm", @@ -61,6 +62,7 @@ "HITRUST", "hotspots", "hyperconverged", + "Inclusivity", "intercompatible", "iscsi", "Istio", @@ -106,25 +108,25 @@ "PEAR", "pearweb", "PHP", - "protobuf", "Pronin", + "protobuf", "ptree", "pyproject", + "Ragashree", "Razzak", "RBAC", "Rego", "Roadmap", - "Ragashree", "runtimes", "sandboxed", "sandboxing", "Sarbanes", - "Sergey", "SAST", "SBOM", "sdlc", "seccomp", "semgrep", + "Sergey", "Shlomo", "Sigstore", "SLSA", diff --git a/governance/blog-guidelines.md b/governance/blog-guidelines.md new file mode 100644 index 000000000..601501580 --- /dev/null +++ b/governance/blog-guidelines.md 
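Review bot: the new issue template makes the sponsor optional ("Sponsor: If applicable mention a related issue or the related working group"), while the reviewer criteria in governance/blog-guidelines.md, added by this same patch, make it a hard requirement ("Submission is sponsored by a STAG Co-Chair, Tech Lead, or Project Lead"). Align the template with the criterion: ask for the sponsoring Chair, Tech Lead or Project Lead by GitHub handle so reviewers can verify it, and keep the related-issue field separate. The ci/spelling-config.json hunk that moves "protobuf", "Ragashree" and "Sergey" into sorted position is the right fix for the ordering.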
@@ -0,0 +1,113 @@ +# Blog Guidelines + +## Introduction + +Welcome to the Security TAG (STAG) Blog! Our blog is a platform for sharing insights, experiences, and knowledge about Cloud Native software and the community. We encourage contributions from community members to help educate, inspire, and engage others. To ensure quality and consistency, we have established the following guidelines for content creation, submission review, and the overall value to the community. + +## Proposal + +Everyone is welcome to propose a new blog post using the [blog submission template](https://github.com/cncf/tag-security/blob/main/.github/ISSUE_TEMPLATE/blog-submission.md). Blog article proposals are meant to capture the intent of authoring one of many topics covered below. + +## Content Creation + +### Topics + +- **Cloud Native Projects**: Share updates, features, and success stories. +- **Technical Tutorials**: Provide how-to guides, coding tips, and best practices. +- **Community Stories**: Highlight contributors, events, and community achievements. +- **Working Groups**: Proposed initiatives, Updates, and calls to action. +- **Opinion Pieces**: Discuss trends, challenges, and the future of open source. + +### Writing Style + +- **Clarity**: Write in clear, concise language. Avoid jargon unless it's well-explained. +- **Engagement**: Make your post interesting and engaging. Use anecdotes and examples. +- **Accuracy**: Ensure all information is accurate and up-to-date. +- **Inclusivity**: Use inclusive language and be respectful to all readers. + +### Formatting + +- **File Name**: Blog Files should be dash-case `.md` markdown filetype. +- **Headings**: Use appropriate headings (H1, H2, H3, etc.) to structure your post. +- **Paragraphs**: Keep paragraphs short and focused. +- **Lists**: Use bullet points or numbered lists to highlight key points. +- **Tags**: Include relevant tags in the blog for filtering capabilities. +- **Code**: Use code blocks for any code snippets. 
+- **Images**: Include relevant images and graphics to enhance the content. + +### Front Matter + +The start of each blog document should contain the `frontmatter` information. + +Required `frontmatter` fields: + +- **title**: Title-case title for the blog post +- **author**: Name of blog post author + +Note: **date** can be included but will be appended to the `frontmatter` when publication date is decided. + +#### Example + +```yaml +--- +title: "New Informative Blog Post" +date: 2024-06-26 09:00:00 -0700 +author: R. Raccoon +--- +``` + +### Length + +- Aim for 500-1200 words. Ensure the content is comprehensive yet concise. + +## Submission Review Process + +### Submission + +1. **Draft**: Write your blog post in a markdown file under `tag-security/website/content/blog`. +2. **Pull Request**: Submit your draft in a pull request. + +### Review + +1. **Initial Review**: The collective team will perform an initial review. +2. **Feedback**: You may receive feedback and requests for revisions. +3. **Revisions**: Address the feedback and resubmit your revised draft. +4. **Final Review**: The team conducts a final review to ensure quality. + +### Reviewer Criteria + +1. **Content**: Submission abides by all `Content Creation` guidelines established above. +2. **Sponsor**: Submission is sponsored by a STAG Co-Chair, Tech Lead, or Project Lead. +3. **Existing Content**: Submission does not duplicate existing material. + +### Approval + +- **Acceptance**: Once approved, your post will be scheduled for publication. +- **Notification**: You will be notified of the publication date - a repo maintainer may update this field prior to merge. +- **Merge**: A repository maintainer will perform the merge once accepted. + +## Value to the Community + +### Education + +- **Knowledge Sharing**: Help others learn new skills and techniques. +- **Resources**: Provide valuable resources and references. 
+ +### Inspiration + +- **Success Stories**: Inspire others with success stories and case studies. +- **Innovation**: Encourage innovative thinking and solutions. + +### Engagement + +- **Discussion**: Foster discussions and interactions within the community. +- **Support**: Offer support and encouragement to fellow community members. + +### Growth + +- **Visibility**: Gain visibility for your contributions and projects. +- **Network**: Call for contribution to get others involved in initiatives. + +## Conclusion + +Thank you for your interest in contributing to the STAG Blog. By following these guidelines, you help maintain the quality and integrity of our content, benefiting the entire community. We look forward to your valuable contributions! From 41bf4346b4e3ef7e7e6fb98599e5f933eadb6043 Mon Sep 17 00:00:00 2001 From: Shlomo Zalman Heigh Date: Wed, 10 Jul 2024 15:29:40 -0400 Subject: [PATCH 35/47] [Blog] CNSC 2024 Takeaways (#1315) * Blog post: CNSC 2024 takeaways Signed-off-by: Shlomo Heigh * Schedule blog post for Monday July 15th Signed-off-by: Eddie Knight * Update blog post datetime Signed-off-by: Eddie Knight * Update blog post datetime Signed-off-by: Eddie Knight --------- Signed-off-by: Shlomo Heigh Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- ci/link-config.json | 2 +- ci/spelling-config.json | 8 ++ website/content/blog/cnsc-2024-takeaways.md | 105 ++++++++++++++++++++ 3 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 website/content/blog/cnsc-2024-takeaways.md diff --git a/ci/link-config.json b/ci/link-config.json index 0e43c9de4..95daf4d03 100644 --- a/ci/link-config.json +++ b/ci/link-config.json @@ -1,5 +1,5 @@ { - "aliveStatusCodes": [200,206,402], + "aliveStatusCodes": [200,206,402,999], "fallbackRetryDelay": "10s", "replacementPatterns": [ { diff --git a/ci/spelling-config.json b/ci/spelling-config.json index ca98eb92f..eabc7a458 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json 
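Review bot: three points on governance/blog-guidelines.md. The Proposal section links to the raw template file at `https://github.com/cncf/tag-security/blob/main/.github/ISSUE_TEMPLATE/blog-submission.md`, which shows the markdown source rather than opening a prefilled issue; link to `https://github.com/cncf/tag-security/issues/new?template=blog-submission.md` instead, and note that an absolute github.com URL here is inconsistent with the repo-relative links used elsewhere in this series. Under Formatting, "Include relevant images" should say that images must be committed to the site rather than hot-linked from third-party hosts: a hot-linked image can be swapped after review and leaks reader IP addresses to whoever hosts it. Under Review, "The collective team will perform an initial review" does not say who that is; name the role (Chairs, Tech Leads, or the blog team) so submitters know whom to ping.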
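Review bot: adding 999 to `aliveStatusCodes` in ci/link-config.json makes the link checker treat the 999 response that LinkedIn returns to automated clients as a live link (the post added in this patch links a LinkedIn profile), but it also means any dead link behind a host that answers 999 can never be caught. markdown-link-check, whose option names this config uses, supports `ignorePatterns`; an entry scoped to linkedin.com keeps the exemption explicit and narrow instead of whitelisting a non-standard status code globally.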
@@ -12,6 +12,7 @@ "antifragile", "APAC", "archives", + "ARMO", "ATT&CK", "backdoors", "Benedictis", @@ -33,6 +34,7 @@ "CODEOWNERS", "Configu", "conftest", + "Conjur", "coreutils", "CrowdStrike", "cryptomining", @@ -50,6 +52,7 @@ "exfiltrate", "exfiltration", "explainability", + "exploitability", "Expressibility", "Fianu", "FIPS", @@ -57,9 +60,11 @@ "frontmatter", "Gamal", "gconv", + "GUAC", "helm", "HIPAA", "HITRUST", + "Hirschberg", "hotspots", "hyperconverged", "Inclusivity", @@ -75,6 +80,7 @@ "Kube", "kubecon", "Kubernetes", + "Kubescape", "Kyverno", "libc", "libgcrypt", @@ -115,7 +121,9 @@ "Ragashree", "Razzak", "RBAC", + "RCOS", "Rego", + "Rensselaer", "Roadmap", "runtimes", "sandboxed", diff --git a/website/content/blog/cnsc-2024-takeaways.md b/website/content/blog/cnsc-2024-takeaways.md new file mode 100644 index 000000000..8c2bee9c0 --- /dev/null +++ b/website/content/blog/cnsc-2024-takeaways.md 
@@ -0,0 +1,105 @@ +--- +title: "Securing the Cloud: Insights from CloudNativeSecurityCon 2024" +date: 2024-07-10T13:30:00-04:00 +author: Shlomo Zalman Heigh +--- + +I recently had the pleasure of attending and speaking at the CNCF's +[CloudNativeSecurityCon 2024](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/) +in Seattle, WA. The conference brought together security professionals, +developers, and industry experts to discuss the latest trends and advancements +in cloud native security. The keynotes, breakout sessions, and networking +opportunities provided valuable insights into the evolving landscape of security +practices. Here are some key takeaways I gathered from the event: + +## Industry Progress in Supply Chain Security + +At the conference, we witnessed significant advancements in supply chain +security. Three notable projects stood out to me: SLSA, GUAC, and VEX. + +- **SLSA and GUAC**: Both SLSA and GUAC aim to improve transparency and trust in +software supply chains. By defining different maturity levels of supply chain +security (SLSA), and providing a graph to visualize and reason about it (GUAC), +they helps organizations make informed decisions about the components they use. +It was clear to me that both SLSA and GUAC are gaining tremendous traction in +the industry, and their adoption will surely enhance visibility into security +posture across the software supply chain. + +- **VEX (Vulnerability Exploitability eXchange)**: VEX addresses the +overwhelming number of vulnerabilities detected during container scans. It aims +to allow teams to prioritize and handle vulnerabilities more effectively by +knowing which ones are more likely to be exploited and which should be treated +as false positives. There are a few implementations of the VEX standard, and +there were several talks at the conference discussing how to integrate VEX into +existing security workflows. We'll cover this more a bit later in this post. 
+ +## Trends in Identity and Workload Security + +The industry is shifting away from long-lived credentials toward workload +identity. SPIFFE (Secure Production Identity Framework For Everyone) has gained +prominence as a standard for workload identity. This approach enhances security +by ensuring that services can only access resources they are explicitly +authorized to use, without the need for long-lived credentials which are +prone to leakage. + +[Session link](https://sched.co/1dCWN) + +## Lighter Systems: Operators Over Sidecars + +Traditionally, sidecars have been used to enhance container functionality, and +provide authentication between services. However, the trend is moving toward +lighter systems like operators, which don't require additional resources for +each pod and therefore scale more efficiently. In particular, we saw Istio's new +Ambient Mode demoed in the keynote by Lin Sun. This feature is still in beta, +and you can learn more on the +[Istio blog](https://istio.io/latest/blog/2024/ambient-reaches-beta/). + +[Keynote link](https://sched.co/1dCVF) + +## University Open Source Centers and Student Involvement + +One of my favorite breakout sessions was given by two students from Rensselaer +Polytechnic Institute, Ben Smith-Foley and Sam Begin. They discussed how +University Open Source Centers, such as RCOS (Rensselaer Center for Open +Source), provide students with valuable opportunities to learn and gain +real-world experience. These centers bridge the gap between classroom learning +and practical skills. Students can contribute to open-source projects, document +their processes, and tackle "good-first-issue" tasks. I always enjoy hearing +about initiatives that encourage student involvement in open source, and I was +inspired by the work these students are doing and hope to see more universities +adopt similar programs which are beneficial for both students and the +open-source community. 
+ +[Session link](https://sched.co/1dCUW) + +## VEX: Automated Vulnerability Prioritization + +As mentioned earlier, VEX has been gaining traction as a way to prioritize +vulnerabilities detected during container scans. I had the privilege of +delivering a presentation on automated generation of VEX documents using +Kubescape along with Ben Hirschberg, CTO of [Armo](https://www.armosec.io/). We +discussed how [Kubescape](https://kubescape.io/) can be used to generate VEX +documents through runtime analysis of containers in Kubernetes, and how we +developed a new +[GitHub Action](https://github.com/kubescape/generate-vex-action) to automate +this process. + +[Session link](https://sched.co/1dCWE) + +## Conclusion + +There were many more valuable insights and takeaways from +CloudNativeSecurityCon, and I encourage you to explore the conference schedule +and watch the recorded sessions once they are available on the +[CNCF YouTube channel](https://www.youtube.com/@cncf). I'm excited to see +the continued progress in cloud native security and look forward to attending +future events to learn more about the latest trends and advancements in the +industry. + +## About the Author + +Shlomo Heigh is a Senior Software Engineer at CyberArk, where he maintains the +[Conjur](https://www.conjur.org/) open source secrets manager. He is a +contributor to the CNCF's TAG Security and an OWASP chapter leader. You can find +him on [LinkedIn](https://www.linkedin.com/in/szheigh) and +[GitHub](https://github.com/szh). From 69063b35c9697f3244d287e51852788da4bfa050 Mon Sep 17 00:00:00 2001 From: zerb4t <117054988+zerb4t@users.noreply.github.com> Date: Thu, 11 Jul 2024 17:45:21 -0700 Subject: [PATCH 36/47] compromises: polyfill.io publishing infrastructure (#1314) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
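Review bot: Subject-verb agreement in the SLSA and GUAC bullet of the blog post hunk: `they helps organizations make informed decisions` should read `they help organizations make informed decisions`. In the same section, the intro sentence counts VEX among "three notable projects" while the VEX bullet itself calls it a standard with "a few implementations"; calling VEX a specification up front would keep the two consistent.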
Signed-off-by: zerb4t <117054988+zerb4t@users.noreply.github.com> Co-authored-by: Andrés Vega --- .../compromises/2024/polyfill.md | 26 +++++++++++++++++++ supply-chain-security/compromises/README.md | 1 + 2 files changed, 27 insertions(+) create mode 100644 supply-chain-security/compromises/2024/polyfill.md diff --git a/supply-chain-security/compromises/2024/polyfill.md b/supply-chain-security/compromises/2024/polyfill.md new file mode 100644 index 000000000..9bfaf0b60 --- /dev/null +++ b/supply-chain-security/compromises/2024/polyfill.md 
@@ -0,0 +1,26 @@ + +# Polyfill.io Infrastructure Takeover Leading to Malware Distribution + +In February 2024, a Chinese company acquired control of the `polyfill dot io,com` domains, and the `polyfillpolyfill` GitHub account. + +In June 2024, Sansec observed malware being served from the `cdn dot polyfill dot io` domain. Other researchers discovered some of the malware's functions referenced in other domains including BootCSS, BootCDN and Staticfile, and based on exposed API keys in public GitHub repositories, proposed the same threat actor is behind all the domains. + +## Impact + +* While the observed malware only performed site redirection, malicious control of `cdn dot polyfill dot io` could result in arbitrary malicious JavaScript code execution in users' browsers. +* Namecheap shut down the domain for a period of time, and some threat feeds flagged the domain as malicious +* While polyfills shouldn't be required in modern browsers, and despite the project's creator warning users since February to steer away from the `polyfill dot io` domain, this incident prompted Fastly and Cloudflare to offer safer drop-in replacements +* Google Ads started disapproving ads pointing to sites using the affected domains +* Sansec estimated this incident affects over 100,000 websites, and Cloudflare's CEO said about 4% of the web used `polyfill dot io` + +## Type of Compromise + +This is a _publishing infrastructure_ compromise. 
+ +## References + +* [Sansec Research](https://sansec.io/research/polyfill-supply-chain-attack) +* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/) +* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfill-claims-it-has-been-defamed-returns-after-domain-shut-down/) +* [Fastly Community](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540) +* [Cloudflare Blog](https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 41abf6e4f..c6e805610 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -30,6 +30,7 @@ of compromise needs added, please include that as well. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) | | [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) | | [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) | | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) | From 1f24478023d92c76372e92e478238a04cafd1658 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 17 Jul 2024 16:28:37 +0200 Subject: [PATCH 37/47] style: tag-security logo max size (#1325) 
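Review bot: The defanged domain in the first paragraph of polyfill.md, `polyfill dot io,com`, reads as a typo; if both domains are meant, write them as `polyfill dot io` and `polyfill dot com`, matching the `cdn dot polyfill dot io` form used further down. The heading and the README row spell the name `Polyfill.io` undefanged while the body defangs every other mention, so pick one convention for the file. Minor: the Impact bullets end inconsistently (only the first carries a full stop).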
Signed-off-by: Marco De Benedictis --- website/themes/docsy/assets/scss/_logo.scss | 3 +++ website/themes/docsy/assets/scss/main.scss | 1 + 2 files changed, 4 insertions(+) create mode 100644 website/themes/docsy/assets/scss/_logo.scss diff --git a/website/themes/docsy/assets/scss/_logo.scss b/website/themes/docsy/assets/scss/_logo.scss new file mode 100644 index 000000000..67566e964 --- /dev/null +++ b/website/themes/docsy/assets/scss/_logo.scss @@ -0,0 +1,3 @@ +img[alt="Cloud Native Security Logo"] { + max-width: 500px; +} \ No newline at end of file diff --git a/website/themes/docsy/assets/scss/main.scss b/website/themes/docsy/assets/scss/main.scss index 8e28901e7..f85d894ba 100644 --- a/website/themes/docsy/assets/scss/main.scss +++ b/website/themes/docsy/assets/scss/main.scss @@ -27,6 +27,7 @@ @import "section-index"; @import "pageinfo"; @import "table"; +@import "logo"; @if $td-enable-google-fonts { @import url($web-font-path); From e9d4bddd794f25ed7bbe85ef67eb7cb6cb3d5254 Mon Sep 17 00:00:00 2001 From: Gaius Date: Wed, 31 Jul 2024 20:17:24 +0800 Subject: [PATCH 38/47] feat: add Dragonfly self-assessment (#1326) Signed-off-by: Gaius --- .../projects/dragonfly/images/arch.png | Bin 0 -> 22240 bytes .../projects/dragonfly/self-assessment.md | 367 ++++++++++++++++++ 2 files changed, 367 insertions(+) create mode 100644 community/assessments/projects/dragonfly/images/arch.png create mode 100644 community/assessments/projects/dragonfly/self-assessment.md 
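Review bot: `_logo.scss` is added without a trailing newline (`\ No newline at end of file`); add one so the next edit to the file does not show up as a spurious change to its last line. Also, keying the rule on `img[alt="Cloud Native Security Logo"]` ties the styling to the image's alt text, so any wording change to that attribute silently drops the `max-width`; a class on the image or its wrapper would be a sturdier selector.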
diff --git a/community/assessments/projects/dragonfly/images/arch.png b/community/assessments/projects/dragonfly/images/arch.png new file mode 100644 index 0000000000000000000000000000000000000000..57f9617bec283a579f3ae49c008f435d551b3200 GIT binary patch literal 22240 zcmb@tWmFtN*DZ_$3m)9vW^gBHu;3Eh-F*m7aQ6U%ySux)3;_ZJcfugS!eAlTCC@8= z@BP;L=Fe20Q)kycyQFJ%bw{hIe8hZ9`W6lj4pUxE`V$-+A`}h|!5J0t)v`;WK?DZ} zKc}XoDf9C3LOOEx?c29kySTWxf`Y=z$_fby2_hn*g@r{ z5EBy3SbFfj1&@ML6U$jQmMxw&a+X-`j28yXr22ncFxYptxTP*70H%gZk>FWcMOsi>$V zBqXk`t~@h^Rd?Xz>s;sPh zLl2yvpKoev+S}VB?$~BzWF#mVzqz>?8X6iI89`GvB5GNCmrza8^Rv3T8pGW4=g*(W z+@gqNG}zu>F>M2I!wcVPSYbJbqXcA5}e`pfa)kbJT56dfUIQRcj9IwlL;>8_- zC(pkGau@M`_#jg8PL-21PGAe9OQ4QZY+CzO*P%vEA2^Sf1tvB5I}i$bY@LZiw!KE0 zXBhp)l&jo)-y6V_z3GK3C&b z1VGQE?(W`JpMbjm)cWl8{6W#VKd=I-PN=Rx#(Nt8Gb2_3028^$D>s(rW7GZdB1+bg zq1E{xC8^L#xyDppy5?i~qFpgo4MrWN)SetW!Tlaa-F0*Tm#x=|0`UK%_Vkly| zA(U)Zo05)^Df$Dy{z%4Gni@T!SX_Ascbd&JbJQ`e6(dD|5a+G2c-cTcq?@LKn)EkZXe4hPx``?T59i`OGoxA6i~#S2Gygj$&u;_vTQVB4_g< zc;}gLXJ?dsH_^9+2iy776YNss#vG>iRwLrnpE2bxX(O2jJ%BFElD!#!T1tgbehS~) zmtjva32iXv^CM!Ub6!c8n2vTp*p3y~imxv39PaT;l#nVft85 zj3gG@T5VBVcM1Z#5F7ZUp%(f~%*YgI8XEaf#%zJ0W<4%Aing(Jp#0#Oa;K6=f-iJ* zwMz|rRhvINb>W=`x=f8)^Yl4tavzL!w4a~h)+P)2pF6e?mPgih0rhreuzZOvO)<1s z*mxDBIHvNbs8Xc%Vr)=R(wGrFTu7&LRzlanlMA zt(tDo-H7p&5|jnWO2db;uY9N)peiXzs05|NKV27SUbIn@e}&M7*e#)$SLxjI2zD9t zglae)wqeCM#grXTD|e4BK0nua=$vo$EplsgVhr|F_P`yt7*ByuWaK{R9W;n!MrN4n zcR{{rtIz13C>DIs3|7gSv-#p$NAdU0i$x_`_&b-jYJ<-vxSPYS^_zBHIkPhKl6a&{ zy%GxH8Hjt9&qN#LHdEl%kCE^l)H)Y1P=Q{yBdcR_4EVD9QdjJ>2x0(G6Gyv%UghQi zjV@mOY@=@EN&U*1VQ90`B%Bc2$LZc5rD0!?%|l(&d5^~ zafXbdNm)Ur_33Q!w^uiP!0wv_h+fN!-2!Y*Ad>IF_GmthPMS>wGKX`o}fB z`;q+u>xkyXJOZ)0z0?_9&H39JYiC82k1ZaXgG3q%RP9|0U3S$|rQuwdaYsk&#|qLM zUW!clwm+=F@$$k&@2zpq;uX4*mZmclTJhe-1N9@7?AHD(fk)E|rR@2MB2ND?uOL~q z2x~mlC^D&zl8RHfSvVNzk7AUqaJ*95OC;9yL z`dC|^U1KXEf2PrG{~;h;zG)EeGmFhBv(cie_RLBx=hQF`_YdqVI7j@!0X`fu$yCov zn@00a^2@PyNn}R|dP~#~#=gBgL8T*pv+gKu{eX@B1Q6-4l`v~v^$pz8L|Q+h1CF69;WBIq(SbVbkD 
z*cfDLBikr)KMeB1-CdiEfj+q=5gn!Q8xQK(_~6UDG7%XW`n{?-)%wcA)0;y{`*U`K zk@OT>-~hSPUuz9i6;0M{RD@NT(;q5jr6wGmY_y~!I;0_-!Q5X4m2#nU;xjAm#uaJf zW^~QwK63FLY>{>-#XaFb;D6Cbiwqn1z>DL)x6XB-IYmM2g9stPw`WQre%_Nvh;l|C z?jF7D;Kh}xn}H#%;05_nwTn%|WHPjeiK*cq?(C(7l!PZtWB*GX)FAz^53MR=qVl|P1P4>YeH%Rr}c!RxcBsruoTaLzx%s(SbTJi93IXu>@sW+6x6FX>I)}V7e&;V7q%8DT zTt_7ti0wZp+OsX7h zU8`jt^p_$#Gzx!rgGd%kiOUbC6Qn~r%o+X5!phA@R-b9J+MW?yBen5fpxJK-afd*x5Nh{y|DmZZ%M8y_dg2BPhK)bhSAE#CeQ zKogRZdHyRv#ry1#lvjWu(66_wPK_Iph?83xcxVn$no|pFo9$u{)9xi$Rvs?F)FL6C zJ&pi@t zIJJpHF}o4Z1w)NMMq68fq*7P2_KB!fIN7wdxMBRoH*vP~_|+Pyj-0Na@F^PS6J|U5bI3+JczlEWv^t)3w31z8V{9RH4M6yzf54?c z&VOyuNpeI7D^La2d#WOISTWcA=v&sUeljkj#ud{U{{crZ3|AI7Gayyd0ngFi(`wl$ z^)JW=*;UgZAgVl`IqkUD)@n7rb&WNR;}lWG=UQSSp`ZbUc#$M>wdZo1wcT~fAQ(3g zClXUsx2`0Rusb+R*Xo`WdE)KttilOb{};yR&zG{+FY1i%y;C_Y7Xr}F?zdY2j-9N2 zkQ`K^vC8dzR;KirGJJavK~90vD{<4#A;8QNv$mdCjGz@&1OU8bHP9K# zy^2E|Zu)k(Xp?lQssVbTY*8M!$dCae-g4Hi-fRdi@Xh+m%eX^WAMbhQ>_5Udp{Bk@J{RlNJFAVuhw%IneNlM=qM~Ms7H~M zX&9Ab$k=@}0b11#r+uc1U{J5SKHSc=^Bc7nUAF)|2XOP#9#gQrCmf$k@-;*APGVVp z6caF%Q7P%DtFEd=EQ0kS6?2k!rwZTNKJ;l!ARF{gsvD98Xm zP(-m9M~u=J%+~K2T?O@NzAt=D5BzkAKty6VqTV1XM1i|O)bK$J!~W*y08T%<3xiY# z0~VQYgQ3a`B{jpqah2|K7=7(fnU;S4EQn}_z~ZNiYo0K!{XY#0!zli0h+6ckP*)m- zZ%g5@gfv4ue4wxTrHu#mLZR_wr)yWw;zh$nh-8)$_1f;pHCKM8wIy%FUj+<>QWtR$ z&se^3)M33d%`DrU1Jq{g_NjcepJIu-Cn6_umGBJvH$)sKhJ;$n^;P;Uq}+WCgTBgE zU-W79A~o0tenQ=PNMk`{O@vRe9Od3LS8p_|g+EMdPty5@8;RMgOBpQlT-$Gc4;VuC ztkDM4lCcE_ZRS)pZiJFx&sdutp*a5sALrv&G~2WX*NQlZ*s3*km_6I_7J_c8_&707 zK{`zBykA*^wAe3Xp<4HK1h`KbOzk=+U#z4a8t9o|AM^o^!!U&DD+da{@EBNM>~{czdVR7D_E6;!TC`_Q2E_j+JDAC zq8q+SWcp0dDS8rpI-)BUAhwnCcQktsJ5jrFJo{g&j8XdkEFIJH+r1u}E%W+xpLOyL z6S-)81Mst#Uni0``?rqr#(RO?P|es|!h!c~zlQt{WvYtEE*kp{;pBL$<<{Otpj44zHlNuDbZxLA}nE6@_AGj(Zj0-7VVtbs!Y~_dEF9&pd z18gtt`$6t=2&^yjF#kjXZ*$aMR75x8-L#jG#4G>Kga$aFEGi14f|YMFzxbJA104kj z%%z#!hugq0P#`@cb;qyt8);hk&;^dd(Rua>{#dBpgec#AM$ViB$QA`ZevX|0wV<4{mjo}TvP*qN2 z^$1y7F2cigd&w^K>v)%2QO(%j3@}o`Z?S~iA1~k}4}+}Ia4Jq|rLBL&Z2r-3ioas( 
zX;CjhuKnJnlXA;%KB6)Eym31x$1pZh!W20}Pft&14FLjt*SsC%^uDH#J>5>%bM1QE zA#{c5-+by>zYjy1F2+Y+3nrkJjzv5sHZ5Hl7x%liOF6`& zY;oU-qYV10weulvFGq>EPz<$DhB}{Z*V?7f7GQCXU`!;>r?jgvWT_V$)Y+K!Dd}Sncb+NT|;=OHipp zWzPmUPVz`6$=C!U6z@Dhdq8ydITReBblXzqY~NGeeJXiey2e!1C3!XL%8I*fjc%UK zVO7cb=YFfd#>Oa1iB()L&6~fSH|PH1(a@fp|Cl8~K!mctI`f6e25V zE*iBhz97!!K_%WSJM=y3-03n5n&uTF>Q6Vr!S(*lgdh{qb58jkPrk9P;s;sgZ&$Bw zfl)Xt9%OqOuQWLNqQi1$^Knr#z7MoF%8tnmB23qz!S4|TO(XRq*HI)UIHIpzaG92n z;3$cnFyUs=C_d!EAMJ7?sGY2!G&q;Mj77r_=$^2?#9sxz&K?Q4AKWo;e~ ztR|GyR6n2J=D&=93e`wb6N|oum(KpioOIXx?!2jb??IqUBsF3Q@!_8A?`BW_g=c}s zg#>f|4H^{B7I(!(LZ36O-W6iJ3V1Q>d@9Ksr(RvG&e*(m=)|^2XbAamTy|IaA0|v{ zBou80)Y|I~^cum|Zxzh^Tq2#I;9K{l&Gl2cXC!My!12U1fXUZ=NzF9%h!-+l3}xu5 zD}@?18){e)v*fjUN&i;@5;7UYQ$KZ)=;?EvI!o!9zfrp|# zn%^usDrDGrDTN^hx94s<9S++7VM>9wRSYq^^KGN5()6jSQj+&?UHs?>Zsy?bmB~pEdJbUJ013iL%q#{9sE~Kf61)thBrxBQF3KHU5 zn(PLb^#t3T@*zaPaBee2(4fmqsj3dISwQq~-^=7xCJ86a(k1yBx)ZTvYw2;NKBzar z3l$o^rfMVnF6ns)Tps)-O_6q#?_vuDUzjI#mPO9sI}t=i@;TDRO@X?w~>v_b{m;sV8O;plunOCm(g*SWp zL(!i(#jZL5po1G}{7Wg(tA<-5HyNoD1OufYC3#F1f z_xZLD%bKbP3Td)_Z_?Go_@P3-S=qYS#dCC&C7AOUWmAWhcJl!OLhqt_de+OU4U%hu zX;~#ZmoNe8T}X0bg@)H3AwXjpjeru!WS)V>IqG_49iu{I7YtQYijC+Tx0|l@Fe>Lv zI)en=7z@_zUF%uoLQJ$gPne=6rVS;8F}lglEH`xx4PpL@Xg?OrX$?O+zRoE#6ff$K zPsY|p!NY;rv`;})=PVwFFI3DmhDdduDJR=cypKK{W`o3I{I?%)*57@@fPEn+MyGxM zMlw=*EFxge>BBq8`wZ{`1+Nzk0kskJUuVQ7;V=)PntHRj)RT{W9mo);m`MQ!~dbcCgYZQNszSsHiXg*)*azyknk)pv&)egh)8db zU1p?Copq*zh$GH+z+^fm%2-razur32Nl^CRCBt}9D@g1`rP5g|j?if#d+_)8j>lww zN0BDZ>(s=op>9auf&sbaPDBHRZ+QPfzCCbX@vi)D86Jv`+@TH)BC50leEB76E|Rsh z(&?$=wR5?eym-ULMCD^4QEB)ql1bu6WPfE$5WHUdPZtb~$G>Hcy-w4@%9AeaS%+Im z0{xU5t42&k{_pfZzva<6*C@nqnB_~s!w$`3R$$x9#DJ~^Al#$+JO#DbvbOvpoOo_^ zDgQf40aQ_c2N|y*_qOe#u186-kT&~VfikLCdI5 z-#22Y-9c~fZmZ- zi)i5^@Zt70RT>|~)qnP0zs`Q;vZW6 zmZvIM)XHymt=EU;v?p3v?a(dwH4{7dr-ASuBf#wRJiMQJ6=)bRGQz7=4tUY1?fL>( zRsajcdsBP|-o^FT8KUIo#ATi4g8e=$59U>EaAH=QvymF%7w=ZkbvSB@5#5Z-hU?~{ zjp#6jp?<+=38#TsSz8-_oBh_q1IU-FaWNpE<;OEf&}aM`sC%zGkmfP=9!v#pBISlo 
zuw@%>2{Br|ESTE_gw}8{Pke@A@aG>jwf>M_^=j|vFjasEBe892&HUtp1#$rc)2dlk zRaJT&`vVp`I*zX5ee6kNer$+=3ZJjP7lzuWg=150Oo(vT9cAzC}hb^~mG}>TFJLXdogMMS;3v#n|`C17YHG$IR-*oZuoa zGQRgyK+Ypg%|xf_N3PGd`t9pavcj2jyMjykwV0_b^!zW$`nBEk)r()GtAP!r?JW-a zPf`YdbDQOjedJKSK&x?ZqrN08lmYUyBN=e%-*>{9h<$Kf>TibmWKhI6mn=ODUk%Yp zkj^moDgT6I>~Z~I#w;@~o!7MSE=16 zs4KY##B~CvOPU*+6g6606hF{_`kfzbcdnjO7`>Xdrx_-rOJ+n{2Qa})8++G;atezPm$@!#*;e}t#D^&0vhGthN*Z^;7{5SjDm-|pt|!*R502WTyT zZ0G9I%i1Mx4^a;GMH`br14s6|7iZ&1ZVbM2sNC$Y%LN;1;G!OF)tVz{`G3Z({zP zN^l`ZC(tD1PV$YZI_9qT?~hPC96UU9bcd-1fH@hMBLht47iekbk*~A$L&vg|=T`Pe z9J?0AevWMW6|=R~Y8@b6tU)_InD+(@?AFd(UT|0FevkTOPqs`MVb;g&j&P#@WHh)xqwDL*lKr~oL8Ly z$9C<4A#P00$Chfob7XB=?27Vt1d`g^IsvnSDgD?w&Ju~*=x1Yu&g&JAjr!j;v=(dZ z#r^h1ZuaXQfjDrq#qbDj8S6D7$RBds&AEeUnvjn&z=2phi9^dz2KOrybm(Fa+H4Mm zE%*vhH^H*LESLHo+>Q6XR;Wd`-wzI2Lo>hc z5BRvj8Dhawo>a1MF1D3Xhu2hJl+nN7KwND+?&|*eNKKN0`(ngY8&2Kr2mD-i;hyzP zIFJNk*l-=>vn!*uLT_r4~Rk+JMT}Q?)T0@D=seQdav$xEPe|ZN`->` z-k5xq(DgZL0EK}gv49`{Q*0qA9b#eDKIf<*clz|Bs&QCp{gsSuh==(YNubSY0;Y6qoZCLXCQVUumQAf3Z+qO zW}wlNmEY!8jJ{%;nj!qjW#kcOPz)^73bfATjo^s|KOh6KSMjmXkS63zFifI(5QBCd z_25c?w9CovZ4M7#HKuED*isOHcNp4~P1E366|9{w6~@%ZMAFLar3Qs-e)Ji8f#k$j zYCO6=6YPK&A;n~l{)wKAgz-9R@N@RJtL@2rvZdc=)bd7uO^>{1X5Z+u@kz zACu?w-iO}`fVg47=P9OL$pq?w55x3791AiPzGj|z6y;(%&26nVDO;sxdOO}N-x{+Y zppto3`yJoss33<;pl`c#^raI$m_hGrh)9So#2>%MuHU(K9jb4)Dto(9dSBug8F~Aw z*Ngbg*lqZ|z24ul(D98xc}O{9c~02$)b$ZN8QslJ)PzQFF_CT=Wrq&m)ms^-+W`9A zNsX3oAkBv&W8-hW^ZZ?J|Iqq@3RqY+y{>_#?JQ6uk{{p0elbkZx*&E|WdG#4=K%F8 zH?+u)(BZ>*#Y+Y4QtufRq?L_|opi_TU(gHs zavh0D-knnR#%A9vm7Cw^wNtHx;&qhR2))j;1`z2SI_A-Ip0`kv=6JhGNkX)IGicom zdc8QF?X{hFo?RV(Kk{uMRL1508T6`os==O9;4fubVdZB=C#8A<%@-S+(odno(IeS|`x03WqboST@(atlv`BeudJQSW$>(+{76KuiuqHYQrDhae7Heh% zh~9nw9mtzA^HZR4uM#%F4U>k;g5lkC8XT80#_!Yg?e=0)TPrAGk{mWReJt`1=Z9*` zPi$DDixg*QI1Ap(@OkF-k9jF4)xmf}5Vk@l(Hu>@Ls6+nr5JwDy<4;V#CyY#4B%D*3 z4CAhojs7C7+0cK77C>5*3vb>P0_M2{6XtF8^jsaS8nJnNb*?Aw+58F^2REP3 zK&L6p;?{coBcmEXWTsGlgo*s`pL$wxg}z;e|B~txnkeKyH>Qc11TW;%TJO+hrF@~R 
z>55p5O%K16(*N0aJA>#^lwsmSb2Q70&+{91dejqJ+w^6K59MwQ=s+s9sK{v^&Gf^& zh`Y~A^>XzI{$4&P32kjH45PMIvg}G=QEQR!-iloN*=zKtB>CG|b7)!AAAejLqlIJ! zWy!Q5i1IG-#;e2Op94Xi#z=EP5T9@uGW{K)R7TDcDfRWHHUybgLnxJ&vqVlM`FEwf z;}kZ3L;#B@3=_it2k|`uLnSk|g*H^<;NKlm(t6UDaazY~K4WO^NP-_Z(uW8;XB_-R>3Ad_QoleWQa?(j>Kg2tHD z`U>yE1NvZ5!@Dc2c$yR|G%12@MMHnqNUM`;-j2JGFu`sNd?~Q%mGlPw>@xB#oZy1lf?kw9dU!|NX}Y?6tXTC!sL;b_O^M-7tmZu;`s)UDX6|;G z5WH%Tz`#pid9Q}uaeavmub38N#$-Jy7_0W)I+H!K37L6@jXRSYKQ{TK4Op1UcYGIi zikuV&T>+%ej3w|DxndEfA)fFWR=!EgmDIg0+CqF27ElH{9K`FO{&~tQ1c-=sfvv~; z@MUn|CTeeCloLZ<454|VQ#)u%m9U{A`)}HJVdIVKSkxpkuF>37@t+WMgcPjcA&KxF zSGZ|sf~}$87e^@HJVK5`Or%tuv)}xc+ln%jqm^aPMe0uK$#WuXN|=9*gf%jYVjw zivQW$UfaEIqY7?Putewljzc=KL%qyJ$vR&9TzXJm`}qnyE7i*?+k)&@C$WzFP2-_c zcqi7OHT{O6EiU#zQfLVclT7*+5$xMO)#xO!Wa(A9rY4TQ-m4N8G|%ON&pVTE59OvH z^BQc%$TP@rZ$cDvVOUcrqzKli-{@d22pBuFo!Pjxg<9Ea-;J0gcAz96{2??oxg9}D z4d==S2bx_N2WCa=3C6wb4VTagdRaKXC*Ik}z>-EnB9IQA=$Q^C!oVFR=92wl@%TXD zbcm$h?gNBA__&LRW|*%t@z*%QBOSb#9OC{y-s6T?_wZqGAlk)EKhQY9#FB+ZgPiEy{n@TM`TZ~Yxv<_wL z6GCW<5C$*cF8vePvimoV?uT2TSMm)5+5SH9@C|V!o?-LhLg*H~GW(OU*XakO1K+%# z-x#sSQfde~nu=j0=2lu;e<>ccl7G6|czT+Fg#)0ToM&nQYZX1)25U1*v_E7?tj+DO zdvhbWCPoy0KJTi!fARFZWsq6_^D587l?qUN#xw*e_Pcu=JLOf-Wc@3ZcNSD*09lWLqUKL#Q))T9j(0d9~a*S#5c5RrsJL)*J<&gF>tbV|fya zb>{VJMX>MRBGxxG16jusyTIaA0mRG=B4a&1iq23xM?C_2i=3wCx5acy{Xc^P|6I6z zdv{EedV%c0KYkL%g)Pq|u-$pjklVvKG`JC$Xjl}CUJq>@x#8V!vAnb+oo-L_E!J`Ns zWX0a&^456=6+Ib|h$dR+91MDX0}NiiiCj7D+7O1N?GmPjm>c9xK}y7y|)=sNPcho`i4Bpbb|YOo|^n>=`8p`(TiHLu=65f z;t*2nk`axUrXc0`BmV~gXFB7Jh9Y=8a!I9!$L>OK>r|jyxAtZ^x5sHpwf|YVOr`FHDN~F3u>2q;mGv?*^LXmm=XEq(iaCP_8`=jM9T;OLulS{b*7i zra#r=TqZQ~OVVq_kWf@d9jbIJlet8;Qll!7sL$j#f%K59{V zcD;YWcy5epEvR>xCY7D_;CpNqAJ_ExUI7!Q8xpr>JBoQqgmnK^3XuU{$QSt8s6%(l zATr>{TmaE)bb+c6t`?>9fB(IADw<+A{k$ffuDEjC63w38uwaL0#BPT2_l)yj-15}_ z238qr`m9uf)S+hO|3S;M_y^~kVDxG}ZkaUcGdxGwcjm}w0ic#E-?BBdVeaa2+o|KI zWS<&PX!m&+5N&0&F#q$_Vgd7;y-Ap~vJC4Tjkz2Ws+s)KV?HW*79OsYdVHwtAv^S^ z0C8r)KE^s@d%c>Mr%FA7D|-IgBRe~O*uF^KpX|9AVBwHbOYB>RelLjSLwheuqQwh`GE$?^w8 
zpMhR(_iJvzZPSFM^SI{55w9gmf>P%1#T(!MYSo>oPpp6Z=?edzS?#{xs$#Bq>ASCX z-KF}(_{X2Ai6cL*)GaJXzKDSbyi9%+N+nuLy}YjO{v!r{WHOlXy|tGjzPwlu89rvV zJEIt49@`W*NB5@8CbPUk)go8ShDZ2TpN-W7>-CsT$G#6?{1O`|lUIeP_4NtgFo20% z2RVNIHu)}4Pj$$Q#;2+^7W)RWHLq66u+}x0I7(toWtf5(`s0#UhQ0>puTa;|@@yMPAG43l*^DNHPcz#qRvnVoZhrk{W2M$5i^-Z z(#BV}=fxv8pbqkcJp|5OwfvEZ%?nH3a|5zG(&_%>%W8^O8*}LmYXqsfV~WD^PY;7E z$7}tSbA*@cKkhnYdDN1_8evAD1d4g@vL^GXr2fvmm9&ZBr?0j1cs|VIiKE%b`y;s$ zB~V*}V9&`IgZni>uR7yIgHCQSW1oi5{L-|t-W*{h0yTYwMtlw5)GYHZKeQaK>T@p* zb)cRb(1h%8X7S{e;Mhmt-Du^t0%k6@?Rtz&MNHrIh||wx{7=$e6`g_yl#Rlpo$hy0 zPum?};i?`7j?3Z?9e)vZ+UHpPxbc=%cJ)$F;O*N+H{1(M@LqD-0`?S8s5PH|GQr?J>oql#S!>~xw0bbn92-%^jamz~JNETcf{P+WDU;xm z!m8By8CRbEDH&G}}o_Nlg3PES(o8%BLC?KQh!0RdbH$*BDVDhc0>P zv1S8C5lU%K65xN;o3*YMq0$+Bl(LayH7_*(D{Ve(&ZC*zb3W0#A8w|H*bZxTJvZ#l zo7V39%YnDw&r+r-M%E6Bw9GlIrECXT1w9I2j{8BIUlWrX^V$0Ks&2%V=z_@DS`Ev> zPwhI4UcWM*xK=%lvhi9&65l(eD`JP{GNpf=CLt|pT;HzIq;X!GzWBpW_=$+aIK9Sy z+5!V6r#gU)b+`*Iy) z*=@T7MUrk+_Ymip4uJ3OS+mtjk5_N`La~uPhcq zq`=wCt3}_O3g7G?Aq&3x@iE2?$V;LY*IhjV-*O4*!0Fa6qDu)StmR$w!zxh4rIKO; zF+#Tt?dK_iUm^3UnXk+!f2*;4VeFsheRK2LQ^HkQ${M4YEpDIUNT$B)`kdzo*NYU} zqghjtRr{bP!U|wBXX}ZvhTC0V9@O&cT;sJQC^DWFOIDI=9wQ8cOhC`IK>raAJvpZs ztypCXCGCcj>(C29>V%0eP^OES%-^6@@L#}esrw<=MswO!h4fzE2mN#G55yZE{d-l{ z(S8E`Y8vj}P81`_V3Saa0KR-}mZF&wInc!A?UxVbU~#@Uqzs;OcC4&fLRrk8i%NT| z^BtGY*4F3Bd;23JlY@=om_IMGrT31FhP}D3ECW1$PgV?*Pzvf&lYJQLyn^slS-<1t zG5eN?A*P>|`Iq{1Q9i>+KN8X_`mg~>Zzc#xrqj}zUQ}ZQ;lzv}wgaNDqFP$C-YAgr z_kmu#(!Dm*4d+n^bbKjv#Nagq^39q}dl2wsPk~Ozc#{rP7AeF6D#`oUOg!XbxWVkJ zsN6HTI(h2h(;L8K)&QKep1*o^KuXV*&VY24u!Q=f}fk-5dusu>PG%;Xf9ilTyY|n^UfSJ0r+$B@WC#ge^W| zgmMs>Zq+@`S?E5Vl2AG`CxjT?N9^^$;;M+4qWdU~!p1Ec{(M+@&}sNhTMmBU$g2yz zsTNtn`qLIB9Rmmwy_q-58vo*7+zqNnvvzxlgglsKd&2=FX{W!hV~@LQc5a({|M`1k z$|=Z;|2F)5)1jrJz8;&YvMqXbqk)-&BR{Y2OZUQF)U+9yOT@m+!(Wxy^@W9{>Dqq$ z=E^p-b={X150txey*obqmJTry$Frd($Y4vt#_P918xb^%;=sX;H%cVv zzn9+neV1#n-S+<0mDFKp^!`4RN5r)OXW|9oq&0?tHtaoC!-W=0V%8a8bbeO(W~mwG 
z8I{#wbQ??(iNyl{-MG^b9j;}$9B>iNRtfQ;29fvG`TUTl9Oip|;&RAnndfdeZnMy*G|~ zgnjq~{Cxc3@&KoRhDwF`#YK<9nb(0)f4<>!nBYOOk=_ny&BI1UfNEv-itah;p9u?W+n?04hr^I@XV1n}i?kiF({UMKHm+ z*AK;(ozZsi?n%zm2WW1p&7CnY4Da$oZCUkv5Df{j9oNzOW4)(>x-R10M&<7a60ZPcbVxXM2b*8=~a1lm3}VK+nFdr`fJE8W%V z=fOU=j^wxC0jV2sxygWZsmCp_j*0+IdF8X?XE(Je)zDDcG zA-5dywtmVQCO6T$XKfas8ZK6XW?yc$w^V6DV>!iZhqar;HEn=eLNaO2WL62)MDHwy1xg$H@luEv^M z*nff|>_3sGYC?$$VdR<~gXi@Ppz&&RS@?G@2esny0}~qGCbJdMGQPA|!6vy(U56%K zTc|ew*8=$RN8Lt-un@PvMDpc_jK++VD=0}1$}&{+7QW*56kA0!1@jSJy*xEB!%q4^ zT^*f|dZ&mZ!rKRWj2#C6`1-x4U5MhS#LmuGeT-gwGFQM;`PYN>{@UXi_XxhyKlArh}Us_y?#6# zfiWY!!`qvbgxSXz$iGId|7g2dZ29*+nsk6&1pn<>npXp2!v1n-T;$nNS~xAG9{+#X z(OjQr9&jyLD`!%+!}?c++w&NQs4=irz(}fRZy76s>TvZn5*JAuN13yBDy2(hm2tij zhem_wc2SakcRLCByoqH!y`>06eSTF<8|N^wR@;We`aL+%2lQp zdJInrt0hJpFjs0uUO?pCXA^*9{ZAzcsV&g|yV=e!<$z7qGR|(v)OWs(;OGCAmq6Pw z^8amL0zD>9{tt;Q5b;LJSBrnm{$z{%UvB?*b4pt+abQZ?1o1-6;58iPy>=YD>HlPs zMg~V{k;RumSy1TNA~K&$&0qSI6R-dFj^L z)#F@Cdh}jn-bc`vAG5R)YH$Zg1d+xsOQ^0XwqDA)n}knIIvdeN8P}rc=;o_b_y%#K6O^mW(hZ7}>h^sTs6n5ZdwhbNLAc?@% z8ZY52q?;X;mvv{&T@*pLDIIiM%-$#I>n4KA3_*_2+>+a!tR_O*)d3ArBJROl> zX+PN|Eb}-!NN$!-*u34w3?dKFT^Wa=o&z7)-#!3*`Qqdg5ylai zuL6m$Ip(fwF#@{RjNVH>d7w zTarG*l+v;q?PHtg;=c#K2_Z`RuAJWB6X)VSxy{60%Ibq_ufZRGH})Ps9g>b9ItFsG81ipD<1V2*G{`r2=K#?fR=?9B%d!e}CBj`mpEtE!Fj zDCDK|tATaF+`P9Dut*lb636b>1UF)zpcMQaDZ0dL7lgcM+TB*n(eoF)l%E(w z49z%xR;P1?gSi5V*Kb8)2PNqjPbAV@i3}1<49QRDeSiB{^GFZAImOL`==C+d>Ljt3 zc>$b*)E_*npLG3$Kfp7&ytAV z!47uwb}Z+g(!{^K79o-N78ObK+DaRCkA{}9n<{~tavE$gAn({~(K{Btb#Y!0)5SS* zH2(!Iw|lJPDBEvbcSY@q6%1mdyO)f~;l!9b@M{8HzuWGXNVg{MgT@cRbWwZNCs)}@ z@rmA$u9e#g{)rk!tZajp0IvLvY;n;VSH44pm7*)laxlROjZANyhrA0Yt>Z?OepTw62zV6J?VXs8O;F?_Y0GWjZSn+<>L`*Q zQE!Fn%6)!SIG*`5a-(d^gLmLcs)mePE!L23Ady?wwcQvveGS`-!w_;8#wYuhM+XpT zsL>=9Zx9(e#!SIf65LrPjMQmP)0S*sYc>%CZ$e3i*C^0K7JXGhVsiQpD|M}v{sdun zN3Uf#OxzI4_kWHhI~(0kJhkj=h+|g#OwcQX{ns}9PRh<&wQV-x{hh;$sGUILW&)OM z3oY6a_HRYAQH^bq(^dni0-^~B>p>p`JXa&vVy3E2a_pBwiOIqJy;tk9K6>(tRd!YJ 
z!lQzqsX=lm_k5sR5Z4e-wXE9Y`2BYaiOneD<$G?U8JY2q6US(qG?&u@xwEc+?RWF0 z1EUyL=czRAjLLU@5MH#+C%6ul|I`&|e#AJo7GLs*^&9ac1E&c!B@zZjDV^wM%q5)- zg=H&?Xqh#`49^?Q_P7Ii^6veg#&RVNwhsnQVLMcUApI6bf?NCL=!W2qT#E`+O@lg% z_7pRuP^e3;W|`YJwv|b@w`!bNtg2@znRvJ*6+=jJxq4^T`p_$%Ku_@;^P; zz!;xS%Z^Uj$jG%ry47hdPcc|c< z@F_n&^y0`B46K&e?`Lw+w5Yo*9DuSxP|lA|npb+ZjS1nt%+N_Mi$_6hH(pzYPY7*=wl6T}wl zLNlt;WXEkw%4p@|b1+fN_KH$QdfATTH3G!l;4HQx=4-ybuvpiXNihkxiJEKbOsf;o zp{X~%jjGIc`F>T!nc0d&Hu^|k&O)|Dp^i1=+T?De4AX^E-~I|;YGksvKO#3UwMc(N zW0pOQyOFt*tee&`o#8wmSi8NnuWSF#$ym{~>G0NBjZqfJ@Z$s*@pvF~Hr!XH$m zooIB#f3pstvD90oglY#z$*AbdCUrj#7UvW;Cpw|-8d{@>^jLVHz!5oahSrIFnxFv1 zzQgExka}n(O!Kq5WLV8R>$uz3=QfkUcKMzFxq)oa-q#h&lkg)kDrvy@$bvUKnx&Ow~SAmmf<6fr?#YBmMvd0_x zW0@f^PXv5I>Up!?k>4iohDA=h<_+1WMX1G2e0c=Ca|G!OJmo) z==TM7GGYTOfRqY2Lo~aiJ1_x3Y|{sJ=||p2)8Ektl;IW40 z@57XWvtS^E$46_@hW2mg`vS6^;G66*vv26 zK`ON1@EXhZ2`!Ql>k6oQy_7M|uW+JYj(k~%Uqp6+`!38*(gG0Cp*}B&pO1iOP_1*Z z9b6FQ@?1t_N+7<|N8vYR5aF=0=G9}xDzebiI1t8q1Jx+R4??k7GuDmsS=`%dk+IV9*AE|P2*j@E;3Kw z^gn65R^9aT-L}s)l^~! z-e5D{wPM$JJ%sR7;L*iDki61VgYoHe7$CiNdMC!j)p#xLr2zI8pT)M+V7w3r=YfMx zJnF`4u^&|6VVm*6Z}na{l^TpPsK+Xm3LFl^dk_DmRX}D*d*KS)3Y@A=y0!p2^eoLT zmGcH><8|Y90qH*GBAfdSG+pA%X)kgkzrfJ=5;u3Nv-8R zUIi3%HSgaWV-Odn@;Lho48Bpd8Rw<*GI9wGoy4AA$g1c7pO(=XUKS>yw^)69@a&5C z8_@RQM7a;|`U-mW&yG?*`>m|h@5_bZkMTM|6!&pb?V&f){1Lxkt*kufPhS;2ErKte zV+fzDcvmPJy_jG1&=A#Otzw?^ai46DFGN$S$2S^WN-;MK?|lYuE83$$(7*HeF1kW^ zR{p7a1Rl>GgB~G*aqGOM3yl`wLQ&d(OIxzL z><4+{wS$9al`;(8^@x}X61Q%(E4noM0+ znhv$yrCT#PeB+{{^I#tKB%YOPx?&O@{WxCsB&TK?mxM$C{f*qx;rISi5<~bVbE|I5 zlf}?wj)ULRsKRy_j1? 
z5hS-RQrB|+y)irJfDRNf34-cy>m$DyuEt%P?+dF%p1bZ3%v`J%-p=Uv@G>6U zk064W>etA=1vxC0Onua~EKMlBR<((3DYb?EL!+L)O0#wJJ@1kq#W^ zx#}C%L7YYQtd4rjQGpn5wqeoiqBtxo#E?DkAsZ2|qx#g+B?_vwndC@3@S)Pun-D|s zr2=w*0+~~_F7dbZphBLZfFzV6!TBVb(Qj!`K>ophpG8u?-Swr!obca?v3Z1X8$#Fu zGUhiS1o8`nWClZfheUi%iT7QcA-R6zRJnO|er=$Lw8uK*(2CY`S8Fb4-s7doX&jSW z7^+~6mD~Bjy0XxQ-ZyFb0QJBV>4DJwT;)TDQUjn{_r5#kF8{qlZN1NSY>+de9bX6 zi~x8_gO5sS@VYA{1~b6OeapgZsv{|=>qm5iAgOt-94Gnz98e4>wxQCf!7k|;Hn0T78yBgixp%j6Vr1k=+mjW757UyT`?7lR_`?tnv-ZzP|`zs zJ_TAK-t!juNTUB?YNI&RVb;C$u3q=e1n4ZkT99mPRl8w=5gCDQHX+SA5rZzb>UmIb zOCG)Z-cUtA88igWdQ|2^W_d$)v75GPo??QrcFugNo_M2bZF)J2Jf%woY?>jOZ*elK ze3x;L!6j1&Pj)8*>1^y*n$Cre5Gh&sRVPJmo95f#MEH&_ZgiERBr(D|+_F-aw$j?i z7BL1_Djy3bfw8OU33+KZuoA+m%_VC6mV^sFRja?Y2X~}mrpvRy%D@f37qvSdN?YqT zDSb$`LIvn*I5;PS1VY=sipqfmO zStK`p=t8_RO6bnk%8Inp2-3C#czJH9!;^4PVMW)ZqTlgUf%04CL|#;rz*_9E zEyA&?B(dwB?~j8fMA(A%SuU%CNkD-FU^1uLDepLJ7awM}9mE;)${Jowidf6{G{aZM zFzW6FBqRx5k1vvr-}9Dur+UAZj{zV*2a#^Jw``Aeq& zlC!C3mBu3sG5!rty`O(KO34iqDli0D5&gTN{%&zKKJAHxzfAlKKa5wf_M#N5m!H&P z+p8krJ2+yI2me{|**_pRfNJSN9T*@6Tx+Q_=W8xI&~Hw!dq@kfpat+->!43&a3DCK zd0qv5TR5HQk#nr=qmJC%m@@F^^O#+PPnMC4a^Wz}ke zt-_4fr2`VjqHcKUsIptH0pOm3}FE|<2FInrieh%}rCF}HIBB#v9?pKKpoQ0caVV3I3Bx~d|-$pjU zsp&y-;Xp*3R5w`_pNN`_PS1aAj!0*B=&8Hwv*62rYetk5-a8t#LL4IUPt%KBF+Fc) zVCyysbL$V#7mTiFukI>@$7ZWIYVD6iU5!<7(EsfsN`SSyMeP*9qKOFmKQEB}|1PD@ Z9mH*#e**VQR1^Q240KGjt2CWo{~tBds*wNy literal 0 HcmV?d00001 diff --git a/community/assessments/projects/dragonfly/self-assessment.md b/community/assessments/projects/dragonfly/self-assessment.md new file mode 100644 index 000000000..e59a19939 --- /dev/null +++ b/community/assessments/projects/dragonfly/self-assessment.md 
@@ -0,0 +1,367 @@ +# Dragonfly Security Self-Assessment + +The Self-assessment is the initial document for Dragonfly to begin thinking +about the security of the project, determining gaps in its security, and preparing +any security documentation for their users. + +Authors: Wenbo Qi(@gaius-qi) + +Security reviewers: Tao Peng(@bergwolf), Wenbo Qi(@gaius-qi), Song Yan(@imeoer), Akash HR(akashhr), Xiongxiong Yuan(@yxxhero), Yiyang Huang(@hyy0322) + +## Table of contents + +- [Metadata](#metadata) + - [Security links](#security-links) +- [Overview](#overview) + - [Actors](#actors) + - [Actions](#actions) + - [Background](#background) + - [Goals](#goals) + - [Non-goals](#non-goals) +- [Self-assessment use](#self-assessment-use) +- [Security functions and features](#security-functions-and-features) +- [Project compliance](#project-compliance) +- [Secure development practices](#secure-development-practices) +- [Security issue resolution](#security-issue-resolution) +- [Appendix](#appendix) + +## Metadata + +| | | +| ----------------- | ----------------------------------------------------------------------------------------------------------- | +| Assessment Stage | Complete | +| Software | [Dragonfly](https://github.com/dragonflyoss/Dragonfly2) | +| Website | https://d7y.io | +| Security Provider | No | +| Languages | Go, Rust | +| SBOM | [FOSSA Scan](https://app.fossa.com/projects/git%2Bgithub.com%2Fdragonflyoss%2FDragonfly2/refs/branch/main/) | + +### Security links + +| Doc | url | +| ---------------------------- | ------------------------------------------------------------------ | +| Security file | | +| Default and optional configs | | + +## Overview + +Dragonfly provides efficient, stable, secure file distribution and image acceleration based on p2p technology +to be the best practice and standard solution in cloud native architectures. It is hosted by +the Cloud Native Computing Foundation(CNCF) as an Incubating Level Project. 
+ +### Background + +Dragonfly 1.x has been open source in November 2017 and used in production environments by many companies. And joined +the CNCF as a sandbox project in October 2018. In April 2020, The CNCF Technical Oversight Committee (TOC) voted to +accept Dragonfly as an Incubating Project. In April 2021, Dragonfly 2.0 was released after architectural optimization and +code refactoring. + +Dragonfly provides efficient, stable and secure file distribution and image acceleration based on P2P technology +to be the best practice and standard solution in cloud native architectures. +It is designed to improve the efficiency and speed of large-scale file distribution and used in the fields of file distribution, +AI model distribution, cache distribution, log distribution and image distribution. + +With the production practice, Dragonfly based on P2P technology to accelerate the image is insufficient to support +faster container launching, such as the Function as a Service (FaaS). +Therefore, we created Nydus as a sub-project of Dragonfly to address this need +and [Nydus Snapshotter](https://github.com/containerd/nydus-snapshotter) become a sub-project of containerd +which is an external plugin of containerd for Nydus. +Nydus implements a content-addressable file system that enhances the current OCI image format with +faster container launch speed, better image space and network bandwidth efficiency, and end-to-end data integrity. + +### Actors + +Dragonfly services could be divided into four categories: Manager, Scheduler, Seed Peer and Peer. + +![arch](./images/arch.png) + +#### Manager + +- Stores dynamic configuration for consumption by seed peer cluster, scheduler cluster and client. +- Maintain the relationship between seed peer cluster and scheduler cluster. +- Provide async task management features for image preheat combined with harbor. +- Keepalive with scheduler instance and seed peer instance. +- Filter the optimal scheduler cluster for client. 
+- Provides a visual console, which is helpful for users to manage the P2P cluster. +- Clearing P2P task cache. + +#### Scheduler + +- Based on the multi-feature intelligent scheduling system selects the optimal parent peer. +- Build a scheduling directed acyclic graph for the P2P cluster. +- Remove abnormal peer based on peer multi-feature evaluation results. +- In the case of scheduling failure, notice peer back-to-source download. +- Provide metadata storage to support file writing and seeding. + +#### Client + +- Serve gRPC for `dfget` with downloading feature, + and provide adaptation to different source protocols. +- It can be used as seed peer. Turning on the Seed Peer mode can be used as + a back-to-source download peer in a P2P cluster, + which is the root peer for download in the entire cluster. +- Serve proxy for container registry mirror and any other http backend. +- Download object like via `http`, `https` and other custom protocol. +- Supports RDMA for faster network transmission in the P2P network. + It can better support the loading of AI inference models into memory. + +### Actions + +#### Download Task + +- Actors: Scheduler, Seed Peer, Peer +- Description: When downloading a task , the download request is proxied to Dragonfly via the Peer HTTP Proxy. + Peer will first register the Task with the Scheduler, and the Scheduler will check the Task metadata to + determine whether the Task is downloaded for the first time in the P2P cluster. If this is the first + time downloading, the Seed Peer will be triggered to download back-to-source, and the Task will be divided based + on the piece level. After successful registration, The peer establishes a connection to the scheduler based on + this task, and then schedule the Seed Peer to the Peer for streaming based on piece level. when a piece is successfully + downloaded, the piece metadata will be reported to the Scheduler for next scheduling. 
If this is not the first time + downloading, the Scheduler will schedule other Peers for the download. The Peer will download pieces from different Peers, + splices and returns the entire file, then the P2P download is completed. +- Security Checks: Peer HTTP Proxy should be protected from basic authentication and authorization. + Each piece of the task should be verified by the hash algorithm to ensure the integrity of the data. + The data transmission between the Peers has been encrypted to ensure the security of the + data when enable the security feature. + +#### Preheat Task + +- Actors: Manager, Scheduler, Seed Peer +- Description: Preheat task is a feature that allows users to preheat the task in the P2P cluster. The Manager + will first receive the preheat request from the client, and then the Manager will call scheduler to schedule + the Seed Peer to download the task back-to-source. After the task is downloaded, the Scheduler will record the + metadata of the task, and the Seed Peer will be scheduled to download the task to the Peer. +- Security Checks: The preheat task API in manager should be protected by the Personal Access Token (PAT) to + ensure the security. If user uses the console to preheat the task, user should login with the username and password + to access the console. The console integrated with the RBAC to control the user's access. + +#### Services Communication + +- Actors: Manager, Scheduler, Seed Peer, Peer +- Description: Services communication via gRPC. Peer and Seed Peer will call the Manager to update dynamic configuration. + Peer and Seed Peer will call the Scheduler to register the task and report the task status. Scheduler will call the + Seed Peer to download the task back-to-source. Peer exchange piece information with each other. +- Security Checks: The gRPC communication should be protected by the TLS to ensure the security of the data transmission. 
+ +### Goals + +**General** + +- P2P technology: Based on P2P technology, use the idle bandwidth of Peer to improve download speed. +- Non-invasive: Non-intrusive support for multiple container runtimes, download tools, AI infrastructure, etc. +- Peer configuration: Load limit, concurrent limit, traffic limit, etc. can be configured. +- Consistency: Ensures downloaded files are consistent even if the user does not check for consistency. +- Exception isolation: Isolate exceptions based on Service level, Peer level and Task level to improve download stability. +- Ecosystem: Provides simple integration with AI infrastructure, container runtimes, container registry, + download tools, etc. + +**Security** + +- Data integrity: Ensure the integrity of the data by verifying the hash algorithm. +- Data transmission: Ensure the security of the data transmission by encrypting the data. +- Access control: Ensure the security of the access by the Personal Access Token (PAT). +- User authentication: Ensure the security of the user by the username and password. + +### Non-Goals + +**General** + +- Data Storage: Dragonfly does not store any data, it only caches the data temporarily. The data will be evicted after + the task reaches the expiration time. +- Data Visualization: Dragonfly does not provide data visualization, but provides a visual console to manage the P2P cluster. +- Container Runtime: Dragonfly does not provide container runtime, but provides a Nydus Snapshotter to + enhance the container launch speed. + +**Security** + +- Sensitivite Data: Dragonfly does not handle sensitive data, such as user's personal information, + user's password, etc. The data only caches the file data temporarily. +- Download Access Control: Dragonfly does not provide download access control, if you want to control the download + access, you need to control the access from the source side. 
+ +## Self-Assessment Use + +This self-assessment is created by the Dragonfly team to perform an internal analysis of the project's security. +It is not intended to provide a security audit of Dragonfly or function as an independent assessment or +attestation of Dragonfly's security health. The document is intended to be used by the Dragonfly team to +identify areas of improvement in the project's security posture. + +## Security Functions and Features + +### Critical + +A listing critical security components of the project with a brief +description of their importance. It is recommended these be used for threat modeling. +These are considered critical design elements that make the product itself secure and +are not configurable. Projects are encouraged to track these as primary impact items +for changes to the project. + +- Transport-Layer Security (TLS): The services communication is encrypted by the TLS to ensure the security of the data transmission. + Dragonfly uses the OpenSSL library to provide the TLS support for the gRPC communication. +- Authentication and Authorization: The Peer HTTP Proxy should be protected from basic authentication and authorization. + The preheat task API in manager should be protected by the Personal Access Token (PAT) to ensure the security. + The console integrated with the RBAC to control the user's access. +- Data Verification: Each piece of the task should be verified by the hash algorithm(blake3) to ensure the + integrity of the data. +- Control Access: The console integrated with the RBAC to control the user's access for operating the P2P cluster, + dynamic configuration, preheat task, etc. + +### Security Relevant + +A listing of security relevant components of the project with +brief description. These are considered important to enhance the overall security of +the project, such as deployment configurations, settings, etc. These should also be +included in threat modeling. 
+ +- Logging and Monitoring: Dragonfly provides the log and metrics for monitoring the P2P cluster. + The log and metrics can be used to monitor the P2P cluster, detect the abnormal behavior, and + analyze the performance of the P2P cluster. +- Dynamic Configuration: Dragonfly provides dynamic configuration for consumption by Seed Peer, + Scheduler and Peer. The dynamic configuration can be used to configure the P2P cluster, + such as load limit, concurrent limit, traffic limit, etc. If DDoS attack occurs, the dynamic configuration + can be used to limit the traffic of the P2P cluster. +- Scan and Analysis: Dragonfly uses the FOSSA to scan the dependencies of the project to ensure the security of the dependencies. + The FOSSA can be used to detect the vulnerabilities of the dependencies and provide the solution to fix the vulnerabilities. + +## Project compliance + +Dragonfly does not document meeting particular compliance standards. + +## Secure Development Practices + +### Development Pipeline + +All code is maintained on [Github](https://github.com/dragonflyoss/Dragonfly2). + +- Contributions and Changes + - Code changes are submitted via Pull Requests (PRs) and must be signed and verified. + - Commits to the main branch directly are not allowed. +- Code Review + - Changes must be reviewed and merged by the project maintainers. + - The code is reviewed by multiple members from various teams and then approved by all of the reviewers before + passing the check. +- Automated Testing + - In each PR, the code has to pass through various security checks and vulnerability analysis, to find if the code is + secure and would not fail basic testing. + - Tools like CodeQL and GoSec have been adopted for security scanning. + - The project utilizes various vulnerability tests, unit tests and neutral tests to quantify whether the changes + would be safe in basic context, before the reviews done by the project maintainers. 
+- Dependency Management + - The project regularly updates its dependencies and check for vulnerabilities and keeps its github + updated at all times asynchronously. + +### Communication Channels + +- Internal + - The Dragonfly team mostly uses platforms like GitHub, Slack, or email lists for internal communications within the teams. +- Inbound + - Users and contributors to the Dragonfly project can communicate with the Dragonfly team via GitHub issues, mailing lists, + CNCF and through Slack channels as well. +- Outbound + - The updates and announcements from Dragonfly are made through Dragonfly Blog, GitHub, CNCF mailing lists, + and social media channels. + +### Ecosystem + +Dragonfly is integrated with various cloud-native projects and container runtimes, such as containerd, Docker, CRI-O, etc. +It is widely used in the fields of file distribution, AI model distribution, cache distribution, +log distribution and image distribution. + +Reference to the first integrations that offer-first party support for Dragonfly is present here in [Integrations](https://d7y.io/docs/next/operations/integrations/container-runtime/containerd/). + +#### Image Acceleration + +Dragonfly supports various container clients such as containerd, Docker, cri-o, ORAS, etc. +It provides three solutions for image acceleration. The first solution is to use Dragonfly to distribute +images based on P2P technology, which is suitable for large-scale cluster. The second solution is to use Dragonfly and +Nydus to distribute accelerated images, which is suitable for large-scale cluster and faster container launching. +The third solution is to use Nydus to distribute accelerated images, which is suitable for faster container launching. 
+ +Production practice and statistical data can refer to: + +- [Dragonfly integrates nydus for image acceleration practice](https://www.cncf.io/blog/2022/11/21/dragonfly-integrates-nydus-for-image-acceleration-practice/) +- [The evolution of the Nydus Image Acceleration](https://www.cncf.io/blog/2022/11/15/the-evolution-of-the-nydus-image-acceleration/) +- [Volcano Engine: distributed image acceleration practice based on Dragonfly](https://www.cncf.io/blog/2023/04/13/volcano-engine-distributed-image-acceleration-practice-based-on-dragonfly/) +- [Ant Group security technology’s Nydus and Dragonfly image acceleration practices](https://www.cncf.io/blog/2023/05/01/ant-group-security-technologys-nydus-and-dragonfly-image-acceleration-practices/) +- [Stable and efficient image distribution for 1 billion monthly users with Dragonfly](https://www.cncf.io/case-studies/kuaishou-technology/) + +#### File Distribution + +Dragonfly supports large-scale file distribution and uses P2P technology to eliminate the impact of +origin bandwidth limitations. It supports file distribution of protocols including HTTP, HDFS, etc. +Additionally, it also supports different object storage protocols includes S3, OSS, OBS, etc. + +Add [Dfstore](https://d7y.io/docs/concepts/terminology/dfstore) to expand the file distribution capability, +it can depend on different types of object storage, such as S3, OSS, OBS, etc. to provide stable object storage capabilities. +Dfstore uses the entire P2P network as a cache when storing objects. Depend on object storage as +the backend to ensure storage reliability. In the process of object storage, P2P cache is effectively +used for fast read and write storage. + +#### AI Infrastructure + +Dragonfly supports distributing data during AI training and AI inference. +In the AI inference, Dragonfly supports [Triton Server](https://github.com/triton-inference-server/server) and [TorchServe](https://github.com/pytorch/serve) +to use Dragonfly distribution model. 
In the AI training, [Fluid](https://github.com/fluid-cloudnative/fluid) downloads +dataset through Dragonfly when running based on [JuiceFS](https://github.com/juicedata/juicefs). + +There are many use cases in the community, using Dragonfly to distribute data based on P2P technology. +In the inference, the concurrent download model of the inference service can effectively relieve the bandwidth pressure of +the model registry through Dragonfly, and improving the download speed. Users can embed the model into the +accelerated image and use Dragonfly and Nydus for faster container launching. + +Production practice and statistical data can refer to: + +- [Dragonfly: Intro, Updates and AI Model Distribution in the Practice of Kuaishou - Wenbo Qi, Ant Group & Zekun Liu, Kuaishou Technology](https://sched.co/1PTJb) +- [Dragonfly helps Volcano Engine AIGC inference to accelerate image through p2p technology](https://mp.weixin.qq.com/s/kY6DxRFspAgOO23Na4dvTQ) +- [Get faster pull times with Nydus on CoreWeave](https://docs.coreweave.com/cloud-tools/nydus) + +## Security Issue Resolution + +### Responsible Disclosure Process + +Dragonfly has a security policy and process in place for responsible disclosure of security vulnerabilities, refer to the +[SECURITY.md](https://github.com/dragonflyoss/Dragonfly2/blob/main/SECURITY.md). + +- Security researchers can report vulnerabilities confidentially by emailing the Dragonfly maintainers at . +- Report the security issue with the detailed information, such as the description of the vulnerability, + the steps to reproduce the vulnerability through the . +- The Dragonfly maintainers will acknowledge the report within 48 hours and provide an estimated timeline for a fix. +- Patch releases are made available as soon as possible after the vulnerability is confirmed and a fix is available. + +### Incident Response + +The Dragonfly maintainers will respond to security incidents within 48 hours of being notified. 
In practice, +the response time is usually much faster. The Dragonfly maintainers will work with the reporter to understand +the issue and develop a fix. + +## Appendix + +### Known Issues Over Time + +There haven't been any known security issues in the project. If you find any security issues, +please report them tools like GitHub issues, mailing lists, CNCF and through Slack channels. + +### CII Best Practices + +Dragonfly has attained the Open Source Security Foundation(OpenSSF) Best Practices Badge, +refer to . + +### Case Studies + +- Volcano Engine - +- KuaiShou - +- Ant Group - +- CoreWeave - + +### Related Projects/Vendors + +- **Harbor** provides a registry for storing and distributing container images. It can be integrated with Dragonfly to + accelerate image distribution. Dragonfly will help Harbor to distribute images based on P2P technology in + a large-scale cluster. +- **Containerd** is a container runtime. Dragonfly integrates with containerd to provide + image acceleration and container launching based on P2P technology. Dragonfly will become an mirror for containerd + to intercept the image download traffic to accelerate the image download. If user uses Nydus Snapshotter, the containerd will + download image on-demand and launch container faster. +- **Docker** is a container runtime. Dragonfly integrates with Docker to provide image acceleration and + container launching based on P2P technology. Dragonfly will intercept the Docker image download traffic by HTTP Proxy + to accelerate the image download. From c5fe5b14a1fe9032e8eab6d1997f1f2c7cff8abd Mon Sep 17 00:00:00 2001 From: Krishna <82863+krishnakv@users.noreply.github.com> Date: Wed, 31 Jul 2024 23:27:52 +0530 Subject: [PATCH 39/47] Create joint-assessment for OpenFGA (#1289) --- .../projects/openfga/joint-assessment.md | 792 ++++++++++++++++++ 1 file changed, 792 insertions(+) create mode 100644 community/assessments/projects/openfga/joint-assessment.md 
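Review bot: In the Dragonfly self-assessment hunk above, the "Known Issues Over Time" appendix tells readers to report security issues via "tools like GitHub issues, mailing lists, CNCF and through Slack channels", which directly contradicts the "Responsible Disclosure Process" section a few paragraphs earlier that routes reports confidentially to the maintainers' email per SECURITY.md; public GitHub issues and Slack are exactly the channels a disclosure policy is meant to keep vulnerabilities out of, so the appendix should point back to the SECURITY.md process instead. Related to that section: the email address and report link read as "emailing the Dragonfly maintainers at ." and "through the .", and the CII badge link and all four Case Studies entries ("- Volcano Engine - ") are likewise empty in the hunk as rendered; if these are bare angle-bracket autolinks they are being dropped, so spell them out as `[text](url)` links. Two wording fixes that change meaning: "Peer HTTP Proxy should be protected from basic authentication and authorization" should read "protected by", and "The data transmission between the Peers has been encrypted ... when enable the security feature" describes an optional setting, which conflicts with the "Critical" section that lists TLS among elements that "are not configurable"; state which it is. Finally, "Sensitivite Data" under Non-Goals is a typo for "Sensitive Data".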
diff --git a/community/assessments/projects/openfga/joint-assessment.md b/community/assessments/projects/openfga/joint-assessment.md new file mode 100644 index 000000000..b182501d9 --- /dev/null +++ b/community/assessments/projects/openfga/joint-assessment.md 
@@ -0,0 +1,792 @@ +# Joint-assessment Outline + +The joint-assessment is built on top of the [self-assessment.md](https://tag-security.cncf.io/assessments/projects/openfga/self-assessment/) to +collaboratively assess the current security state of a project. + +The burden is primarily on the proposing project to demonstrate it is secure in +a manner that is understandable to the broader community. The +reviewers will help to assess and probe the design and supporting project documentation. + +The proposing project must provide a written document that describes the project +and its security. In the case of OpenFGA, there is structured information present +in the [Security-Insights](https://github.com/openfga/openfga/blob/main/SECURITY-INSIGHTS.yml) page. The project [self assessment](https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/self-assessment.md) has been completed. + +Projects are encouraged to cross link additional supporting documents or details +from their repo into the self-assessment. 
+ +## Joint-assessment of OpenFGA + +## Table of Contents + +* [Metadata](#metadata) + * [Security links](#security-links) +* [Overview](#overview) + * [Background](#background) + * [Goals](#goal) + * [Non-goals](#non-goals) +* [Joint-assessment use](#joint-assessment-use) +* [Intended use](#intended-use) +* [Project design](#project-design) + * [Functions and features](#functions-and-features) + * [Security functions and features](#security-functions-and-features) +* [Configuration and set-up](#configuration-and-set-up) +* [Project compliance](#project-compliance) +* [Security analysis](#security-analysis) +* [Secure development practices](#secure-development-practices) +* [Security issue resolution](#security-issue-resolution) + * [Closed security issues and + vulnerabilities](#closed-security-issues-and-vulnerabilities) +* [Hands-on assessment](#hands-on-assessment) +* [Roadmap](#roadmap) +* [Appendix](#appendix) + +## Metadata + +A table at the top for quick reference information, later used for indexing. + + + +| | | +| -- | -- | +| Assessment Stage | Complete | +| Software | [https://github.com/openfga](https://github.com/openfga) | +| Security Provider | Yes. OpenFGA is used to decide if a subject (user, application) user can perform a specific action on a resource or not.| +| Languages | Go, Java, Javascript, Python, C# | +| SBOM | The Software Bill of Materials is not publicly available, but is included in each GitHub release using Syft, which is a CLI tool, and Go library for generating an SBOM from container images and file systems, since [pull/683](https://github.com/openfga/openfga/pull/683) | + +### Security links + +These are link to existing security documentation for the project. 
+ +| Doc | url | +| -- | -- | +| Security Policy | [OpenFGA Security Policy](https://github.com/openfga/openfga/security/policy) | +| Security Insights | [OpenFGA Security Insights](https://github.com/openfga/openfga/blob/main/SECURITY-INSIGHTS.yml) | +| Security risks | [OpenFGA Security risks](https://github.com/orgs/openfga/security/risk) | +| -- | -- | + +## Overview + +The overview sections are pulled from the [self-assessment](https://tag-security.cncf.io/assessments/projects/openfga/self-assessment/) and updated. + +Implementing access control and authorization is a requirement when developing secure and compliant applications, to explicitly check permissions +such that a subjects can perform authorized actions on specific resources. + +OpenFGA is a high performance and flexible authorization/permission engine that can be used to implement fine grained access control in any +application component. + +Developers can use OpenFGA to craft authorization and permission policies based on the resource access and authorization model +specific to their own project(s). They can further use the APIs provided by the project to confirm users have the permissions +required to access a given resource. + +### Background + +OpenFGA is an authorization/permission engine that incorporates Relationship-Based Access Control (ReBAC) and Attribute Based Access Control (ABAC) +concepts with a domain-specific language that enables crafting authorizations solutions that can grow and evolve to any use case. + +Its inspired on the idea described in the [Google Zanzibar paper](https://research.google/pubs/pub48190). + +Fine-Grained Authorization refers to individual users having access to specific objects and resources within a system. Google Drive is an example of this, +as owners of resources can grant different users to have different levels of access to their resources. 
+ +OpenFGA makes helps developers make authorization decisions by combining two concepts: + +- An Authorization Model, where developers define their authorization policies + +- A set of relationship tuples that instantiate the model and OpenFGA uses to answer access control queries. + +An authorization model looks like: + +```python +model + schema 1.1 + +type user +type group + relations + define member: [user] +type folder + relations + define owner: [user] + define parent: [folder] + define viewer: [user, group#member] or owner or viewer from parent + +type document + relations + define parent: [folder] + define owner: [user] + define viewer: [user, group#member] or owner or viewer from parent +``` + +Relationship tuples look like: + +| Subject | Relation | Object | +| --- | --- | --- | +| user:alice | member | group:engineering | +| folder:root | parent | document:readme | +| group#engineering:member | viewer | folder:root | + +With this information, OpenFGA can be queried in different ways: + +- Using the [/check](https://openfga.dev/api/service#/Relationship%20Queries/Check) endpoint to ask questions like "Is `user:alice` a `viewer` for `document:readme`?". With the data provided above, OpenFGA will return `{allowed : "true"}`, as Alice is a member of the engineering team, which has viewer access on the 'readme' document's parent folder. + +- Using the [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) endpoint to ask questions like "What are all the documents for which `user:alice` is a `viewer`. With the data provided above, OpenFGA will return `{object_ids { "document:readme" }` + +### Goal + +- Simplify and standardize authorization processes, making them more consistent across various applications and systems. + +- Establish patterns and standards for externalized authorization. + +- Create architectural patterns, terminologies, and protocols that enable interoperability among different authorization systems. 
+ +- Deliver an authorization service for any application component. + +- Enable centralized authorization decisions and permits diverse teams to implement authorization using a shared framework across various application components. + +### Non-goals + +- Tools for management of groups/roles/permissions not inherently provided to the end-users. + +- Does not intend to serve as a comprehensive data repository for non-authorization related data. + +- Does not aim to provide a complete authentication and Access Control Solution. + +## Joint-assessment use + +The joint-assessment is initially created by the project team and then +collaboratively developed with the security reviewers as +part of the project's TAG-Security Security Assessment (TSSA) Process. +Information about the TAG-Security Review can be found in the [CNCF TAG-Security +Review Process Guide](https://tag-security.cncf.io/assessments/guide/). + +This document does not intend to provide a security audit of OpenFGA and is +not intended to be used in lieu of a security audit. This document provides +users of the project with a security focused understanding of OpenFGA and, when +taken with the [self-assessment](./self-assessment.md), provide the community with +the TAG-Security Review of the project. Both of these documents may be used and +referenced as inputs to a separate security audit. + +OpenFGA is a project that provides a security service and as such, any defect +in the project may be a security issue. This document does not look to enumerate +all the possible quality issues (e.g. undetected circular references in model +definitions) that could lead to security issues for users of OpenFGA. + +Taken together, this document and the [self-assessment](./self-assessment.md) serve as a +context for the TOC and community when OpenFGA seeks graduation and is preparing for a security audit. + +## Intended Use + +* Target Users and Use Cases. 
The key users of this project are users who define authorization models, application developers that integrate the API + into their application for externalizing authorization and operators. + + OpenFGA can be used in any environment and has helm charts defined for install on a Kubernetes platform. + 1. OpenFGA is used by applications to externalize authorization decisions + 2. The project implements the [Google Zanzibar paper](https://research.google/pubs/pub48190) paper for effective, performant authorization + 3. Administrators can program authorization models into the system for use by application teams + +* Operation. OpenFGA supports both MySQL and Postgres as its datastore. An in-memory store is implemented as the default. + +## Project Design + +* Design. OpenFGA provides rich documentation around its core [concepts](https://openfga.dev/docs/concepts) and usage of the project. Some project + decisions are documented under the [rfcs repository](https://github.com/openfga/rfcs), however, this does not have a comprehensive list of all + project decisions. + +### Functions and features + +The list below describes the functionality provided by OpenFGA. This assessment +did not segregate these into critical and other levels but focused on the server +component as a priority. 
+ +```yaml +actions: + system.users: + - Request access to [system.resources] through [openfga.clients|system.applications] + + system.developers: + - Integrate [openfga.sdks] in [openfga.clients|system.applications] + - Validate and verify semantically [openfga.authz_models] + + system.operators: + - Migrate [openfga.datastore] + - Deploy [openfga.server] + + system.external.idp: + - Provide [jwks_uri] through oidc /.well-known/openid-configuration + - Sign [token] with [rs256] algorithm + + openfga.language: + - Provide a domain specific language to describe authorization policies + - Describe the authorization model with [types], [relations] and [conditions] + + openfga.datastore: + - Store authorization models [openfga.authz_models] + - Store authorization data [openfga.relationships.tuples] + - Support for [MySQL, Postgres] database + + openfga.clients|system.applications: + - Authenticate against [openfga.server] with [openfga.psk] secret or through [external.idp] + - Execute authorization checks with [openfga.relationships.queries] + - Manage the authorization model [openfga.authz_models] + + openfga.server: + - Write authorization model [openfga.authz_models] to [openfga.datastore] + - Write authorization data [openfga.relationships.tuples] to [openfga.datastore] + - Provide [grpc|http] messaging protocol + - Authenticate trusted [openfga.clients] with 3 options [none|psk|oidc] + - Validate and verify [payload] + - Evaluate access control decisions [openfga.relationships.queries] + + openfga.server.api: + stores: + - list + - create + - get + - delete + - assertions.read + - assertions.upsert + authz-models: + - list + - create + - get + relationships.tuples: + - read + - write + - delete + - list.changes + relationships.queries: + - check + - expand + - list-objects + - streamed-list-objects + - list-users +``` + +#### Security functions and features + +OpenFGA, as an Open-Source project, requires the community to review and evaluate the security 
implementation per the Principle of Open Design. + +OpenFGA models authorization systems by providing authorization methods such as Role-based Access Control, Relationship-based Access Control and Attribute-based Access Control. + +OpenFGA was designed for speed in processing secure authorization check call. This swift authorization mechanism not only enhances efficiency +but also reinforces the security posture, assuring robust protection for applications and platforms for diverse scales. + +OpenFGA provides a wide variety of SDKs, as well as easy API integration for new SDKs. + +## Configuration and Set-Up + +* Default. The default configuration of the project is described under the [getting started](https://openfga.dev/docs/getting-started) section of the documentation. + +* Secure. The recommended [production configuration](https://openfga.dev/docs/getting-started/running-in-production) of the project is described under a + separate part of the documentation. It is not explicitly secure by default. + +## Project Compliance + +There are no specific security standards or sub-sections the project is documented +as meeting (e.g. NIST 800-53, CSA, etc.). + +### Existing Audits + +A self-assessment has been performed but there are no project audits currently +for OpenFGA. + +## Security Analysis + +### Attacker Motivations + +OpenFGA is an authorization/ permission engine that secures sensitive information +including users of the systems referenced by the permission model as well as +permissions and access levels for each. 
Attackers may have multiple motivations +including: +* Exfiltrating relationship, condition and user data from the service +* Tampering with data to assign, elevate permissions or remove access to authorized users +* Studying the data to understand the application design and operation for further attack steps +* Denial of service by rendering OpenFGA unable to respond to auth requests + +### Predisposing Conditions + +There are multiple potential configurations of the project that could be exploited, +this includes permissive settings for API tokens and other secrets, running the +server in elevated/privileged mode, exposing vulnerable endpoints such as the profiler accessible to +an attacker and exfiltration of secret tokens from interfacing applications and CLI. + +In addition vulnerabilities may be discovered in the server code or dependent libraries +that can be exploited by an attacker. + +### Expected Attacker Capabilities + +While the attacker is not expected to possess the capability to break well-known +encryption standards, eg AES256, or hashes such as SHA256, they will have sufficient capabilities +and motivation to use well-known tools and techniques for their work. Attackers +are not just assumed to be external to the OpenFGA project, or client application vendor/project, but may also +be insiders who are contributors, maintainers, or repo admins, or developers or operators with privileged access +inside the client application environment that are looking to gain a foothold for +further exploits. The latter scenarios assume that the attacker has breached or already has access through +several layers of defense and has direct access to OpenFGA components and +endpoints to further their position within the company perimeter. + +### Attack Risks and Effects + +While not storing PII (as per project recommendations), OpenFGA does have sensitive +information pertaining to the application and permissions within +the organization. 
This data could be used by attackers to better understand +the attack landscape and also perform more destructive actions such as escalating +their permissions and locking out users from system access. + +### Security Impact Assessment + +A compromise of the OpenFGA server in production would lead to +downstream effects in the application landscape. Attackers could assign +themselves arbitraty permissions to sensitive resources or data and also lock out +legitimate users. This could lead to effects from a denial of service +and degradation of customer experience to exfiltration of critical data +from sensitive systems. OpenFGA deals directly with authorization and is +a critical part of any application, as such, compromising this system +could have catastrophic consequences to the organization. + +#### Security Risks and Security Impact of Using/Operating OpenFGA +- Access Control: OpenFGA by definition is designed to enforce: (i) information system access to authorized users, or + processes acting on behalf of authorized users or devices (including other information systems); + and (ii) the types of transactions and functions that authorized users are permitted to exercise. As such, a failure + in either access to OpenFGA data or code itself, or the functioning of OpenFGA exposes the application to critical access + control risks. +- Awareness and Training: Using OpenFGA will requrire developer, operator, security team, auditor and end user training to ensure + that personnel are adequately prepared to deploy, maintain, and use OpenFGA and design appropriate relationships and models. + Security staff need to understand the failure modes and threat model and how to monitor the components and produce audit artifacts. + Even end users need to understand how permissions are modeled and managed, for example, understanfing Google Drive permissions can have a steep + learning curve for those used to more traditional RBAC rules found in Windows or Linux file systems. 
+- Audit Support: Introducing OpenFGA will impact system/application audit requirements and require OpenFGA developers, app developers, + and operators to consider how to: + - create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, + and reporting of unlawful, unauthorized, or inappropriate information system activity; and + - ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. +- Change Management: OpenFGA project developers and app developers need to consider how changes to the OpenFGA code, configuration, model syntax and features, + and the application's specific model(s) will impact the: + - baseline configuration and relate to the current inventory of organizational users, resources, and condition attributes; + - establishment and enforcement of secure configuration settings of the OpenFGA components and the app using OpenFGA; and + - ability to monitor and control changes to the baseline configurations of the specific app models and to the OpenFGA components +- Identity: How will change(s) to the underlying Identity Provider(s) and identity establishment impact how OpenFGA: + - identifies users, processes acting on behalf of users, or other subjects (eg IoT devices, etc.); and + - authenticates (or verifies) the identities of those users, processes, or devices, as a prerequisite to allowing access. +- Maintenance: How will periodic and timely maintenance be performed including critical security patches in OpenFGA's code and dependencies; + how will the project and the app developers provide effective controls on the tools, techniques, mechanisms, and personnel performing maintenance + of the OpenFGA code and apps using it. For example, how would the project control for a malicious contributor trying to subtly introduce leaks or + back doors? 
How would app developers identify these potential flaws? How is the repo secured and maintained over time? Other dependencies? etc. +- Securing Data In Transit, At Rest and In Use: While OpenFGA doesn't directly implement encryption, authentication, or integrity of data flows, + the maintainers and devs using OpenFGA must consider: + - communications (i.e., information transmitted or received by OpenFGA components, and the app) are monitored, controlled, and protected at the + internal and external boundaries; eg encrypting communication between OpenFGA and the database, or the shared keys, or the audit logs, etc. and + - architectural designs, software development techniques, and systems engineering principles that promote effective data security are implemented +- Risk Assessment and Vulnerability Management: How will OpenFGA maintainers and app devs and operators define how: + - OpenFGA and SDK flaws are identified, reported, and corrected in a timely manner; + - malicious code protection is employed; + - component and OpenFGA app related events are monitored and detected; + - the correct configuration and operation of security features is tested and verified; + - information is checked for accuracy, completeness, validity, and authenticity. This is especially imporant in verifying and testing the model + syntax and semantics +- Supply Chain Integrity and Attacks: How will risks related to OpenFGA itself, and its dependencies be assessed and tracked and remediated? +- Incident Response, Disaster Recovery, Continuity, SRE: How will use of OpenFGA affect existing plans for responding to, investigating, and remediating + incidents - whether security or availability related? What playbooks should be created specific to OpenFGA failure modes or attacks? What alerts are + useful? What forensic data is required? How are logs collected, aggregated, correlated, and retained? 
+- Compliance and Regulatory Requirements: What documentation, processes, approvals, and legal requirements are in scope for either certification or audit + by a 3rd party or government agency or customer? + +#### Failure Modes Considered + +- Project/Repo/Code Failures + - Key admins or maintainers abandon the project or are unavailable + - The repository is deleted or defaced or compromised + - Bugs exist in the core validation of the relationships and conditions + - Bugs exist in the dependencies used + - Leakage of data in the logs or by contacting existing services + - Timing attacks, side channel telemetry + - shared key or OIDC TLS cert compromises (is OSCP or CRL being checked?) + - Lack of, or insecure use of, cryptographic code or protocols + - Release process failures + - Failures to respond to, or analyze, reported vulnerabilities or known exploits + - Malicious developers injecting malicious code or designs +- Developer/App Design Failures + - incorrect use of OpenFGA outside its intended design/goals + - incorrect confiuration of OpenFGA store, keys, certs, etc + - incorrect definition of app code using OpenFGA to check relationships, conditions + - incorrect or missing error handling code or corner cases + - logging or leaking sensitive information + - lack of stress and performance testing + - not using the latest secure releases +- OpenFGA/App Operations Failures + - failure to check the provenance and integrity of code used + - failure to check the provenance and integrity of confiuration used + - failure to check the provenance and integrity of model(s) used + - failure to secure keys, OIDC TLS, or database encryption and access control and auditing + - failute to plan for continuity and disaster recovery + - failure to plan for security incident response + - OpenFGA API service unavailable at runtime, either failing in a secure closed way, or due to DoS attack + - Store database unavailable at runtime, either failing in a secure closed way, or 
due to DoS attack + - Capacity planning for the service, networking, and database + - Messaging and communications to end users in the case of outages or failures or breach + +### Compensating Mechanisms + +Compensating mechanisms are covered in detail in the [Threat Model](#threat-model) +section. These cover steps such as architecture changes for a more +fine-grained permissions system, hardening the default deployment +instructions, changes to user documentation and changes in functionality to +address common exploits. + +## Threat Model + +Threat modelling was done by threat hunting using the MITRE Att&ck framework. Findings are listed below +along with the Att&ck technique associated with the finding. The findings +are categorized into logical sections. The values for the **Impact** and **Likelihood** +ratings can be High, Med or Low. + +NOTE: The OpenFGA server code is managed separately from the "language" parser code. +This review focused on the server code, and so a separate review (perhaps formal modeling exercise) +would be beneficial for the "language" parser project. As such language parser threats/attacks +should be considered outside the scope of this review. + +Opportunities for improvement identified include: + +- Implement FGA for server API +- Relook at user-defined API tokens as an authentication mechanism for API +- Make all installation scripts "secure by default" +- Validate best practices such as using strong API token and avoiding PII + +Further opportunities for improvement are listed under the [Secure Development](#security-hygiene-and-secure-sevelopment-practices) section. + +### Methods of authentication for server API + +Access to OpenFGA API is via oauth or pre-determined API tokens. Pre-shared +tokens present several weak points that result in the findings below. + +The project recommends oauth for secure authentication to the API. 
The recommendation +is to mark shared API tokens as a relatively insecure method of authentication and +that his be avoided in a production environment. This recommendation can be +updated both in the documentation as well as a WARNING can be emmitted in the logs +when authentication via shared API tokens is enabled. + +The recommendation to enable Fine Grained Authorization for the API is being +implemented under a [project issue](https://github.com/openfga/roadmap/issues/30). +This risk is currently being mitigated by OpenFGA users by proxying requests +and performing authorization on the proxy. + + +|Summary|When authenticating using pre-shared keys, these are exposed in container env vars.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Env vars are accessible to anyone with access to the container. There cannot be further permissions set on these like files. Keys further give access to stores and models.| +|MITRE classification|TA0001: Initial Access -> T1078: Valid Accounts
TA0003: Persistence -> T1078: Valid Accounts
TA0004: Privilege Escalation -> T1078: Valid Accounts| +|Actors|openfga.server| +|Suggested Mitigation|Secrets mounted in filesystem can be restricted with permissions. Alternatively,
SPIFFE/ Spire integration may offer a much high level of security (specifically using x.509 SVIDs).| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|Authenticating with shared keys allows keys to be added to the list.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Shared API keys are open to manipulation and bruteforcing since they are fixed keys.| +|MITRE classification|TA0003: Persistence -> T1136: Create Account| +|Actors|openfga.server| +|Suggested Mitigation|Being able to manipulate keys in the container requires access to container. However, impact will be high as openfga access will allow attackers to assign themselves arbitrary privileges.
Mitigations include, the ability to rotate keys on a frequent basis and forcing these API tokens to be mounted as files (can be permission controlled) instead of environment variables. Don't use shared keys. Use OAuth or SPIFFE.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|The openfga API endpoint does not support fga, so admins can modify models they may not own.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Broad permissions allow an admin to modify any model, not just ones that they own.| +|MITRE classification|TA0042: Resource Development -> T1585: Establish Accounts| +|Actors|openfga.server| +|Suggested Mitigation|Can the API endpoint for openfga server support more fine grained permissions so that only owners of stores/ models can modify them? Permissions can be set at a module level.
This is being implemented under this [issue](https://github.com/openfga/roadmap/issues/30) by the project.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + + +### Setting secure defaults for install + +This section has findings related to default install options that can be made more +secure. The artifacts analysed in this section include the helm chart for installation +and default configuration options. + + +|Summary|Open playground link - clients can access the playground (enabled by default) without authorization and access openfga models.| +|--|--| +|Discovered in self-assessment?|Yes| +|Weakness|Unauthorized access to openfga data. Ability to both view and manipulate data.| +|MITRE classification|TA0043: Reconnaissance -> T1595: Active Scanning
TA0001: Initial Access -> T1189: Drive-by Compromise| +|Actors|openfga.server| +|Suggested Mitigation|Already bring addresed by project team -
https://github.com/openfga/roadmap/issues/7.
Documentation is clear to disable playground for prod deployments.
When enabled, the playground can be accessed only from localhost. Thus, the attacker must have access to the host where the server is running.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|Helm chart runs containers with higher privilege by default.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Unauthorized access to openfga data. Ability to both view and manipulate data.| +|MITRE classification|TA0002: Execution -> T1203: Exploitation for Client Execution
TA0003: Persistence -> T1098: Account Manipulation
TA0004: Privilege Escalation -> T1548: Abuse Elevation Control Mechanism
TA0004: Privilege Escalation -> T1134: Access Token Manipulation
TA0004: Privilege Escalation -> T1098: Account Manipulation
TA0004: Privilege Escalation -> T1611: Escape to Host
TA0005: Defense Evasion -> T1548: Abuse Elevation Control Mechanism
TA0005: Defense Evasion -> T1134: Access Token Manipulation| +|Actors|openfga.server| +|Suggested Mitigation|Could the defaults for all install scripts be set to run the openfga server with limited permissions?
In the case of helm chart, this would achieve:
  1. Not running server as root
  2. Not allowing privilege escalation
  3. Not allowing access to system calls unless required
  4. Setting filesystem to readonly
  5. Limiting access to mounted filesystems

This would greatly reduce the attack surface area. | +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|An external dependency to groundnuty/k8s-wait-for is pinned using tag.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Source tags can be overwritten in case of a supply chain attack and a compromised image may be pulled down. The risk is greater in the case of external, third party dependencies not under the projects control.| +|MITRE classification|TA0001: Initial Access -> T1195: Supply Chain Compromise| +|Actors|openfga.server| +|Suggested Mitigation|Pin the dependency using SHA tag for the container image.| +|Impact (High/ Med/ Low)|Low| +|Likelihood (High/ Med/ Low)|Low| + +### Other findings + +This section has other findings that could not be classified +in earlier parts. It includes exploits such as server DDOS and +potential leakage of information about application landscape. + +|Summary|INFORMATIONAL: Fixed API access tokens are susceptible to brute force attacks.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Having a fixed set of API tokens with no set TTL to rotate allows attackers to brute-force user created API tokens.| +|MITRE classification|TA0006: Credential Access -> T1110: Brute Force| +|Actors|openfga.server| +|Suggested Mitigation|Support for rotation may mitigate the impact. Also, is this to be disabled in production? Also, can there be a minimal requirement for length and entropy that the server checks for API tokens?
SPIFFE/ Spire integration may offer a much high level of security| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Med| + +|Summary|INFORMATIONAL: Playground link as well as shape of API identifies the openfga server.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|An attacker performing reconnaissance will be able to identify if a service is the openfga server, a high-value target.| +|MITRE classification|TA0043: Reconnaissance -> T1592: Gather Victim Host Information| +|Actors|openfga.server| +|Suggested Mitigation|Not sure if there is a remediation, given it’s the case for any API server that endpoints will return a 403 rather than 404 for unauthenticated access. An attacker iterating through the expected shape of the API will be able to identify an openfga server.| +|Impact (High/ Med/ Low)|Low| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|INFORMATIONAL: Usage of PII as part of Tuples.| +|--|--| +|Discovered in self-assessment?|Yes| +|Weakness|PII can be exfiltrated if present as a part of the Tuples.| +|MITRE classification|TA0042: Resource Development -> T1586: Compromise Accounts| +|Actors|openfga.server| +|Suggested Mitigation|Specifically called out in documentation that PII is not to be used as a part of tuples but not enforced.
Also, many sites will use email ID as primary login, documentation may need to address how to handle this situation.
A change to detect PII such as email ID's as part of relationships/ tuples and warn the user may tackle this finding at a code level.| +|Impact (High/ Med/ Low)|Med| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|INFORMATIONAL: Turning off audit logs will let an attacker mask operations on the server.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Allowing audit logs to be turned off completely via configuration would allow attackers to mask their trail.| +|MITRE classification|TA0005: Defense Evasion -> T1562: Impair Defenses| +|Actors|openfga.server| +|Suggested Mitigation|A possible mitigation is to log a warning message when logs are completely turned off?| +|Impact (High/ Med/ Low)|Med| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|INFORMATIONAL: DDOS attack on openfga server would impact overall application landscape.| +|--|--| +|Discovered in self-assessment?|Yes| +|Weakness|A DDOS attack on the server endpoint is not handled by the server and will result in widespread impact on all dependent applications.| +|MITRE classification|TA0005: Defense Evasion -> T1562: Impair Defenses| +|Actors|openfga.server| +|Suggested Mitigation|Documentation can be created for production configuration using an API Gateway/ other DDOS prevention mechanism.
The likelihood is rated low as OpenFGA is designed to be run within an intranet environment and not exposed to public internet.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +|Summary|INFORMATIONAL: Further review needed on tuple evaluation and crypto guarantees.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Potential ordering and collision attacks possible.| +|MITRE classification|[TA0004](https://attack.mitre.org/tactics/TA0004/): Privilege Escalation | +|Actors|openfga.server| +|Discussion| There seem to be minimal/no guarantees on order of permission tuples when evaluated, combined with not truly random ids, might lead to various timing/sequencing attacks. Nation states, sophisticated attackers, and insider attackers, may have elevated privileges but might not want to directly attack the OpenFGA server in a detectable manner. They may also want to stealthily stage capabilities for future attacks and remain undetected and evade forensic analysis. These attackers will look for more complex attacks that are harder to detect. Object and tuple ids are not guaranteed to be cryptographically random, nor are there cryptographically strong assurances of object/tuple content, so collisons may be craftable by attackers and thus the combo of malicious insertions and collision crafting could potentially lead to attcks where a malicious tuple that allows an unauthorized action replaces the correct expected tuple, or malicious tuples are inserted in different orders. For example when a tuple is written to storage it deletes an existing tuple with the same unique id. If an attacker can craft collisions they might be able to subtly replace a good tuple with a malicious tuple. Also there is a tuple iterator "continuation token". The server uses the continuation token so that it does not "have to restart from scratch on system restart or on error". 
This seems also succeptible to specially crafted attacks where changes can be introduced that make insertion and collision attacks possible. More review and testing and ideally formal validation would be needed to prove that such insertion and collision attacks are impossible. Review of all code comments in the golang crypto libraries used, and support of true random number generation would be appropriate for high security environments. Given the limited time available, neither empirical testing nor formal analysis was possible. This should be a focus for further (post-doc/intern funding?) testing and review.| +|Suggested Mitigation|Ensure true random ids, add model/tuple/object hashes or signatures, enforce strict ordering guarantees to ensure evaluation in order, and add crypto safe uniqueness guarantees to make collision insertion attacks impossible.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + + +|Summary|INFORMATIONAL: AES and SH256 crypo use is subject to side channel attacks and speculative execution attaks.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|golang crypto lib AES256-GCM + SHA256 hashing of key material used by encryptor function is subject to side channel attacks and speculative execution attacks.| +|MITRE classification|TA0006: Credential Access -> T1110: Brute Force| +|Actors|openfga.server| +|Discussion|The golang AES GCM code says "If you want to convert a passphrase to a key, use a suitable package like bcrypt or scrypt." Simply hashing a secret and using that as a key is not sufficient. A good overview id [discussed here.](https://crypto.stackexchange.com/questions/68545/aes-why-is-it-a-good-practice-to-use-only-the-first-16-bytes-of-a-hash-for-encr). In short, hashes are specially designed for (quick) hashing, key derivation functions are designed specially and carefully for key derivation. Don't mix those use scenarios up. 
Further, while golang [has some special options](https://github.com/golang/go/wiki/Spectre/dac828df865fc0eb0fed2b7c477ef2c7863ee17d) - not compiled by default - for minimal defenses, golang's crypto package is not specifically defensive against side channel and [speculative execution](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/mitigate-timing-side-channel-crypto-implementation.html) [attacks](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/tuning-guides/software-techniques-for-managing-speculation.pdf). While this is not an OpenFGA specific weakness, given the central importance of an authorization service, it is easy to presume that attackers, especially nation state or inside attackers, would focus energy on the OpenFGA service and use these techniques. Using hardware crypo offloading and also hardening OpenFGA and contributing upstream crypto and golang hardening would improve the overall robustness.| +|Suggested Mitigation|Use a proper key derivation function for converting key material to an actual key for AES-GCM, eg. Argon2 or PBKDF. Support hardware offloading of all crypto operations. Review defensive recommendations for software side-channel and speculative execution attacks.| +|Impact (High/ Med/ Low)|High| +|Likelihood (High/ Med/ Low)|Low| + +## Security Hygiene and Secure Development Practices + +This section addresses questions related to project-level security decisions. + +|Summary|Core maintainers are all currently from Okta.| +|--|--| +|Discovered in self-assessment?|No| +|Weakness|Dependence on a single organization can impact governance and long term leadership of the project.| +|MITRE classification|N/A| +|Actors|N/A| +|Suggested Mitigation|CNCF should provide resources and support for the project to recruit and train additional maintainers who can both help improve security and participate longer term in project governance and design leadership. 
Additionally, CNCF member companies who use OpenFGA should consider investing staff time and funds to OpenFGA governance and security.| +|Impact (High/ Med/ Low)|N/A| +|Likelihood (High/ Med/ Low)|N/A| + +Opportunities for improvement include: + +- Multi-organizational ownership of security reporting +- A roadmap that demonstrates a strong consideration for security features +- Public documentation of the project's release versioning policy / Easily understandable release process +- Public release of security and vulnerability scans, eg. Snyk, after appropriate embargo + +### Release and Update Process + +#### Release Documentation + +| Aspect | Status | +|-------------------------------------|--------| +| Easily understandable release process | GitHub Actions Workflow `release.yml` is used for GitHub releases. Action fails but release succeeds. | +| Release versioning policy | Reportedly in progress. | + +#### Provenance Artifacts + +Artifacts included with each release: + +- Checksums +- Checksum.sig/pem +- in-toto + +#### User Instructions for Validating Artifact Signatures + +| Aspect | Status | +|---------------------------------|--------| +| Clear instructions are provided | Yes | +| Instructions are maintained independently from the release process. 
| [OpenFGA Provenance Implementation](https://github.com/openfga/community/blob/main/provenance-implementation/openfga.md) | + +### Reporting Security Incidents + +#### Security Reporting Method +| Aspect | Status | +|----------------------------|--------| +| Documentation Location | Project’s Security tab | +| Email | [security@openfga.dev](mailto:security@openfga.dev) | +| SLA | 5-day | +| Visibility Test Response | 2 minutes | + +#### Security Reporting Ownership + +| Aspect | Status | +|-------------------------------|--------------------------------------------| +| Bus-Proofing | Checked by at least 2 users, available to more | +| Layoff-Proofing | Not implemented; core maintainers are all currently from Okta | + +### Reducing Vulnerabilities Through Development + +| Aspect | Details | +|--------|---------| +| Secure Development Practices | Optional secure development training is provided by Okta. | Security Review is done for every feature addition. | +| Code Quality and Testing | CodeQL is used on every pull request. The team is confident in the test coverage. | +| Binary Management | CLOMonitor check passes, and the team is aware of the dangers of allowing binaries in the project. | +| OpenSSF Scorecard | Badge present. Score is 9.3, well above the average of 4. | +| OpenSSF Best Practices | Badge present. Passing grade. | +| CLOMonitor | 100% security score. | + +### Dependency Management + +| Aspect | Status | +|-----------------------------|--------| +| Lifecycle Policy | [Dependency Lifecycle Policy](https://github.com/openfga/openfga/blob/main/docs/dependencies-policy.md) | +| SCA Checks | - [Semgrep Workflow](https://github.com/openfga/openfga/blob/main/.github/workflows/semgrep.yaml)
- [Pull Request Workflow](https://github.com/openfga/openfga/blob/main/.github/workflows/pull_request.yaml)
- Dependabot | +| SCA Findings Review Process | Recommendations from Dependabot, Snyk, etc., are reviewed during a weekly meeting | + +### Security Champions + +The following maintainers take a special interest in project security: + +- Louis Jette +- Maria Ines Parnisari + +### Roadmapped Security Improvements + +- Increase OpenSSF Best Practices badge level. +- Implement a singleflight CheckResolver to avoid concurrent evaluation of overlapping subproblems. [#1301](https://github.com/openfga/openfga/issues/1301) + +## Security Issue Resolution + +### Responsible Disclosure + +OpenFGA vulnerability management is described in the official project security documentation [SECURITY.md](https://github.com/openfga/.github/blob/main/SECURITY.md). + +### Incident Response + +The OpenFGA maintainers bear the responsibility of monitoring and addressing reported vulnerabilities. Identified issues undergo prioritized triage, with immediate escalation upon confirmation. The triage process is conducted in private channels. + +Adhering to the GitHub security advisory process, OpenFGA initiates the CVE (Common Vulnerabilities and Exposures) request upon issue identification. The resolution is developed in a private branch associated with the CVE. + +Upon confirmation of the fix's effectiveness, it is released through a new patch for each major supported version of OpenFGA. + +The changelog will link to the CVE, which will describe the vulnerability and its mitigation. Any public announcements sent for these fixes will be linked to [the release notes](https://github.com/openfga/openfga/releases/tag/v1.3.2). + +All OpenFGA security issues can be found on the [Github advisories page](https://github.com/openfga/openfga/security/advisories). + +### Closed security issues and vulnerabilities + +At the time of the joint assessment, OpenFGA listed closed issues under the +[security](https://github.com/openfga/openfga/security) tab of the OpenFGA repo. 
+ +## Hands-on assessment + +The hands-on assessment is a lightweight review of the project's internal security as +well as the current recommendation configuration, deployment, and interaction +with regard to security. Hands-on assessments are subject to security reviewer +availability and expertise. They are not intended to serve as an audit or +formal assessment and are no guarantee of the actual security of the project. + +**OpenFGA did not receive a hands-assessment from TAG-Security.** + + + +## Roadmap + +* Project Next Steps. The team has created a [project](https://github.com/orgs/openfga/projects/8) under the OpenFGA organization to +track remediations for the findings from this joint assessment. The required +fixes are being undertaken by the project team. +* CNCF Requests. In the initial draft, please include whatever you believe the + CNCF could assist with that would increase security of the ecosystem. + +## Appendix + +* Known Issues Over Time. Past issues that have been publicly reported are listed +under [security issues](https://github.com/openfga/openfga/security) tab in the repository. This is not +a comprehensive list of all security issues. + +### Case Studies + +The [list](https://github.com/openfga/community/blob/main/ADOPTERS.md) of projects that utilize OpenFGA include Okta FGA, Twintag, Mapped, Procure Ai,Canonical (Juju & LFX), Wolt, Italarchivi, Read AI, Virtool, Configu, Fianu Labs, and ExcID. + +### Related Projects/Vendors + +The list of related projects is available as a [community resource](https://github.com/openfga/community/blob/main/related-projects.md) From affa4624cda22a26295b8b9c3c6cff6f129b3465 Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Wed, 31 Jul 2024 16:29:54 -0400 Subject: [PATCH 40/47] Update joint-review.md (#1329) Fixing broken links in the issue template Signed-off-by: Justin Cappos --- .github/ISSUE_TEMPLATE/joint-review.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
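Review bot: several MITRE ATT&CK mappings in the Threat Model tables of this new file do not fit the finding they annotate and should be corrected before the document is published. The "DDOS attack on openfga server" finding is mapped to TA0005: Defense Evasion -> T1562: Impair Defenses, but a denial of service belongs under TA0040: Impact -> T1498: Network Denial of Service (or T1499: Endpoint Denial of Service); the "Helm chart runs containers with higher privilege" finding lists T1203: Exploitation for Client Execution, which is a client-side exploitation technique and adds nothing to the T1611: Escape to Host and T1548 entries already there; the "AES and SH256" side-channel finding is mapped to T1110: Brute Force, which is unrelated to timing or speculative-execution attacks; "Usage of PII as part of Tuples" is mapped to T1586: Compromise Accounts and "The openfga API endpoint does not support fga" to T1585: Establish Accounts, both Resource Development techniques that describe attacker infrastructure rather than the data-exposure and over-broad-admin weaknesses described. Separately, the pre-shared-key weakness appears twice with inconsistent ratings: "Authenticating with shared keys allows keys to be added to the list" already cites brute-forcing with Likelihood Low, while the later INFORMATIONAL "Fixed API access tokens are susceptible to brute force attacks" rates the same weakness Likelihood Med; merge them or explain why the likelihoods differ.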
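Review bot: the "AES and SH256 crypo" finding's suggested mitigation (Argon2 or PBKDF) only applies if the encryptor's input is a low-entropy passphrase, and the Go documentation the Discussion cell quotes ("If you want to convert a passphrase to a key...") is about exactly that case. If the "key material" handed to the encryptor is already a random, full-entropy key, hashing it with SHA-256 (or running it through HKDF) is an accepted derivation and a memory-hard password KDF would add cost without adding security. The finding should state what the input to the encryptor actually is before recommending Argon2, and the side-channel/speculative-execution point should be split out as its own item, since it concerns the platform and the Go crypto package rather than the choice of KDF and is not addressed by changing the derivation. The summary row also needs "SH256 crypo" -> "SHA-256 crypto" and "attaks" -> "attacks".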
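Review bot: "Action fails but release succeeds" in the Release Documentation table is a release-process finding, not a status: if `release.yml` reports failure while the release, the checksum signature and the in-toto attestation are still published, readers cannot tell whether the provenance artifacts listed under "Provenance Artifacts" are produced by a step that ran before or after the failing one. Move this into the Security Hygiene findings as its own row, say which step fails, and confirm whether the signed checksums and in-toto material are complete when it does; otherwise the "Clear instructions are provided: Yes" row for signature validation rests on artifacts of unknown integrity.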
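Review bot: document hygiene items in the new file that should be fixed before merge. The cross-reference under "Further opportunities for improvement are listed under the ... section" links to `#security-hygiene-and-secure-sevelopment-practices`, which does not match the heading "Security Hygiene and Secure Development Practices" (anchor should read `#security-hygiene-and-secure-development-practices`). The Roadmap section still carries template text ("CNCF Requests. In the initial draft, please include whatever you believe the CNCF could assist with...") that should be filled in or removed. The first row of the "Reducing Vulnerabilities Through Development" table has three cells in a two-column table (`| Secure Development Practices | Optional secure development training is provided by Okta. | Security Review is done for every feature addition. |`), so the last cell will render outside the table. The Incident Response paragraph links "the release notes" to a fixed tag (`releases/tag/v1.3.2`) rather than the releases page, which will go stale. Spelling to correct: "arbitraty", "requrire", "understanfing", "imporant", "confiuration" (twice), "failute", "emmitted", "Already bring addresed", "that his be avoided", "succeptible", "collisons", "attcks", "OSCP" (should be OCSP), "hands-assessment" (hands-on assessment), and the missing space in "Procure Ai,Canonical".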
diff --git a/.github/ISSUE_TEMPLATE/joint-review.md b/.github/ISSUE_TEMPLATE/joint-review.md index 33e49e268..0528092aa 100644 --- a/.github/ISSUE_TEMPLATE/joint-review.md +++ b/.github/ISSUE_TEMPLATE/joint-review.md @@ -23,10 +23,10 @@ Security Provider: yes/no (e.g. Is the primary function of the project to suppor - [ ] Project security lead - [ ] Lead security reviewer - [ ] 1 or more additional reviewer(s) - - [ ] Every reviewer has read [security reviewer guidelines](/community/assessments/guide/security-reviewer.md) and stated declaration of conflict + - [ ] Every reviewer has read [security reviewer guidelines](/community/assessments/guide/joint-assessment.md) and stated declaration of conflict - [ ] Sign off by facilitator on reviewer conflicts - [ ] Create slack channel (e.g. #sec-assess-projectname) -- [ ] Project lead provides draft document - see [outline](/community/assessments/guide/joint-review.md) +- [ ] Project lead provides draft document - see [outline](/community/assessments/guide/joint-assessment.md) - [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions - [ ] Assign issue to security reviewers - [ ] Initial review From 8db0a2d95b6ea2e2066bb17e5056eec7c17b1e08 Mon Sep 17 00:00:00 2001 From: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> Date: Wed, 31 Jul 2024 17:05:42 -0400 Subject: [PATCH 41/47] Update TAG Security Documents: README and Charter (#1316) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * update tag documents Signed-off-by: riaan kleinhans md lint Signed-off-by: riaan kleinhans rename file Signed-off-by: riaan kleinhans lint fix Signed-off-by: riaan kleinhans spell file Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans * Update README.md Signed-off-by: Eddie Knight * Update tag-emeritus-leaders.md Signed-off-by: Eddie Knight * Update tag-emeritus-leaders.md 
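Review bot: after this hunk both checkboxes link to the same file, `/community/assessments/guide/joint-assessment.md`: the "security reviewer guidelines" checkbox (which also covers the conflict declaration) and the "outline" checkbox for the draft document. If joint-assessment.md contains both the reviewer guidelines and the document outline, that is fine, but if the reviewer guidelines now live in a separate file this fixes the 404 by pointing at the wrong target. Consider linking the reviewer checkbox to the specific section anchor within joint-assessment.md so the two items stay distinguishable for reviewers working through the template.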
Signed-off-by: Eddie Knight * Update README.md Signed-off-by: Eddie Knight * lint error Signed-off-by: riaan kleinhans * lint Signed-off-by: riaan kleinhans * lint Signed-off-by: riaan kleinhans * Update README.md Co-authored-by: Andrés Vega Signed-off-by: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> * nits Signed-off-by: riaan kleinhans * nits Signed-off-by: riaan kleinhans * nit Signed-off-by: riaan kleinhans --------- Signed-off-by: riaan kleinhans Signed-off-by: Eddie Knight Signed-off-by: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> Co-authored-by: riaan kleinhans Co-authored-by: Eddie Knight Co-authored-by: Andrés Vega Co-authored-by: Eddie Knight --- README.md | 40 ++----- community/assets/tag-emeritus-leaders.md | 17 +++ governance/README.md | 2 +- governance/charter.md | 141 ----------------------- 4 files changed, 26 insertions(+), 174 deletions(-) create mode 100644 community/assets/tag-emeritus-leaders.md delete mode 100644 governance/charter.md diff --git a/README.md b/README.md index 83d4bd165..94e4ddb32 100644 --- a/README.md +++ b/README.md 
@@ -74,36 +74,13 @@ Explore groups affiliated with or relevant to Security TAG [here](governance/rel -### Security TAG Chairs - -| Name | Organization | Term | Handle | -|-----------------------|------------------------|---------------------|-----------| -| Pushkar Joglekar | Independent | June, 2023 - June, 2025 | @PushkarJ | -| Marina Moore | Independent | October, 2023 - October, 2025 | @mnm678 | -| Eddie Knight | Sonatype | May, 2024 - May, 2026 | @eddie-knight | - -### Tech Leads - -| Name | Organization | Handle | -|-----------------------|------------------------|---------------------| -| Justin Cappos | New York University | @JustinCappos | -| Ash Narkar | Styra | @ashutosh-narkar | -| Andrés Vega | M42 | @anvega | -| Ragashree Shekar | Independent | @ragashreeshekar | -| Michael Lieberman | Kusari | @mlieberman85 | -| John Kjell | TestifySec | @jkjell | - -### Security TAG Chair Emeriti - -| Name | Organization | Term | Handle | -|-----------------------|------------------------|---------------------|-----------| -| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw | -| Sarah Allen | | June, 2019 - June, 2021 | @ultrasaurus | -| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj | -| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork | -| Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb | -| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | -| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| +## Leadership + +Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [CNCF Technical Advisory Groups (TAGs) information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md) + +## TAG Emeritus Leaders + +Thank you to all the [tag emeritus leaders](/community/assets/tag-emeritus-leaders.md) for your contributions to the success of this community. ### Working Groups 
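Review bot: the heading levels introduced in this hunk are inconsistent with the surrounding README. The removed sections were H3 (`### Security TAG Chairs`, `### Tech Leads`, `### Security TAG Chair Emeriti`) and the unchanged context that follows is `### Working Groups`, but the replacements are H2 (`## Leadership`, `## TAG Emeritus Leaders`), so Working Groups now renders as a subsection of TAG Emeritus Leaders. Use `### Leadership` and `### TAG Emeritus Leaders`, or promote the following sections to match.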
@@ -129,5 +106,4 @@ For [CNCF project proposal process](https://github.com/cncf/toc/blob/main/proces create a new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name) with a -[self-assessment](/community/assessments/guide/self-assessment.md) -. +[self-assessment](/community/assessments/guide/self-assessment.md). diff --git a/community/assets/tag-emeritus-leaders.md b/community/assets/tag-emeritus-leaders.md new file mode 100644 index 000000000..84cf3bc8f --- /dev/null +++ b/community/assets/tag-emeritus-leaders.md @@ -0,0 +1,17 @@ +# TAG Security Chair Emeriti + +A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! + + + +| Name | Organization | Term | Handle | +|-----------------------|------------------------|---------------------|-----------| +| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw | +| Sarah Allen | | June, 2019 - June, 2021 | @ultrasaurus | +| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj | +| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork | +| Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb | +| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | +| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| + + diff --git a/governance/README.md b/governance/README.md index 0e2159d00..6ca5f5db6 100644 --- a/governance/README.md +++ b/governance/README.md 
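Review bot: the intro paragraph of the new `community/assets/tag-emeritus-leaders.md` links to `/tag-emeritus-leaders.md`, a root-level path that does not exist (the file is created under `community/assets/`), and since that sentence lives in the same file the link would at best point at itself; drop the link and keep the plain text "A big thank you to all the tag emeritus leaders of this TAG!", or use the real path. The file also ends with several empty `+` lines before the next `diff --git`, which the markdown lint run in this series (`make lint`) is likely to flag as trailing blank lines.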
@@ -3,7 +3,7 @@ Security TAG is a [CNCF Technical Advisory Group](https://github.com/cncf/toc/tree/main/tags). -* [Charter](charter.md) - mission and scope +* [Charter](https://github.com/cncf/toc/tree/main/tags/tag-charters/security-charter.md) - mission and scope * [Roles](roles.md) - the work of the group is facilitated by Chairs, Technical Leads, and active group members * [Process](process.md) - how projects are proposed and work is tracked diff --git a/governance/charter.md b/governance/charter.md deleted file mode 100644 index 72238b5e5..000000000 --- a/governance/charter.md +++ /dev/null 
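Review bot: the new charter link in `governance/README.md` uses `.../tree/main/tags/tag-charters/security-charter.md` for a file; GitHub redirects `tree` to `blob` for files, but the canonical `blob` form avoids the redirect and matches the `blob/main/tags/cncf-tags.md` link added to README.md in the same patch. Since `governance/charter.md` is deleted below and the diffstat shows only README.md and governance/README.md being updated, run the repository's link check (`make links`) to confirm no other page still points at `charter.md`.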
@@ -1,141 +0,0 @@ -# Security TAG Charter - -This charter describes operations as a [CNCF TAG](https://github.com/cncf/toc/tree/main/tags). -The [Focus](#focus) section below describes what is in and out of scope, -and [Governance](#governance) section describes how our operations are consistent -with CNCF policies with links to more detailed documents. - -**Mission:** to reduce risk that cloud native -applications expose end user data or allow other unauthorized access. - -## Motivation - -Security has been an area in which open source can flourish and sometimes -has done so; however, with cloud native platforms and applications, security -has received less attention than other areas of the cloud native landscape. - -This means that there is less visibility about the internals of security -projects, and fewer projects being deeply integrated into cloud native tooling. -While there are many open source security projects, there are fewer security -experts focused on the cloud native ecosystem. This has contributed to a culture -where people feel they cannot understand how to securely set up and operate -cloud native systems, due to obscurity and uncertainty. Cloud native principles -have encouraged the development of tools that help manage fast changing -environments, and which have the promise of both simplifying and improving -security. - -Making security more open and understandable is an essential part of this -change. Talking to customers, security is the most important and least -understood part of the cloud native transition. Security is not an easy field, -and it is difficult to measure and value the inputs precisely, which can also -cause issues with evaluation of security software and designs. - -Distributed deployments across heterogeneous infrastructure are increasingly -common for cloud native applications. -Without common ways to programmatically ensure consistent policy, -it is increasingly difficult to evaluate system architecture security at scale. 
-Emerging common architectural patterns offer the opportunity -improve overall security in cloud native systems. - -## Focus - -In addition to the [CNCF security-related projects](https://landscape.cncf.io/?group=projects-and-products&view-mode=grid&tag=security), there -are three key focus areas: - -* Protection of heterogeneous, distributed and fast changing systems, while -providing needed access -* Common understanding and common tooling to help developers meet security -requirements -* Common tooling for audit and reasoning about system properties. - -### In scope - -Terminology note: Security TAG uses the term "end user" to describe the humans -who use cloud native applications, whereas CNCF refers to companies that operate -cloud native systems as CNCF End Users. In the context of security, we often -need to discuss how a particular control affects the people who use the software -deployed by a company or organization. - -When we use the word "security" within this group, it is defined to be inclusive -of concerns that affect the integrity of the a cloud native -system or the privacy of its users, specifically how to enable secure -access, policy control and safety for operators, administrators, -developers, and end-users across the cloud native ecosystem. - -Security TAG will consider [proposals](process.md) from its members or delegated -tasks from the CNCF TOC that are consistent with the mission, including -the following activities: - -* Publish educational resources on cloud native security - * Videos and/or slides from invited presentations by security providers and - use cases - * Answer the following questions (referring to already existing resources - where possible): - * What is different about cloud security? (including hybrid and multi-cloud) - * What are effective practices for implementing policy controls? - * How can we test, validate, explain, audit our systems? 
- * What additional measures are needed, specific to cloud, in highly - regulated environments? - * Personas and use cases - * Common vocabulary to talk about and understand cloud native security - * CNCF project ecosystem & landscape - * Define security scenarios (e.g. network configuration, application security, - service orchestration) - * Block architecture(s) for secure access - * Highlight trade-offs (e.g. Expressibility vs Explainability) - * Best practices and anti-patterns (potentially highlighting where there is - disagreement on these) -* Security assessments of specific proposals or projects -* Identify projects for consideration for CNCF -* Cross-pollinate knowledge by participating and inviting people from other projects and TAGs to share security practices -* Integrate relevant external standards, such as from OpenSSF or NIST, as part of educational resources and/or TAG processes - -Given that the group is comprised of volunteers, specific requests from the TOC -may be queued according to the bandwidth of the group. The co-chairs will -facilitate prioritization under the guidance of the Security TAG TOC liaison. - -### Out of scope - -* Not a standards body: We won't be creating standards. -* Not an umbrella organization: We interact with other groups for knowledge - sharing, not decision-making. -* Not a compliance body -* Not a certification board for security of individual projects -* We will not - * answer any specific questions regarding the state of security of any project - or product - * consider device security unless there is some impact to cloud systems. - * explore trust and safety concerns that are not specific to cloud - (e.g. fraud detection, user generated content moderation, spam filtering, - phishing, cross-site scripting attacks, SQL injection, etc.) -* We will not ensure the safety of any operational system. -* This is not related to vulnerability detection and handling any specific - security vulnerability or attack. 
- -## Governance - -Security must be addressed at all levels of the stack and across the whole -ecosystem, so the group seeks to encourage participation and membership across -a wide range of roles, from diverse companies and organizations. - -### Cross-group relationships - -To focus our efforts, we avoid duplication by developing relationships with -other groups that -focus on a particular technology (such as Kubernetes SIGs) or have a broader -mandate (such as government organizations). - -As a guide to visitors, we maintain the list of groups in the TAG -[README](https://github.com/cncf/tag-security#related-groups). - -Co-chairs are responsible to ensure periodic cross-group knowledge sharing, -which is accomplished by cross-group membership, invitation to present at -a TAG meeting and/or offering to present to the related group. - -## Operations - -Security TAG operations are consistent with standard TAG operating guidelines -provided by the CNCF Technical Oversight Committee -[TOC](https://github.com/cncf/toc). - -Full details of process and roles are linked from [governance README](/governance). From 282719f876b235c9dcb80698c3da7a1ab7469c76 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Thu, 1 Aug 2024 10:52:06 -0400 Subject: [PATCH 42/47] Add moving levels template (#1331) * Add initial template for projects moving levels Signed-off-by: Marina Moore * Add moving levels template to presentation template Signed-off-by: Marina Moore * Fix linting errors Signed-off-by: Marina Moore * More linting fixes Signed-off-by: Marina Moore --------- Signed-off-by: Marina Moore --- .github/ISSUE_TEMPLATE/presentation.md | 1 + .../moving-levels-review-template.md | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 project-resources/moving-levels-review-template.md diff --git a/.github/ISSUE_TEMPLATE/presentation.md b/.github/ISSUE_TEMPLATE/presentation.md index 82695288e..f8dd02d04 100644 --- a/.github/ISSUE_TEMPLATE/presentation.md 
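Review bot: this hunk deletes the whole 141-line charter, including the Mission, In scope and Out of scope sections, with no in-repo replacement, and the commit message above ("Update README.md", "lint", "nits") gives no rationale; state in the message that the charter now lives in the cncf/toc repository at the `security-charter.md` path linked from governance/README.md, so `git log` explains why the file vanished and reviewers can check that the external copy carries the same content.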
+++ b/.github/ISSUE_TEMPLATE/presentation.md @@ -20,3 +20,4 @@ TO DO - [ ] TAG Representative - [ ] Schedule date - [ ] By opening this issue, I, (Insert Github Handle/Name) acknowledge that the presentation topic and speaker will follow the [presentation guidelines](../CONTRIBUTING.md#present-to-the-tag) +- [ ] If this is a presentation for a project moving levels, the TAG Representative should complete the [Moving Levels Recommendation](../project-resources/moving-levels-review-template.md) diff --git a/project-resources/moving-levels-review-template.md b/project-resources/moving-levels-review-template.md new file mode 100644 index 000000000..a160e5b7d --- /dev/null +++ b/project-resources/moving-levels-review-template.md @@ -0,0 +1,37 @@ +# Template for TAG recommendation to TOC + +## Project Overview + +### Ecosystem Adoption + +What ecosystem adoption has the project seen? + +### Past TOC Reviews + +How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)? + +## Security Reviews + +### TAG Security Assessments + +Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture. + +### Security Audit + +Has the project completed an external security audit? If yes, how have they addressed the findings? + +## Best Practices + +### Metrics + +Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics? + +### Static Analysis + +Does the project perform static analysis? + +## Sub-project Considerations + +If the project has sub-projects, how does their security posture compare to the base project? + +## TAG Recommendation to the TOC From b3c06f16941c49b3f9461ec5d70668de1d2052ce Mon Sep 17 00:00:00 2001 
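Review bot: in `.github/ISSUE_TEMPLATE/presentation.md` the added checklist item links to `../project-resources/moving-levels-review-template.md`, but relative to that file `..` is `.github/`, while the template is created at repo root `project-resources/`; use `../../project-resources/...` or a root-anchored path such as `/project-resources/moving-levels-review-template.md`, the form README.md already uses for `/community/assessments/guide/self-assessment.md`.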
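Review bot: in the new `moving-levels-review-template.md` the "Security Audit" section asks whether an external audit was completed and how findings were addressed but, unlike the "TAG Security Assessments" section, does not ask for a link to the report; adding "If yes, please add a link" there keeps the two sections parallel and gives the TOC the evidence to verify the answer. The file also ends on the bare "## TAG Recommendation to the TOC" heading with nothing under it; a one-line prompt (the recommended level and any conditions, for instance) would tell the TAG representative what is expected in that section.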
From: Chris Abraham Date: Wed, 7 Aug 2024 09:48:11 +0700 Subject: [PATCH 43/47] Add pages for Supply Chain Security Tools Mappings (#1319) * Don't store search increments in the browser history Signed-off-by: Chris Abraham * Add pages for Supply Chain Security Tools Mappings Signed-off-by: Chris Abraham * update copy Signed-off-by: Chris Abraham * fix lint and spelling Signed-off-by: Chris Abraham * Reformat requirements sections Signed-off-by: Chris Abraham * Fill out requirements Signed-off-by: Chris Abraham --------- Signed-off-by: Chris Abraham --- ci/spelling-config.json | 2 + .../supply-chain-security-tools/README.md | 11 + .../securing-artifacts.md | 108 +++++++ .../securing-build-pipelines.md | 272 ++++++++++++++++++ .../securing-deployments.md | 42 +++ .../securing-materials.md | 109 +++++++ .../securing-source-code.md | 156 ++++++++++ website/layouts/_default/search.html | 2 +- 8 files changed, 701 insertions(+), 1 deletion(-) create mode 100644 publications/supply-chain-security-tools/README.md create mode 100644 publications/supply-chain-security-tools/securing-artifacts.md create mode 100644 publications/supply-chain-security-tools/securing-build-pipelines.md create mode 100644 publications/supply-chain-security-tools/securing-deployments.md create mode 100644 publications/supply-chain-security-tools/securing-materials.md create mode 100644 publications/supply-chain-security-tools/securing-source-code.md diff --git a/ci/spelling-config.json b/ci/spelling-config.json index eabc7a458..2d2989db1 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -60,6 +60,8 @@ "frontmatter", "Gamal", "gconv", + "gitsign", + "gittuf", "GUAC", "helm", "HIPAA", diff --git a/publications/supply-chain-security-tools/README.md b/publications/supply-chain-security-tools/README.md new file mode 100644 index 000000000..1d80eade9 --- /dev/null +++ b/publications/supply-chain-security-tools/README.md 
@@ -0,0 +1,11 @@ +# Supply Chain Security Tools Mappings + +{{% blocks/lead color="white" align="left" %}} +Find out what tools are used to secure the supply chain. Explore the general requirement categories below. +{{% /blocks/lead %}} + +1. [Securing the Source Code](securing-source-code.md) +2. [Securing Materials](securing-materials.md) +3. [Securing Build Pipelines](securing-build-pipelines.md) +4. [Securing Artifacts](securing-artifacts.md) +5. [Securing Deployments](securing-deployments.md) diff --git a/publications/supply-chain-security-tools/securing-artifacts.md b/publications/supply-chain-security-tools/securing-artifacts.md new file mode 100644 index 000000000..91bbdbf33 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-artifacts.md 
@@ -0,0 +1,108 @@ +# Securing Artifacts + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Sign Every Step in the Build Process + +### Tool capability + +- sign attestations for every step in the build process +- define all expected steps in the build process with identities + +### Tools + +- SLSA (level 1) +- in-toto +- Tekton (chains) + +## 2. Validate the Signatures Generated at Each Step + +### Tool capability + +- verify attestations of every step + +### Tools + +- in-toto +- Kyverno (signatures of output images are verified before running containers) + +## 3. Use TUF/Notary to manage signing of artefacts + +### Tool capability + +- delegate trust for specific artifacts to specific developers +- enable developer signing of metadata +- prevent rollback attacks on developer signatures + +### Tools + +- TUF +- Tekton (chains uses Sigstore) +- Kyverno (Kyverno supports Sigstore) + +## 4. Use a store to manage metadata from in-toto + +### Tool capability + +- store in-toto metadata + +### Tools + +- Sigstore (Rekor?) +- in-toto (integrated with Rekor, Grafeas, Archivist etc.) +- Tekton (chains) + + +## 5. Limit which artefacts any given party is authorized to certify + +### Tool capability + +- specify trusted entities for each artifact in policy +- enforce this limitation + +### Tools + +- in-toto +- TUF +- Kyverno (Kyverno policy on who is trusted for each signature) + + +## 6. Build in a system for rotating and revoking private keys + +### Tool capability + +- change policy to revoke a trusted key +- change policy to rotate a trusted key +- communicate these changes to users + +### Tools + +- Sigstore (Fulcio) +- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF) +- TUF +- SPIFFE + +## 7. 
Use a container registry that supports OCI image-spec images + +### Tool capability + +- follow the OCI spec + +### Tools + +- Sigstore (cosign) +- Tekton (Pipelines and Chains) +- Kyverno (Kyverno works with OCI registries) + +## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities + +### Tool capability + +- create policy for which platforms have decryption capabilities +- enforce this policy + +### Tools + +- _none_ diff --git a/publications/supply-chain-security-tools/securing-build-pipelines.md b/publications/supply-chain-security-tools/securing-build-pipelines.md new file mode 100644 index 000000000..760f9ed05 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-build-pipelines.md 
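Review bot: in `securing-artifacts.md` item 4 lists "Sigstore (Rekor?)" with the question mark still in place; resolve whether Rekor is the intended component before this is published, as the other Sigstore entries name a specific component (cosign, Fulcio). Item 3's heading names "TUF/Notary" but the tool list under it has no Notary entry, so either add one or drop it from the heading, and the page mixes "artefacts" (items 3, 5, 8) with "artifacts" (item 1 and the capability bullets); pick one spelling.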
@@ -0,0 +1,272 @@ +# Securing Build Pipelines + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing build pipelines. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Cryptographically guarantee policy adherence + +### Tool capability + +- attest to steps +- verify policy adherence +- define the policy + +### Tools + +- SLSA (level 1) +- in-toto + + +## 2. Validate environments and dependencies before usage + +### Tool capability + +- validate dependencies +- validate environments +- verify signatures on build images + +### Tools + +- in-toto (in-toto can wrap the fetch / bootstrap processes and metadata can be consumed by upper-turtle processes via sublayouts) +- SPIFFE (validates environments) +- Tekton (there is an open TEP to integrate with SPIFFE to validate node/workload) +- Kyverno (If the environment is a container, Kyverno can verify the policy (allowed source, signer)) + +## 3. Validate runtime security of build workers + +### Tool capability + +- monitor runtime processes +- attest to runtime operations +- verify runtime attestations +- trusted execution environment + +### Tools + +- in-toto (runtime trace attestations) + +## 4. Validate Build artifacts through verifiably reproducible builds + +### Tool capability + +- make reproducible build +- re-build images in isolated environments (security enclaves/trust boundaries) +- validate builds from multiple sources + +### Tools + +- in-toto +- apko + +## 5. Lock and Verify External Requirements From The Build Process + +### Tool capability + +- lock and record external requirements +- verify external requirements + +### Tools + +- apko + +## 6. Find and Eliminate Sources Of Non-Determinism + +### Tool capability + +- make diffs of builds + +### Tools + +- apko + +## 7. 
Record The Build Environment + +### Tool capability + +- record the build environment + +### Tools + +- SLSA (level 3) +- in-toto (in-toto provides the formats, it's unopinionated about what's recorded) +- apko +- Tekton (Chains) + +## 8. Automate Creation Of The Build Environment + +### Tool capability + +- environment creation automation + +### Tools + +- apko +- Tekton (Pipelines) + +## 9. Distribute Builds Across Different Infrastructure + +### Tool capability + +- define multiple infrastructure setups +- run builds in multiple environments + +### Tools + +- Tekton (Pipelines) + +## 10. Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code + +### Tool capability + +- define pipeline in code +- run pipeline as code + +### Tools + +- SLSA (level 1) +- apko +- Tekton (Pipelines) + +## 11. Standardize pipelines across projects + +### Tool capability + +- _none_ + +### Tools + +- Tekton (Pipelines) + +## 12. Provision a secured orchestration platform to host software factory + +### Tool capability + +- perform secure orchestration + +### Tools + +- Tekton (Pipelines) + +## 13. Build Workers Should be Single Use + +### Tool capability + +- single-use containerized builders +- verify that builders are single use +- attest to build identity + +### Tools + +- SLSA (level 3) +- in-toto (can be validated via runtime trace attestations) +- Tekton (Pipelines) + +## 14. Ensure Software Factory has minimal network connectivity. + +### Tool capability + +- check for and monitor network connections + +### Tools + +- SLSA (level 3) +- in-toto (can be validated via runtime trace attestations) + +## 15. Segregate the Duties of Each Build Worker + +### Tool capability + +- define scope of each build worker +- attest to which build worker performs each action +- verify that build workers follow the policy + +### Tools + +- in-toto +- Tekton (Pipelines) + +## 15. 
Pass in Build Worker Environment and Commands + +### Tool capability + +- provision build workers with environment and commands within a hermetic build environment + +### Tools + +- in-toto (can be validated via runtime trace attestations) +- Tekton (Pipelines) + +## 16. Write Output to a Separate Secured Storage Repo + +### Tool capability + +- secured storage repo + +### Tools + +- Sigstore (Rekor) +- in-toto (depending on where you put the in-toto metadata) + +## 17. Only allow pipeline modifications through "pipeline as code" + +### Tool capability + +- attest to pipeline state and modifications +- verify that pipeline modifications are made through pipeline as code +- ensure pipeline goes through source control + +### Tools + +- SLSA (level 3) +- Tekton (Pipelines) + +## 18. Define user roles + +### Tool capability + +- define user roles +- attest to role for each action +- enforce user roles + +### Tools + +- in-toto + +## 19. Follow established practices for establishing a root of trust from an offline source + +### Tool capability + +- securely distribute root of trust +- chain from existing trusted root + +### Tools + +- TUF + +## 20. Use short-lived Workload Certificates + +### Tool capability + +- create short-lived certificates +- verify short-lived certificates using their validity period +- verify that workload certificates are short-lived + +### Tools + +- in-toto (integrates with SPIFFE/SPIRE) +- SPIFFE +- Tekton (TEP to integrate with SPIRE) + +## 21. Deploy monitoring tools to software factory to detect malicious behaviour + +### Tool capability + +- runtime monitoring +- analysis of built artifacts + +### Tools + +- in-toto (runtime trace attestations generated using tools like tetragon) +- SPIFFE +- Tekton (TEP to integrate with SPIRE) diff --git a/publications/supply-chain-security-tools/securing-deployments.md b/publications/supply-chain-security-tools/securing-deployments.md new file mode 100644 index 000000000..f37396ebc --- /dev/null 
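Review bot: in `securing-build-pipelines.md` the heading "## 15." is used twice, for "Segregate the Duties of Each Build Worker" and again for "Pass in Build Worker Environment and Commands", so every heading after it is off by one and the page ends at 21 instead of 22; renumber from the second 15 onward. Item 11 ("Standardize pipelines across projects") lists `_none_` under Tool capability yet names Tekton (Pipelines) as a tool for it; either state the capability (shared pipeline definitions, for instance) or mark the tool list `_none_` as the other pages do when nothing fits.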
+++ b/publications/supply-chain-security-tools/securing-deployments.md @@ -0,0 +1,42 @@ +# Securing Deployments + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing deployments. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Ensure clients can perform Verification of Artefacts and associated metadata + +### Tool capability + +- perform client verification + +### Tools + +- Sigstore (cosign) +- in-toto (in-toto implementations support verification of metadata against layouts) +- TUF +- Tekton (chains with sigstore) +- Kyverno (Kyverno policies validate artifacts and metadata) + + +## 2. Ensure clients can verify the "freshness" of files + +### Tool capability + +- verify freshness of files + +### Tools + +- Sigstore (Rekor) +- TUF + +## 3. Use The Update Framework + +### Tool capability + +- support TUF metadata creation +- support TUF metadata verification + +### Tools + +- TUF diff --git a/publications/supply-chain-security-tools/securing-materials.md b/publications/supply-chain-security-tools/securing-materials.md new file mode 100644 index 000000000..78b8e2a37 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-materials.md 
@@ -0,0 +1,109 @@ +# Securing Materials + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing materials. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Verify third party artefacts and open source libraries + +### Tool capability + +- attest to review +- verify review attestations + +### Tools + +- in-toto (can be validated via alpha-omega attestations, review attestations) + + +## 2. Require SBOM from third party supplier + +### Tool capability + +- generate accurate SBOM +- verify SBOM existence +- verify SBOM accuracy + +### Tools + +- _none_ + +## 3. Track dependencies between open source components + +### Tool capability + +- create accurate SBOM +- update SBOM + +### Tools + +- _none_ + +## 4. Build libraries based upon source code + +### Tool capability + +- attest to build +- verify attestation of build +- maintain list of trusted sources for built software +- attestation from third-party builder/distributor +- publish hashes for pre-built software + +### Tools + +- in-toto +- apko + +## 5. Define and prioritize trusted package managers and repositories + +### Tool capability + +- define trusted/prioritized repositories +- enforce the priority + +### Tools + +- TUF + +## 6. Generate an immutable SBOM of the code + +### Tool capability + +- generate an accurate SBOM (signed) + +### Tools + +- in-toto (SBOM attestations) +- apko + +## 7. Scan software for vulnerabilities + +### Tool capability + +- scan the software + +### Tools + +- in-toto + +## 8. Scan software for license implications + +### Tool capability + +- scan the software + +### Tools + +- _none_ + +## 9. Run software composition analysis on ingested software + +### Tool capability + +- run software composition analysis +- ingest an SBOM +- verify an SBOM's claims + +### Tools + +- _none_ 
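Review bot: in `securing-materials.md` item 7 ("Scan software for vulnerabilities") lists in-toto as the tool for the capability "scan the software" without qualification; in-toto does not scan, it records attestations, and the other in-toto entries in this PR say what it attests to ("in-toto (SBOM attestations)" in item 6, "in-toto (test result attestations)" in securing-source-code item 5), so write "in-toto (scan result attestations)" here, or list `_none_` as items 8 and 9 do if no mapped tool performs the scan itself.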
diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md new file mode 100644 index 000000000..7476b7305 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-source-code.md 
@@ -0,0 +1,156 @@ +# Securing the Source Code + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code, which is a subcategory of the overall requirements for supply chain security. For each requirement is a list of tools used to meet that requirement. +{{% /blocks/lead %}} + +## 1. Require signed commits + +### Tool capability + +- sign commits +- verify signed commits + +### Tools + +- Sigstore (gitsign) +- gittuf +- GUAC + +## 2. Enforce full attestation and verification for protected branches + +### Tool capability + +- monitor protected branches + +### Tools + +- gittuf + +## 3. Prevent committing secrets to the source code repository + +### Tool capability + +- check commits +- verify that no secrets are in the repository + +### Tools + +- _none_ + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +### Tool capability + +- verifying coding conventions + +### Tools + +- GitHub +- gittuf +- GUAC + +## 5. Automate software security scanning and testing + +### Tool capability + +- scan software +- perform tests +- automation at build time +- automation at production time +- determine what to do with scan results + +### Tools + +- in-toto (test result attestations) + +## 6. Establish and adhere to contribution policies + +### Tool capability + +- check for contribution guidelines +- DCO + +### Tools + +- GitHub + +## 7. Define roles aligned to functional responsibilities + +### Tool capability + +- none + +### Tools + +- GitHub +- gittuf + +## 8. Enforce an independent four-eyes principle + +### Tool capability + +- require review before merge +- attest to a review +- verify attestation of review + +### Tools + +- SLSA (level 4) +- in-toto (threshold of human review attestations) +- GitHub + + +## 9. 
Use branch protection rules + +### Tool capability + +- verify branch protection is turned on over time + +### Tools + +- GitHub +- gittuf + +## 10. Enforce MFA for accessing source code repositories + +### Tool capability + +- enable MFA +- verify MFA is enabled for all contributors + +### Tools + +- GitHub + +## 11. Use SSH keys to provide developers access to source code repositories + +### Tool capability + +- enforce that ssh keys are used (and disable https) + +### Tools + +- GitHub + +## 12. Have a Key Rotation Policy + +### Tool capability + +- key expiration +- key distribution/PKI for ssh + +### Tools + +- gittuf + +## 13. Use short-lived/ephemeral credentials for machine/service access + +### Tool capability + +- require short-lived credentials + +### Tools + +- SPIFFE (maybe, spiffe does short-lived credentials, but not sure if anyone is using this for source code repos) + diff --git a/website/layouts/_default/search.html b/website/layouts/_default/search.html index bbd1ecf8a..c778147c4 100644 --- a/website/layouts/_default/search.html +++ b/website/layouts/_default/search.html @@ -55,7 +55,7 @@
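Review bot: in `securing-source-code.md` item 13 the entry "SPIFFE (maybe, spiffe does short-lived credentials, but not sure if anyone is using this for source code repos)" is an author's working note, not a mapping; either list SPIFFE with a factual qualifier or leave the tool list `_none_` until a confirmed use exists. Item 7 uses a bare "none" under Tool capability where every other page writes `_none_`, and item 3 ("Prevent committing secrets") has `_none_` for tools even though the capability is concrete; if the omission is deliberate, a short note that no tool in this mapping was found would stop readers taking it for an oversight.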

{{ .Title }}

var newUrl = baseUrl + "?" + urlParams.toString(); // Update the browser history (optional) - window.history.pushState({}, null, newUrl); + history.replaceState(null, '', newUrl); } From bd48bea2c05f9afe8f3014245272c5347c08d7e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Wed, 14 Aug 2024 10:15:06 -0700 Subject: [PATCH 44/47] Update README to updated meeting link on LFX platform (#1345) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 94e4ddb32..5d2d3ee48 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ Join our open discussions and share news: ## Meeting Information -- **Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom.us/j/99809474566), Meeting ID: 998 0947 4566. +- **Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/92340369657?password=76e24ffd-69f2-41a8-8aed-13796805225d), Meeting ID: 923 4036 9657. - **EMEA**: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). [Zoom link](https://zoom.us/j/99917523142), Meeting ID: 999 1752 3142. Check your local timezone [here](https://time.is/). Meetings are listed on the [CNCF calendar](https://www.cncf.io/calendar/) and the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). From ba3732fa7d8cac56015bf704649a191c11216dad Mon Sep 17 00:00:00 2001 From: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:32:12 -0700 Subject: [PATCH 45/47] fix(ci): update Makefile to docker compose v2 (#1347) * fix(ci): update to docker compose v2 Signed-off-by: Brandt Keller * fix(ci): test file to reproduce issue Signed-off-by: Brandt Keller * fix(ci): revert tested changes and remove obsolete version 
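Review bot: the new Americas meeting link in README.md embeds the meeting passcode in the URL (`?password=76e24ffd-...`) in a public file, whereas the replaced `https://zoom.us/j/99809474566` link and the unchanged EMEA link carry none; if that passcode is the only thing gating the meeting, confirm it is meant to be public (open community meetings usually are) and that the LFX meeting's waiting-room or registration settings do not rely on it staying secret, otherwise link the LFX meeting page without the query string.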
Signed-off-by: Brandt Keller * fix(ci): update checkout action and pin to checksum Signed-off-by: Brandt Keller --------- Signed-off-by: Brandt Keller --- .github/workflows/sig-sec-check.yml | 8 ++++---- Makefile | 16 ++++++++-------- docker-compose.yml | 1 - 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/sig-sec-check.yml b/.github/workflows/sig-sec-check.yml index 415194275..c0cede4b2 100644 --- a/.github/workflows/sig-sec-check.yml +++ b/.github/workflows/sig-sec-check.yml @@ -11,27 +11,27 @@ jobs: Setup: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup run: make setup Lint: runs-on: ubuntu-latest needs: Setup steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Lint run: make lint Spelling: runs-on: ubuntu-latest needs: Setup steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Spelling run: make spelling Links: runs-on: ubuntu-latest needs: Setup steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Links run: make links diff --git a/Makefile b/Makefile index 702776dab..788d76203 100644 --- a/Makefile +++ b/Makefile 
@@ -4,24 +4,24 @@ all: setup lint spelling links .PHONY: setup setup: @echo "Running $@...\n\n" - @docker-compose run $@ ci/$@.sh - @docker-compose down + @docker compose run $@ ci/$@.sh + @docker compose down .PHONY: lint lint: @echo "Running $@...\n\n" - @docker-compose run $@ ci/$@.sh - @docker-compose down + @docker compose run $@ ci/$@.sh + @docker compose down .PHONY: spelling spelling: @echo "Running $@...\n\n" - @docker-compose run $@ ci/$@.sh - @docker-compose down + @docker compose run $@ ci/$@.sh + @docker compose down .PHONY: links links: @echo "Running $@...\n\n" - @docker-compose run $@ ci/$@.sh - @docker-compose down + @docker compose run $@ ci/$@.sh + @docker compose down diff --git a/docker-compose.yml b/docker-compose.yml index 09a11250b..a35f2433a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,4 @@ --- -version: '2' services: setup: image: node:18 From 7e6c64f0bc76531e796ceada472e5a983a42dce9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Thu, 15 Aug 2024 14:37:00 -0700 Subject: [PATCH 46/47] Swap anvega for matthewflannery in AG Working Group (#1344) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega Co-authored-by: Eddie Knight --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5d2d3ee48..581f76fe4 100644 --- a/README.md +++ b/README.md 
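Review bot: in all four Makefile targets, `docker compose down` is a separate recipe line, so when `docker compose run $@ ci/$@.sh` exits non-zero `make` aborts the target before `down` runs, leaving the Compose network and the stopped container behind; on an ephemeral CI runner that is only untidy, but locally it accumulates state between runs. Adding `--rm` to `run` removes the container on exit regardless of status, and chaining the two commands (`docker compose run --rm $@ ci/$@.sh; status=$$?; docker compose down; exit $$status`) keeps the cleanup while preserving the failing exit code for CI. Unchanged by this patch but in the same lines: `@echo "Running $@...\n\n"` depends on the recipe shell's `echo` interpreting `\n`, which `/bin/sh` on Debian and Ubuntu does and bash's builtin `echo` does not by default, so the banner renders differently depending on `SHELL`.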
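Review bot: dropping the top-level `version: '2'` from `docker-compose.yml` is correct for Compose v2, which ignores the key and warns that it is obsolete. The remaining context of that hunk, however, shows the `setup` service using `image: node:18`, a mutable tag with no digest; with `actions/checkout` now pinned to a commit SHA in the same patch, the image is the one unpinned input left in this CI toolchain. Pin it with a digest (`node:18@sha256:...`, whatever `node:18` currently resolves to) or at least to a full patch version, and let the same dependency-update bot bump it.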
@@ -91,7 +91,7 @@ Each group, led by a responsible leader, reaches consensus on issues and manages | Project | Leads | |---------------------------------|---------------------------------------------| | [Research](/community/research/README.md) | Andrés Vega | -| [Automated Governance](/community/automated-governance/README.md) | Andrés Vega, Brandt Keller | +| [Automated Governance](/community/automated-governance/README.md) | Matthew Flannery, Brandt Keller | | [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres | | [Compliance](/community/compliance/README.md) | Anca Sailer, Robert Ficcaglia | | [Controls](/community/controls/README.md) | Jon Zeolla | From a3c9fedd1ec9e32c09788db535c4d1da42001bf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Fri, 16 Aug 2024 11:35:56 -0700 Subject: [PATCH 47/47] Repository Reorganization: Directory Structure, License Consolidation, and File Cleanup (#1283) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Created new directories, moved directories, merged readme - Created directories: community/working-groups, community/events, community/resources. - Moved `audio-versions` to `community/publications/`. - Moved `supply-chain-security`, `compliance`, `policy` to `community/working-groups`. - Moved `design`, `security-lexicon`, `security-whitepaper`, `landscape`, `security-fuzzing-handbook` to `community/resources/`. - Moved `cloud_native_security.md` and `past-events.md` to `community/events/`. - Deleted unused files: `policy-wg-merging.md`, `roadmap.md`, `safe_kubecon.md`, - Merged readmes for working groups and old folders Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega * Merged LICENSE files into a single `LICENSE.md`. Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega * Deadlinks and asterisks in events folder Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega 
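Review bot: the edited row still links to `/community/automated-governance/README.md`; if that file lists its own leads or contacts, it needs the same change from Andrés Vega to Matthew Flannery or the two pages will disagree, and any CODEOWNERS or mailing-list entries tied to the working group should be checked for the same reason. Patch 47/47 in this series moves that directory to `community/working-groups/automated-governance/` (see its rename list), so confirm that its README.md changes re-point this row's link as well.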
Signed-off-by: Andrés Vega * Fix deadlinks in past events Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega * Update README.md with new links to community subdirectory Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega * Update links to publications to new relative paths Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega * Update links to new relative paths under project resources Signed-off-by: Andrés Vega * Handful of deadlinks in compromises folder and one readme typo on relpath Signed-off-by: Andrés Vega * Update Hugo build configuration and content paths - Adjust rsync commands to include community publications and move resources to the correct paths. - Ensure the `rsync` command creates necessary directories with `--mkpath`. - Maintain the structure and readability of markdown files. - Update commands to move graphics and logos. - Preserve Hugo's ability to serve content and generate the site effectively. Co-authored-by: Brandt Keller Signed-off-by: Andrés Vega * Fix build error and update Hugo build configuration - Remove unsupported `--mkpath` option from `rsync` command. - Ensure directories are created before moving resources. - Adjust `rsync` commands to include community publications and move resources to correct paths Co-authored-by: Brandt Keller Signed-off-by: Andrés Vega * Fix in link in compromises/README.md Signed-off-by: Andrés Vega * Resolve merge conflicts in README Signed-off-by: Andrés Vega * Fix URL parsing error in Spanish security whitepaper - Resolved Netlify build failure caused by incorrect URL formatting - Removed extra parentheses around URLs in cloud-native-security-whitepaper-spanish.md Signed-off-by: Andrés Vega * Corrected malformed URL in cloud-native-security-whitepaper-spanish.md Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --------- Signed-off-by: Andrés Vega 
Signed-off-by: Andrés Vega --- LICENSE-code | 201 ------ LICENSE-document | 395 ------------ LICENSE.md | 604 +++++++++++++++++- README.md | 34 +- community/catalog/README.md | 2 +- .../catalog}/compromises/1975/login-bell.md | 0 .../catalog}/compromises/2003/debian.md | 0 .../catalog}/compromises/2003/gentoo-rsync.md | 0 .../compromises/2003/kernel-repository.md | 0 .../catalog}/compromises/2007/squirrelmail.md | 0 .../catalog}/compromises/2007/wordpress.md | 0 .../catalog}/compromises/2008/fedora.md | 0 .../catalog}/compromises/2010/apache.md | 0 .../catalog}/compromises/2010/aurora.md | 0 .../catalog}/compromises/2010/fsf-website.md | 0 .../catalog}/compromises/2010/proftpd.md | 0 .../catalog}/compromises/2011/kernelorg.md | 0 .../compromises/2012/ruby-on-rails-github.md | 0 .../catalog}/compromises/2013/apt.md | 0 .../catalog}/compromises/2014/code-spaces.md | 0 .../catalog}/compromises/2014/monju.md | 0 .../compromises/2015/ceph-and-inktank.md | 0 .../catalog}/compromises/2015/juniper.md | 0 .../catalog}/compromises/2015/xcodeghost.md | 0 .../catalog}/compromises/2016/fosshub.md | 0 .../catalog}/compromises/2016/gh-unicode.md | 0 .../catalog}/compromises/2016/keydnap.md | 0 .../catalog}/compromises/2016/mint.md | 0 .../catalog}/compromises/2017/bitcoingold.md | 0 .../catalog}/compromises/2017/ccleaner.md | 0 .../catalog}/compromises/2017/elmedia.md | 0 .../compromises/2017/expensivewall.md | 0 .../catalog}/compromises/2017/hacktask.md | 0 .../catalog}/compromises/2017/handbrake.md | 0 .../catalog}/compromises/2017/kingslayer.md | 0 .../catalog}/compromises/2017/notpetya.md | 0 .../catalog}/compromises/2018/aur.md | 0 .../catalog}/compromises/2018/colourama.md | 0 .../catalog}/compromises/2018/dofoil.md | 0 .../catalog}/compromises/2018/event_stream.md | 0 .../catalog}/compromises/2018/gentoo.md | 0 .../catalog}/compromises/2018/gogetu.md | 0 .../compromises/2018/operation-red.md | 0 .../compromises/2018/unnamed-maker.md | 0 
.../compromises/2019/canonical-github.md | 0 .../2019/electron-native-notify.md | 0 .../catalog}/compromises/2019/monero.md | 2 +- .../catalog}/compromises/2019/pear.md | 0 .../compromises/2019/purescript-npm.md | 0 .../catalog}/compromises/2019/pypi.md | 0 .../catalog}/compromises/2019/ros.md | 0 .../catalog}/compromises/2019/shadowhammer.md | 0 .../compromises/2019/webmin-backdoor.md | 0 .../catalog}/compromises/2020/nodejs.md | 0 .../compromises/2020/octopus_scanner.md | 0 .../catalog}/compromises/2020/solarwinds.md | 0 .../catalog}/compromises/2020/sonarqube.md | 0 .../compromises/2020/thegreatsuspender.md | 4 +- .../compromises/2020/trojanized-fdm.md | 0 .../catalog}/compromises/2021/coa-rc.md | 0 .../catalog}/compromises/2021/codecov.md | 0 .../catalog}/compromises/2021/homebrew.md | 0 .../compromises/2021/klow-klown-okhsa.md | 0 .../catalog}/compromises/2021/log4j.md | 0 .../catalog}/compromises/2021/php.md | 0 .../catalog}/compromises/2021/repojacking.md | 0 .../catalog}/compromises/2021/travis-ci.md | 0 .../catalog}/compromises/2021/ua-parser-js.md | 0 .../catalog}/compromises/2021/vscode.md | 0 .../2022/Comm100-live-chat-trojan.md | 0 .../2022/auth0-source-code-leak.md | 2 +- .../compromises/2022/ctx-and-phpass.md | 2 + .../2022/docker-hub-malicious-containers.md | 0 .../2022/dropbox-github-account-breach.md | 0 .../catalog}/compromises/2022/fantasy.md | 0 .../2022/golang-buildpacks-compiler.md | 0 .../2022/intel-alder-lake-BIOS-leak.md | 0 .../compromises/2022/js-faker-colors.md | 0 .../compromises/2022/node-ipc-peacenotwar.md | 0 .../compromises/2022/okta-github-repo-leak.md | 0 .../compromises/2022/php-pear-compromise.md | 0 .../2022/pypi-malicious-packages.md | 0 .../compromises/2022/ruby-override.md | 0 .../catalog}/compromises/2022/wp-apthemes.md | 0 .../compromises/2023/fake-dependabot.md | 0 .../catalog}/compromises/2023/mathjs-min.md | 0 .../2023/packagist-maintainer-takeover.md | 0 .../compromises/2023/retool-portal-mfa.md | 0 
.../compromises/2023/xmlsec-manageengine.md | 0 .../catalog}/compromises/2024/gitgot.md | 0 .../catalog}/compromises/2024/laixi-3proxy.md | 0 .../catalog}/compromises/2024/polyfill.md | 0 .../2024/targeted-signed-endoor.md | 0 .../catalog}/compromises/2024/xz.md | 0 .../catalog}/compromises/README.md | 7 +- .../compromises/compromise-definitions.md | 0 community/events/cloud_native_security.md | 110 ++++ .../publications}/README.md | 0 .../publications/audio-versions}/README.md | 0 .../publications}/authoring-guidelines.md | 0 .../publications}/paper-process.md | 0 .../publications}/publishing-protocols.md | 0 .../resources/design}/README.md | 0 .../resources/design}/colors/#141419.png | Bin .../resources/design}/colors/#152356.png | Bin .../resources/design}/colors/#389BB2.png | Bin .../resources/design}/colors/#474756.png | Bin .../resources/design}/colors/#4A6CA4.png | Bin .../resources/design}/colors/#6F6F7F.png | Bin .../resources/design}/colors/#85C2D2.png | Bin .../resources/design}/colors/#D81637.png | Bin .../resources/design}/colors/#F7C906.png | Bin .../resources/design}/colors/#F98903.png | Bin ...cloud-native-security-horizontal-color.png | Bin ...cloud-native-security-horizontal-color.svg | 0 ...ative-security-horizontal-darkmodesafe.png | Bin ...ative-security-horizontal-darkmodesafe.svg | 0 ...tive-security-horizontal-white-display.png | Bin ...cloud-native-security-horizontal-white.png | Bin ...cloud-native-security-horizontal-white.svg | 0 .../logo/cloud-native-security-icon-color.png | Bin .../logo/cloud-native-security-icon-color.svg | 0 ...oud-native-security-icon-white-display.png | Bin .../logo/cloud-native-security-icon-white.png | Bin .../logo/cloud-native-security-icon-white.svg | 0 .../cloud-native-security-stacked-color.png | Bin .../cloud-native-security-stacked-color.svg | 0 ...-native-security-stacked-white-display.png | Bin .../cloud-native-security-stacked-white.png | Bin .../cloud-native-security-stacked-white.svg | 0 
.../resources/landscape}/README.md | 6 +- .../resources/landscape}/approach.md | 0 .../resources/landscape}/categories.md | 0 .../resources/project-resources}/README.md | 0 .../project-resources}/SecurityGuidelines.png | Bin .../security-hygiene-guide.md | 0 .../templates/ISSUE_TEMPLATE.md | 0 .../project-resources}/templates/SECURITY.md | 0 .../templates/SECURITY_CONTACTS.md | 0 .../templates/embargo-policy.md | 0 .../project-resources}/templates/embargo.md | 0 .../templates/incident-response.md | 0 .../provenance-implementation}/README.md | 0 .../argo/argo-cd.md | 0 .../security-fuzzing-handbook}/README.md | 0 .../security-fuzzing-handbook}/build.sh | 0 .../fuzzing-handbook.md | 2 +- .../handbook-fuzzing.pdf | Bin .../imgs/Code-coverage-of-example-project.png | Bin .../imgs/Coverage-guided-fuzzing-overview.png | Bin .../Function-level-fuzzing-introspection.png | Bin .../imgs/Fuzzing-code-coverage-report.png | Bin .../imgs/Fuzzing-key-components.png | Bin ...storical-progession-of-example-project.png | Bin .../imgs/LibFuzzer-engine-overview.png | Bin .../Minimized-testcase-provided-per-issue.png | Bin ...norail-issues-are-closed-automatically.png | Bin ...-GitHub-bot-automatically-closes-issus.png | Bin ...OSS-Fuzz-GitHub-bot-reporting-an-issue.png | Bin .../imgs/OSS-Fuzz-detailed-stack-trace.png | Bin .../imgs/OSS-Fuzz-issue-overview.png | Bin ...pen-source-fuzz-introspection-overview.png | Bin .../imgs/Source-level-code-coverage.png | Bin .../imgs/cncf-logo-footer.png | Bin .../imgs/cncf-stacked-color.png | Bin .../imgs/envoy-introspector-profile.png | Bin .../imgs/vitess-fuzzing-landscape.png | Bin .../resources/security-lexicon}/README.md | 0 .../cloud-native-security-lexicon.md | 0 .../resources/security-whitepaper}/README.md | 0 .../security-whitepaper}/cnsmap/README.md | 0 .../secure-defaults-cloud-native-8.md | 0 ...oud-native-security-whitepaper-Nov2020.pdf | Bin ...security-whitepaper-brazilian-portugese.md | 0 
...-security-whitepaper-simplified-chinese.md | 0 ...loud-native-security-whitepaper-spanish.md | 4 +- .../v1/cloud-native-security-whitepaper.md | 0 .../RackMultipart20201111_figure1.png | Bin .../RackMultipart20201111_figure2.png | Bin .../RackMultipart20201111_figure3.png | Bin .../RackMultipart20201111_figure4.png | Bin .../RackMultipart20201111_figure5.png | Bin .../v1/secure-software-factory.md | 0 ...-native-security-whitepaper-May2022-v2.pdf | Bin ...ive-security-whitepaper-cn-Sept2023-v2.pdf | Bin ...tive-security-whitepaper-it-May2023-v2.pdf | Bin .../v2/cloud-native-security-whitepaper-it.md | 0 .../v2/cloud-native-security-whitepaper-ja.md | 0 ...-security-whitepaper-simplified-chinese.md | 0 .../v2/cloud-native-security-whitepaper.md | 0 .../v2/cnswp-images/cnswp-v2-figure1.png | Bin ...wp-v2-security-structural-model-deploy.png | Bin ...p-v2-security-structural-model-develop.png | Bin ...2-security-structural-model-distribute.png | Bin ...p-v2-security-structural-model-runtime.png | Bin .../resources/usecase-personas}/README.md | 0 .../references/admin-bill-of-rights.md | 0 community/supply-chain-security/README.md | 14 - .../PolicyFormalVerificationDiagram.png | Bin .../policy}/overview-formal-verification.png | Bin ...view-policy-build-time-dependency-vulns.md | 0 .../overview-policy-formal-verification.md | 0 .../automated-governance/README.md | 0 .../{ => working-groups}/compliance/README.md | 0 .../{ => working-groups}/controls/README.md | 0 .../controls}/phase-one-announcement.md | 0 .../{ => working-groups}/research/README.md | 0 .../supply-chain-security/README.md | 41 ++ .../Secure_Software_Factory_Whitepaper.pdf | Bin .../secure-software-factory/images/image1.png | Bin .../secure-software-factory/images/image2.png | Bin .../secure-software-factory/images/image3.png | Bin .../secure-software-factory/images/image4.png | Bin .../secure-software-factory/images/image5.png | Bin .../secure-software-factory/images/image6.png | Bin 
.../secure-software-factory/images/image7.png | Bin .../secure-software-factory.md | 0 .../CNCF_SSCP_v1.pdf | Bin .../supply-chain-security-paper/README.md | 0 .../supply-chain-security-paper/fig1.png | Bin .../supply-chain-security-paper/fig2.png | Bin .../supply-chain-security-paper/fig3.png | Bin .../supply-chain-security-paper/fig4.png | Bin .../supply-chain-security-paper/fig5.png | Bin .../supply-chain-security-paper/fig6.png | Bin .../supply-chain-security-paper/fig7.png | Bin .../supply-chain-security-paper/fig8.png | Bin .../supply-chain-security-paper/fig9.png | Bin .../secure-supply-chain-assessment.md | 0 .../sscsp-images/fig1.png | Bin .../sscsp-images/fig2.png | Bin .../sscsp-images/fig3.png | Bin .../sscsp-images/fig4.png | Bin .../sscsp-images/fig5.png | Bin .../sscsp-images/fig6.png | Bin .../sscsp-images/fig7.png | Bin .../sscsp-images/fig8.png | Bin .../sscsp-images/fig9.png | Bin .../supply-chain-security-paper/sscsp.md | 0 compliance/README.md | 68 -- policy-wg-merging.md | 23 - roadmap.md | 92 --- supply-chain-security/README.md | 33 - website/Makefile | 7 +- 244 files changed, 791 insertions(+), 862 deletions(-) delete mode 100644 LICENSE-code delete mode 100644 LICENSE-document rename {supply-chain-security => community/catalog}/compromises/1975/login-bell.md (100%) rename {supply-chain-security => community/catalog}/compromises/2003/debian.md (100%) rename {supply-chain-security => community/catalog}/compromises/2003/gentoo-rsync.md (100%) rename {supply-chain-security => community/catalog}/compromises/2003/kernel-repository.md (100%) rename {supply-chain-security => community/catalog}/compromises/2007/squirrelmail.md (100%) rename {supply-chain-security => community/catalog}/compromises/2007/wordpress.md (100%) rename {supply-chain-security => community/catalog}/compromises/2008/fedora.md (100%) rename {supply-chain-security => community/catalog}/compromises/2010/apache.md (100%) rename {supply-chain-security => 
community/catalog}/compromises/2010/aurora.md (100%) rename {supply-chain-security => community/catalog}/compromises/2010/fsf-website.md (100%) rename {supply-chain-security => community/catalog}/compromises/2010/proftpd.md (100%) rename {supply-chain-security => community/catalog}/compromises/2011/kernelorg.md (100%) rename {supply-chain-security => community/catalog}/compromises/2012/ruby-on-rails-github.md (100%) rename {supply-chain-security => community/catalog}/compromises/2013/apt.md (100%) rename {supply-chain-security => community/catalog}/compromises/2014/code-spaces.md (100%) rename {supply-chain-security => community/catalog}/compromises/2014/monju.md (100%) rename {supply-chain-security => community/catalog}/compromises/2015/ceph-and-inktank.md (100%) rename {supply-chain-security => community/catalog}/compromises/2015/juniper.md (100%) rename {supply-chain-security => community/catalog}/compromises/2015/xcodeghost.md (100%) rename {supply-chain-security => community/catalog}/compromises/2016/fosshub.md (100%) rename {supply-chain-security => community/catalog}/compromises/2016/gh-unicode.md (100%) rename {supply-chain-security => community/catalog}/compromises/2016/keydnap.md (100%) rename {supply-chain-security => community/catalog}/compromises/2016/mint.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/bitcoingold.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/ccleaner.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/elmedia.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/expensivewall.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/hacktask.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/handbrake.md (100%) rename {supply-chain-security => community/catalog}/compromises/2017/kingslayer.md (100%) rename {supply-chain-security => 
community/catalog}/compromises/2017/notpetya.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/aur.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/colourama.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/dofoil.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/event_stream.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/gentoo.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/gogetu.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/operation-red.md (100%) rename {supply-chain-security => community/catalog}/compromises/2018/unnamed-maker.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/canonical-github.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/electron-native-notify.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/monero.md (94%) rename {supply-chain-security => community/catalog}/compromises/2019/pear.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/purescript-npm.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/pypi.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/ros.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/shadowhammer.md (100%) rename {supply-chain-security => community/catalog}/compromises/2019/webmin-backdoor.md (100%) rename {supply-chain-security => community/catalog}/compromises/2020/nodejs.md (100%) rename {supply-chain-security => community/catalog}/compromises/2020/octopus_scanner.md (100%) rename {supply-chain-security => community/catalog}/compromises/2020/solarwinds.md (100%) rename {supply-chain-security => community/catalog}/compromises/2020/sonarqube.md (100%) rename {supply-chain-security => 
community/catalog}/compromises/2020/thegreatsuspender.md (97%) rename {supply-chain-security => community/catalog}/compromises/2020/trojanized-fdm.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/coa-rc.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/codecov.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/homebrew.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/klow-klown-okhsa.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/log4j.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/php.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/repojacking.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/travis-ci.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/ua-parser-js.md (100%) rename {supply-chain-security => community/catalog}/compromises/2021/vscode.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/Comm100-live-chat-trojan.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/auth0-source-code-leak.md (91%) rename {supply-chain-security => community/catalog}/compromises/2022/ctx-and-phpass.md (93%) rename {supply-chain-security => community/catalog}/compromises/2022/docker-hub-malicious-containers.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/dropbox-github-account-breach.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/fantasy.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/golang-buildpacks-compiler.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/intel-alder-lake-BIOS-leak.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/js-faker-colors.md (100%) rename {supply-chain-security => 
community/catalog}/compromises/2022/node-ipc-peacenotwar.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/okta-github-repo-leak.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/php-pear-compromise.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/pypi-malicious-packages.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/ruby-override.md (100%) rename {supply-chain-security => community/catalog}/compromises/2022/wp-apthemes.md (100%) rename {supply-chain-security => community/catalog}/compromises/2023/fake-dependabot.md (100%) rename {supply-chain-security => community/catalog}/compromises/2023/mathjs-min.md (100%) rename {supply-chain-security => community/catalog}/compromises/2023/packagist-maintainer-takeover.md (100%) rename {supply-chain-security => community/catalog}/compromises/2023/retool-portal-mfa.md (100%) rename {supply-chain-security => community/catalog}/compromises/2023/xmlsec-manageengine.md (100%) rename {supply-chain-security => community/catalog}/compromises/2024/gitgot.md (100%) rename {supply-chain-security => community/catalog}/compromises/2024/laixi-3proxy.md (100%) rename {supply-chain-security => community/catalog}/compromises/2024/polyfill.md (100%) rename {supply-chain-security => community/catalog}/compromises/2024/targeted-signed-endoor.md (100%) rename {supply-chain-security => community/catalog}/compromises/2024/xz.md (100%) rename {supply-chain-security => community/catalog}/compromises/README.md (98%) rename {supply-chain-security => community/catalog}/compromises/compromise-definitions.md (100%) create mode 100644 community/events/cloud_native_security.md rename {publications => community/publications}/README.md (100%) rename {audio-versions => community/publications/audio-versions}/README.md (100%) rename {publications => community/publications}/authoring-guidelines.md (100%) rename {publications => 
community/publications}/paper-process.md (100%) rename {publications => community/publications}/publishing-protocols.md (100%) rename {design => community/resources/design}/README.md (100%) rename {design => community/resources/design}/colors/#141419.png (100%) rename {design => community/resources/design}/colors/#152356.png (100%) rename {design => community/resources/design}/colors/#389BB2.png (100%) rename {design => community/resources/design}/colors/#474756.png (100%) rename {design => community/resources/design}/colors/#4A6CA4.png (100%) rename {design => community/resources/design}/colors/#6F6F7F.png (100%) rename {design => community/resources/design}/colors/#85C2D2.png (100%) rename {design => community/resources/design}/colors/#D81637.png (100%) rename {design => community/resources/design}/colors/#F7C906.png (100%) rename {design => community/resources/design}/colors/#F98903.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-color.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-color.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-darkmodesafe.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-darkmodesafe.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-white-display.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-white.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-horizontal-white.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-icon-color.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-icon-color.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-icon-white-display.png (100%) rename {design => 
community/resources/design}/logo/cloud-native-security-icon-white.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-icon-white.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-stacked-color.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-stacked-color.svg (100%) rename {design => community/resources/design}/logo/cloud-native-security-stacked-white-display.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-stacked-white.png (100%) rename {design => community/resources/design}/logo/cloud-native-security-stacked-white.svg (100%) rename {landscape => community/resources/landscape}/README.md (82%) rename {landscape => community/resources/landscape}/approach.md (100%) rename {landscape => community/resources/landscape}/categories.md (100%) rename {project-resources => community/resources/project-resources}/README.md (100%) rename {project-resources => community/resources/project-resources}/SecurityGuidelines.png (100%) rename {project-resources => community/resources/project-resources}/security-hygiene-guide.md (100%) rename {project-resources => community/resources/project-resources}/templates/ISSUE_TEMPLATE.md (100%) rename {project-resources => community/resources/project-resources}/templates/SECURITY.md (100%) rename {project-resources => community/resources/project-resources}/templates/SECURITY_CONTACTS.md (100%) rename {project-resources => community/resources/project-resources}/templates/embargo-policy.md (100%) rename {project-resources => community/resources/project-resources}/templates/embargo.md (100%) rename {project-resources => community/resources/project-resources}/templates/incident-response.md (100%) rename {provenance-implementation => community/resources/provenance-implementation}/README.md (100%) rename {provenance-implementation => community/resources/provenance-implementation}/argo/argo-cd.md (100%) rename 
{security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/README.md (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/build.sh (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/fuzzing-handbook.md (99%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/handbook-fuzzing.pdf (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Code-coverage-of-example-project.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Coverage-guided-fuzzing-overview.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Function-level-fuzzing-introspection.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Fuzzing-code-coverage-report.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Fuzzing-key-components.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Historical-progession-of-example-project.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/LibFuzzer-engine-overview.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Minimized-testcase-provided-per-issue.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Monorail-issues-are-closed-automatically.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/OSS-Fuzz-GitHub-bot-automatically-closes-issus.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png (100%) rename {security-fuzzing-handbook => 
community/resources/security-fuzzing-handbook}/imgs/OSS-Fuzz-detailed-stack-trace.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/OSS-Fuzz-issue-overview.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Open-source-fuzz-introspection-overview.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/Source-level-code-coverage.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/cncf-logo-footer.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/cncf-stacked-color.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/envoy-introspector-profile.png (100%) rename {security-fuzzing-handbook => community/resources/security-fuzzing-handbook}/imgs/vitess-fuzzing-landscape.png (100%) rename {security-lexicon => community/resources/security-lexicon}/README.md (100%) rename {security-lexicon => community/resources/security-lexicon}/cloud-native-security-lexicon.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/README.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/cnsmap/README.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/secure-defaults-cloud-native-8.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/CNCF_cloud-native-security-whitepaper-Nov2020.pdf (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cloud-native-security-whitepaper-brazilian-portugese.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cloud-native-security-whitepaper-simplified-chinese.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cloud-native-security-whitepaper-spanish.md (99%) rename 
{security-whitepaper => community/resources/security-whitepaper}/v1/cloud-native-security-whitepaper.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cnswp-images/RackMultipart20201111_figure1.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cnswp-images/RackMultipart20201111_figure2.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cnswp-images/RackMultipart20201111_figure3.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cnswp-images/RackMultipart20201111_figure4.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/cnswp-images/RackMultipart20201111_figure5.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v1/secure-software-factory.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/CNCF_cloud-native-security-whitepaper-it-May2023-v2.pdf (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cloud-native-security-whitepaper-it.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cloud-native-security-whitepaper-ja.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cloud-native-security-whitepaper-simplified-chinese.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cloud-native-security-whitepaper.md (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cnswp-images/cnswp-v2-figure1.png (100%) rename {security-whitepaper => 
community/resources/security-whitepaper}/v2/cnswp-images/cnswp-v2-security-structural-model-deploy.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cnswp-images/cnswp-v2-security-structural-model-develop.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cnswp-images/cnswp-v2-security-structural-model-distribute.png (100%) rename {security-whitepaper => community/resources/security-whitepaper}/v2/cnswp-images/cnswp-v2-security-structural-model-runtime.png (100%) rename {usecase-personas => community/resources/usecase-personas}/README.md (100%) rename {usecase-personas => community/resources/usecase-personas}/references/admin-bill-of-rights.md (100%) delete mode 100644 community/supply-chain-security/README.md rename {policy => community/working-groups/archive/policy}/PolicyFormalVerificationDiagram.png (100%) rename {policy => community/working-groups/archive/policy}/overview-formal-verification.png (100%) rename {policy => community/working-groups/archive/policy}/overview-policy-build-time-dependency-vulns.md (100%) rename {policy => community/working-groups/archive/policy}/overview-policy-formal-verification.md (100%) rename community/{ => working-groups}/automated-governance/README.md (100%) rename community/{ => working-groups}/compliance/README.md (100%) rename community/{ => working-groups}/controls/README.md (100%) rename {cloud-native-controls => community/working-groups/controls}/phase-one-announcement.md (100%) rename community/{ => working-groups}/research/README.md (100%) create mode 100644 community/working-groups/supply-chain-security/README.md rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image1.png (100%) rename {supply-chain-security => 
community/working-groups/supply-chain-security}/secure-software-factory/images/image2.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image3.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image4.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image5.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image6.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/images/image7.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/secure-software-factory/secure-software-factory.md (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/CNCF_SSCP_v1.pdf (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/README.md (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig1.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig2.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig3.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig4.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig5.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig6.png (100%) rename {supply-chain-security => 
community/working-groups/supply-chain-security}/supply-chain-security-paper/fig7.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig8.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/fig9.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/secure-supply-chain-assessment.md (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig1.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig2.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig3.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig4.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig5.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig6.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig7.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig8.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp-images/fig9.png (100%) rename {supply-chain-security => community/working-groups/supply-chain-security}/supply-chain-security-paper/sscsp.md (100%) delete mode 100644 compliance/README.md delete mode 100644 policy-wg-merging.md delete mode 100644 roadmap.md delete mode 100644 
supply-chain-security/README.md diff --git a/LICENSE-code b/LICENSE-code deleted file mode 100644 index 261eeb9e9..000000000 --- a/LICENSE-code +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/LICENSE-document b/LICENSE-document deleted file mode 100644 index 2802779ed..000000000 --- a/LICENSE-document +++ /dev/null 
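Review bot: The LICENSE-code deletion above (the `@@ -1,201 +0,0 @@` hunk) removes the only full copy of the Apache License 2.0 text from the repository root, which is the license that covered code files such as the build.sh script being moved in this same change; the LICENSE.md edit that presumably takes over is not visible in this hunk, so please confirm that LICENSE.md still carries the Apache-2.0 text or a link to http://www.apache.org/licenses/LICENSE-2.0 and states that it applies to code, otherwise the code in the tree ends up without an explicit license.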
@@ -1,395 +0,0 @@ -Attribution 4.0 International - -======================================================================= - -Creative Commons Corporation ("Creative Commons") is not a law firm and -does not provide legal services or legal advice. Distribution of -Creative Commons public licenses does not create a lawyer-client or -other relationship. Creative Commons makes its licenses and related -information available on an "as-is" basis. Creative Commons gives no -warranties regarding its licenses, any material licensed under their -terms and conditions, or any related information. Creative Commons -disclaims all liability for damages resulting from their use to the -fullest extent possible. - -Using Creative Commons Public Licenses - -Creative Commons public licenses provide a standard set of terms and -conditions that creators and other rights holders may use to share -original works of authorship and other material subject to copyright -and certain other rights specified in the public license below. The -following considerations are for informational purposes only, are not -exhaustive, and do not form part of our licenses. - - Considerations for licensors: Our public licenses are - intended for use by those authorized to give the public - permission to use material in ways otherwise restricted by - copyright and certain other rights. Our licenses are - irrevocable. Licensors should read and understand the terms - and conditions of the license they choose before applying it. - Licensors should also secure all rights necessary before - applying our licenses so that the public can reuse the - material as expected. Licensors should clearly mark any - material not subject to the license. This includes other CC- - licensed material, or material used under an exception or - limitation to copyright. 
More considerations for licensors: - wiki.creativecommons.org/Considerations_for_licensors - - Considerations for the public: By using one of our public - licenses, a licensor grants the public permission to use the - licensed material under specified terms and conditions. If - the licensor's permission is not necessary for any reason--for - example, because of any applicable exception or limitation to - copyright--then that use is not regulated by the license. Our - licenses grant only permissions under copyright and certain - other rights that a licensor has authority to grant. Use of - the licensed material may still be restricted for other - reasons, including because others have copyright or other - rights in the material. A licensor may make special requests, - such as asking that all changes be marked or described. - Although not required by our licenses, you are encouraged to - respect those requests where reasonable. More_considerations - for the public: - wiki.creativecommons.org/Considerations_for_licensees - -======================================================================= - -Creative Commons Attribution 4.0 International Public License - -By exercising the Licensed Rights (defined below), You accept and agree -to be bound by the terms and conditions of this Creative Commons -Attribution 4.0 International Public License ("Public License"). To the -extent this Public License may be interpreted as a contract, You are -granted the Licensed Rights in consideration of Your acceptance of -these terms and conditions, and the Licensor grants You such rights in -consideration of benefits the Licensor receives from making the -Licensed Material available under these terms and conditions. - - -Section 1 -- Definitions. - - a. 
Adapted Material means material subject to Copyright and Similar - Rights that is derived from or based upon the Licensed Material - and in which the Licensed Material is translated, altered, - arranged, transformed, or otherwise modified in a manner requiring - permission under the Copyright and Similar Rights held by the - Licensor. For purposes of this Public License, where the Licensed - Material is a musical work, performance, or sound recording, - Adapted Material is always produced where the Licensed Material is - synched in timed relation with a moving image. - - b. Adapter's License means the license You apply to Your Copyright - and Similar Rights in Your contributions to Adapted Material in - accordance with the terms and conditions of this Public License. - - c. Copyright and Similar Rights means copyright and/or similar rights - closely related to copyright including, without limitation, - performance, broadcast, sound recording, and Sui Generis Database - Rights, without regard to how the rights are labeled or - categorized. For purposes of this Public License, the rights - specified in Section 2(b)(1)-(2) are not Copyright and Similar - Rights. - - d. Effective Technological Measures means those measures that, in the - absence of proper authority, may not be circumvented under laws - fulfilling obligations under Article 11 of the WIPO Copyright - Treaty adopted on December 20, 1996, and/or similar international - agreements. - - e. Exceptions and Limitations means fair use, fair dealing, and/or - any other exception or limitation to Copyright and Similar Rights - that applies to Your use of the Licensed Material. - - f. Licensed Material means the artistic or literary work, database, - or other material to which the Licensor applied this Public - License. - - g. 
Licensed Rights means the rights granted to You subject to the - terms and conditions of this Public License, which are limited to - all Copyright and Similar Rights that apply to Your use of the - Licensed Material and that the Licensor has authority to license. - - h. Licensor means the individual(s) or entity(ies) granting rights - under this Public License. - - i. Share means to provide material to the public by any means or - process that requires permission under the Licensed Rights, such - as reproduction, public display, public performance, distribution, - dissemination, communication, or importation, and to make material - available to the public including in ways that members of the - public may access the material from a place and at a time - individually chosen by them. - - j. Sui Generis Database Rights means rights other than copyright - resulting from Directive 96/9/EC of the European Parliament and of - the Council of 11 March 1996 on the legal protection of databases, - as amended and/or succeeded, as well as other essentially - equivalent rights anywhere in the world. - - k. You means the individual or entity exercising the Licensed Rights - under this Public License. Your has a corresponding meaning. - - -Section 2 -- Scope. - - a. License grant. - - 1. Subject to the terms and conditions of this Public License, - the Licensor hereby grants You a worldwide, royalty-free, - non-sublicensable, non-exclusive, irrevocable license to - exercise the Licensed Rights in the Licensed Material to: - - a. reproduce and Share the Licensed Material, in whole or - in part; and - - b. produce, reproduce, and Share Adapted Material. - - 2. Exceptions and Limitations. For the avoidance of doubt, where - Exceptions and Limitations apply to Your use, this Public - License does not apply, and You do not need to comply with - its terms and conditions. - - 3. Term. The term of this Public License is specified in Section - 6(a). - - 4. 
Media and formats; technical modifications allowed. The - Licensor authorizes You to exercise the Licensed Rights in - all media and formats whether now known or hereafter created, - and to make technical modifications necessary to do so. The - Licensor waives and/or agrees not to assert any right or - authority to forbid You from making technical modifications - necessary to exercise the Licensed Rights, including - technical modifications necessary to circumvent Effective - Technological Measures. For purposes of this Public License, - simply making modifications authorized by this Section 2(a) - (4) never produces Adapted Material. - - 5. Downstream recipients. - - a. Offer from the Licensor -- Licensed Material. Every - recipient of the Licensed Material automatically - receives an offer from the Licensor to exercise the - Licensed Rights under the terms and conditions of this - Public License. - - b. No downstream restrictions. You may not offer or impose - any additional or different terms or conditions on, or - apply any Effective Technological Measures to, the - Licensed Material if doing so restricts exercise of the - Licensed Rights by any recipient of the Licensed - Material. - - 6. No endorsement. Nothing in this Public License constitutes or - may be construed as permission to assert or imply that You - are, or that Your use of the Licensed Material is, connected - with, or sponsored, endorsed, or granted official status by, - the Licensor or others designated to receive attribution as - provided in Section 3(a)(1)(A)(i). - - b. Other rights. - - 1. Moral rights, such as the right of integrity, are not - licensed under this Public License, nor are publicity, - privacy, and/or other similar personality rights; however, to - the extent possible, the Licensor waives and/or agrees not to - assert any such rights held by the Licensor to the limited - extent necessary to allow You to exercise the Licensed - Rights, but not otherwise. - - 2. 
Patent and trademark rights are not licensed under this - Public License. - - 3. To the extent possible, the Licensor waives any right to - collect royalties from You for the exercise of the Licensed - Rights, whether directly or through a collecting society - under any voluntary or waivable statutory or compulsory - licensing scheme. In all other cases the Licensor expressly - reserves any right to collect such royalties. - - -Section 3 -- License Conditions. - -Your exercise of the Licensed Rights is expressly made subject to the -following conditions. - - a. Attribution. - - 1. If You Share the Licensed Material (including in modified - form), You must: - - a. retain the following if it is supplied by the Licensor - with the Licensed Material: - - i. identification of the creator(s) of the Licensed - Material and any others designated to receive - attribution, in any reasonable manner requested by - the Licensor (including by pseudonym if - designated); - - ii. a copyright notice; - - iii. a notice that refers to this Public License; - - iv. a notice that refers to the disclaimer of - warranties; - - v. a URI or hyperlink to the Licensed Material to the - extent reasonably practicable; - - b. indicate if You modified the Licensed Material and - retain an indication of any previous modifications; and - - c. indicate the Licensed Material is licensed under this - Public License, and include the text of, or the URI or - hyperlink to, this Public License. - - 2. You may satisfy the conditions in Section 3(a)(1) in any - reasonable manner based on the medium, means, and context in - which You Share the Licensed Material. For example, it may be - reasonable to satisfy the conditions by providing a URI or - hyperlink to a resource that includes the required - information. - - 3. If requested by the Licensor, You must remove any of the - information required by Section 3(a)(1)(A) to the extent - reasonably practicable. - - 4. 
If You Share Adapted Material You produce, the Adapter's - License You apply must not prevent recipients of the Adapted - Material from complying with this Public License. - - -Section 4 -- Sui Generis Database Rights. - -Where the Licensed Rights include Sui Generis Database Rights that -apply to Your use of the Licensed Material: - - a. for the avoidance of doubt, Section 2(a)(1) grants You the right - to extract, reuse, reproduce, and Share all or a substantial - portion of the contents of the database; - - b. if You include all or a substantial portion of the database - contents in a database in which You have Sui Generis Database - Rights, then the database in which You have Sui Generis Database - Rights (but not its individual contents) is Adapted Material; and - - c. You must comply with the conditions in Section 3(a) if You Share - all or a substantial portion of the contents of the database. - -For the avoidance of doubt, this Section 4 supplements and does not -replace Your obligations under this Public License where the Licensed -Rights include other Copyright and Similar Rights. - - -Section 5 -- Disclaimer of Warranties and Limitation of Liability. - - a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - - b. 
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - - c. The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - - -Section 6 -- Term and Termination. - - a. This Public License applies for the term of the Copyright and - Similar Rights licensed here. However, if You fail to comply with - this Public License, then Your rights under this Public License - terminate automatically. - - b. Where Your right to use the Licensed Material has terminated under - Section 6(a), it reinstates: - - 1. automatically as of the date the violation is cured, provided - it is cured within 30 days of Your discovery of the - violation; or - - 2. upon express reinstatement by the Licensor. - - For the avoidance of doubt, this Section 6(b) does not affect any - right the Licensor may have to seek remedies for Your violations - of this Public License. - - c. For the avoidance of doubt, the Licensor may also offer the - Licensed Material under separate terms or conditions or stop - distributing the Licensed Material at any time; however, doing so - will not terminate this Public License. - - d. Sections 1, 5, 6, 7, and 8 survive termination of this Public - License. - - -Section 7 -- Other Terms and Conditions. - - a. 
The Licensor shall not be bound by any additional or different - terms or conditions communicated by You unless expressly agreed. - - b. Any arrangements, understandings, or agreements regarding the - Licensed Material not stated herein are separate from and - independent of the terms and conditions of this Public License. - - -Section 8 -- Interpretation. - - a. For the avoidance of doubt, this Public License does not, and - shall not be interpreted to, reduce, limit, restrict, or impose - conditions on any use of the Licensed Material that could lawfully - be made without permission under this Public License. - - b. To the extent possible, if any provision of this Public License is - deemed unenforceable, it shall be automatically reformed to the - minimum extent necessary to make it enforceable. If the provision - cannot be reformed, it shall be severed from this Public License - without affecting the enforceability of the remaining terms and - conditions. - - c. No term or condition of this Public License will be waived and no - failure to comply consented to unless expressly agreed to by the - Licensor. - - d. Nothing in this Public License constitutes or may be interpreted - as a limitation upon, or waiver of, any privileges and immunities - that apply to the Licensor or You, including from the legal - processes of any jurisdiction or authority. - - -======================================================================= - -Creative Commons is not a party to its public -licenses. Notwithstanding, Creative Commons may elect to apply one of -its public licenses to material it publishes and in those instances -will be considered the "Licensor." The text of the Creative Commons -public licenses is dedicated to the public domain under the CC0 Public -Domain Dedication. 
Except for the limited purpose of indicating that -material is shared under a Creative Commons public license or as -otherwise permitted by the Creative Commons policies published at -creativecommons.org/policies, Creative Commons does not authorize the -use of the trademark "Creative Commons" or any other trademark or logo -of Creative Commons without its prior written consent including, -without limitation, in connection with any unauthorized modifications -to any of its public licenses or any other arrangements, -understandings, or agreements concerning use of licensed material. For -the avoidance of doubt, this paragraph does not form part of the -public licenses. - -Creative Commons may be contacted at creativecommons.org. \ No newline at end of file diff --git a/LICENSE.md b/LICENSE.md index 9ea106dc0..99e03dd69 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,2 +1,602 @@ -Code in this repository is licensed under [Apache License Version 2.0](LICENSE-code) (SPDX-License-Identifier: Apache-2.0). -Documentation in this repository is licensed under [Creative Common Attribution 4.0 International License](LICENSE-document) (SPDX-License-Identifier: CC-BY-4.0) \ No newline at end of file +# License + +## Source Code + +The source code in this repository is licensed under the MIT License. See below for the full license text. + +## Documentation + +The documentation in this repository is licensed under the Creative Commons Attribution 4.0 International License. See below for the full license text. + +### MIT License + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +### Creative Commons Attribution 4.0 International License + +Attribution 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. 
Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. + Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More_considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution 4.0 International Public License ("Public License"). 
To the +extent this Public License may be interpreted as a contract, You are +granted the Licensed Rights in consideration of Your acceptance of +these terms and conditions, and the Licensor grants You such rights in +consideration of benefits the Licensor receives from making the +Licensed Material available under these terms and conditions. + +Section 1 -- Definitions. + + a. Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + d. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + e. 
Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + f. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + g. Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + h. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + i. Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + j. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + k. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. 
+ + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. 
Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. 
You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + 4. If You Share Adapted Material You produce, the Adapter's + License You apply must not prevent recipients of the Adapted + Material from complying with this Public License. + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material; and + + c. You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. 
For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + +Section 7 -- Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + +======================================================================= + +Creative Commons is not a party to its public +licenses. 
Notwithstanding, Creative Commons may elect to apply one of +its public licenses to material it publishes and in those instances +will be considered the "Licensor." The text of the Creative Commons +public licenses is dedicated to the public domain under the CC0 Public +Domain Dedication. Except for the limited purpose of indicating that +material is shared under a Creative Commons public license or as +otherwise permitted by the Creative Commons policies published at +creativecommons.org/policies, Creative Commons does not authorize the +use of the trademark "Creative Commons" or any other trademark or logo +of Creative Commons without its prior written consent including, +without limitation, in connection with any unauthorized modifications +to any of its public licenses or any other arrangements, +understandings, or agreements concerning use of licensed material. For +the avoidance of doubt, this paragraph does not form part of the +public licenses. + +Creative Commons may be contacted at creativecommons.org. diff --git a/README.md b/README.md index 581f76fe4..cbca4d24d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Security Technical Advisory Group -![Cloud Native Security Logo](/design/logo/cloud-native-security-horizontal-darkmodesafe.svg) +![Cloud Native Security Logo](/community/resources/design/logo/cloud-native-security-horizontal-darkmodesafe.svg) ## Quick links 
@@ -25,21 +25,21 @@ We aim to significantly reduce the probability and impact of attacks, breaches, ## Publications -Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the [publications](publications/README.md) directory. +Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the [publications](community/publications/README.md) directory. | Publication | Date | |-------------|------| -| [Formal Verification for Policy Configurations](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md) | August, 2019 | -| [Catalog of Supply Chain Compromises](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises) | November 2019 - Present | -| [Software Supply Chain Best Practices](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) | May, 2021 | -| [Evaluating your Supply Chain Security](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | May, 2021 | -| [Cloud Native Security Lexicon](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md) | August, 2021 | -| [Cloud Native Security Whitepaper](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) | May, 2022 | -| [Cloud Native Security Controls Catalog](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md) | May, 2022 | -| [Handling Build-time Dependency Vulnerabilities](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) | June, 2022 | -| [Secure Software Factory: A Reference Architecture to Securing the Software Supply 
Chain](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) | May, 2022 | -| [Secure Defaults](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) | February, 2022 | -| [Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security](/community/assessments/Open_and_Secure.pdf) | November, 2023 | +| [Formal Verification for Policy Configurations](community/working-groups/archive/policy/overview-policy-formal-verification.md) | August, 2019 | +| [Catalog of Supply Chain Compromises](community/catalog/compromises) | November 2019 - Present | +| [Software Supply Chain Best Practices](community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) | May, 2021 | +| [Evaluating your Supply Chain Security](community/working-groups/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | May, 2021 | +| [Cloud Native Security Lexicon](community/resources/security-lexicon/cloud-native-security-lexicon.md) | August, 2021 | +| [Cloud Native Security Whitepaper](community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) | May, 2022 | +| [Cloud Native Security Controls Catalog](community/working-groups/controls/phase-one-announcement.md) | May, 2022 | +| [Handling Build-time Dependency Vulnerabilities](community/working-groups/archive/policy/overview-policy-build-time-dependency-vulns.md) | June, 2022 | +| [Secure Software Factory: A Reference Architecture to Securing the Software Supply Chain](community/working-groups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) | May, 2022 | +| [Secure Defaults](community/resources/security-whitepaper/secure-defaults-cloud-native-8.md) | February, 2022 | +| [Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open 
Source Security](assessments/Open_and_Secure.pdf) | November, 2023 | ## Governance @@ -93,10 +93,10 @@ Each group, led by a responsible leader, reaches consensus on issues and manages | [Research](/community/research/README.md) | Andrés Vega | | [Automated Governance](/community/automated-governance/README.md) | Matthew Flannery, Brandt Keller | | [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres | -| [Compliance](/community/compliance/README.md) | Anca Sailer, Robert Ficcaglia | -| [Controls](/community/controls/README.md) | Jon Zeolla | -| [Security Reviews](community/assessments/README.md) | Justin Cappos, Eddie Knight| -| [Software Supply Chain](/community/supply-chain-security/README.md) | Marina Moore, Michael Liebermann, John Kjell | +| [Compliance](/community/working-groups/compliance/README.md) | Anca Sailer, Robert Ficcaglia | +| [Controls](/community/working-groups/controls/README.md) | Jon Zeolla | +| [Security Reviews](/community/assessments/README.md) | Justin Cappos, Eddie Knight| +| [Software Supply Chain](/community/working-groups/supply-chain-security/README.md) | Marina Moore, Michael Liebermann, John Kjell | ## Additional information diff --git a/community/catalog/README.md b/community/catalog/README.md index 0b4f3298b..87db212d1 100644 --- a/community/catalog/README.md +++ b/community/catalog/README.md @@ -2,7 +2,7 @@ The Catalog of Supply Chain Compromises provides real-world examples that help raise awareness and provide detailed information that lets us understand attack vectors and consider how to mitigate potential risk. -For information on how to contribute, check the [catalog](/supply-chain-security/compromises) directly. +For information on how to contribute, check the [catalog](./compromises/) directly. ## Contact 
diff --git a/supply-chain-security/compromises/1975/login-bell.md b/community/catalog/compromises/1975/login-bell.md similarity index 100% rename from supply-chain-security/compromises/1975/login-bell.md rename to community/catalog/compromises/1975/login-bell.md diff --git a/supply-chain-security/compromises/2003/debian.md b/community/catalog/compromises/2003/debian.md similarity index 100% rename from supply-chain-security/compromises/2003/debian.md rename to community/catalog/compromises/2003/debian.md diff --git a/supply-chain-security/compromises/2003/gentoo-rsync.md b/community/catalog/compromises/2003/gentoo-rsync.md similarity index 100% rename from supply-chain-security/compromises/2003/gentoo-rsync.md rename to community/catalog/compromises/2003/gentoo-rsync.md diff --git a/supply-chain-security/compromises/2003/kernel-repository.md b/community/catalog/compromises/2003/kernel-repository.md similarity index 100% rename from supply-chain-security/compromises/2003/kernel-repository.md rename to community/catalog/compromises/2003/kernel-repository.md diff --git a/supply-chain-security/compromises/2007/squirrelmail.md b/community/catalog/compromises/2007/squirrelmail.md similarity index 100% rename from supply-chain-security/compromises/2007/squirrelmail.md rename to community/catalog/compromises/2007/squirrelmail.md diff --git a/supply-chain-security/compromises/2007/wordpress.md b/community/catalog/compromises/2007/wordpress.md similarity index 100% rename from supply-chain-security/compromises/2007/wordpress.md rename to community/catalog/compromises/2007/wordpress.md diff --git a/supply-chain-security/compromises/2008/fedora.md b/community/catalog/compromises/2008/fedora.md similarity index 100% rename from supply-chain-security/compromises/2008/fedora.md rename to community/catalog/compromises/2008/fedora.md 
diff --git a/supply-chain-security/compromises/2010/apache.md b/community/catalog/compromises/2010/apache.md similarity index 100% rename from supply-chain-security/compromises/2010/apache.md rename to community/catalog/compromises/2010/apache.md diff --git a/supply-chain-security/compromises/2010/aurora.md b/community/catalog/compromises/2010/aurora.md similarity index 100% rename from supply-chain-security/compromises/2010/aurora.md rename to community/catalog/compromises/2010/aurora.md diff --git a/supply-chain-security/compromises/2010/fsf-website.md b/community/catalog/compromises/2010/fsf-website.md similarity index 100% rename from supply-chain-security/compromises/2010/fsf-website.md rename to community/catalog/compromises/2010/fsf-website.md diff --git a/supply-chain-security/compromises/2010/proftpd.md b/community/catalog/compromises/2010/proftpd.md similarity index 100% rename from supply-chain-security/compromises/2010/proftpd.md rename to community/catalog/compromises/2010/proftpd.md diff --git a/supply-chain-security/compromises/2011/kernelorg.md b/community/catalog/compromises/2011/kernelorg.md similarity index 100% rename from supply-chain-security/compromises/2011/kernelorg.md rename to community/catalog/compromises/2011/kernelorg.md diff --git a/supply-chain-security/compromises/2012/ruby-on-rails-github.md b/community/catalog/compromises/2012/ruby-on-rails-github.md similarity index 100% rename from supply-chain-security/compromises/2012/ruby-on-rails-github.md rename to community/catalog/compromises/2012/ruby-on-rails-github.md diff --git a/supply-chain-security/compromises/2013/apt.md b/community/catalog/compromises/2013/apt.md similarity index 100% rename from supply-chain-security/compromises/2013/apt.md rename to community/catalog/compromises/2013/apt.md 
diff --git a/supply-chain-security/compromises/2014/code-spaces.md b/community/catalog/compromises/2014/code-spaces.md similarity index 100% rename from supply-chain-security/compromises/2014/code-spaces.md rename to community/catalog/compromises/2014/code-spaces.md diff --git a/supply-chain-security/compromises/2014/monju.md b/community/catalog/compromises/2014/monju.md similarity index 100% rename from supply-chain-security/compromises/2014/monju.md rename to community/catalog/compromises/2014/monju.md diff --git a/supply-chain-security/compromises/2015/ceph-and-inktank.md b/community/catalog/compromises/2015/ceph-and-inktank.md similarity index 100% rename from supply-chain-security/compromises/2015/ceph-and-inktank.md rename to community/catalog/compromises/2015/ceph-and-inktank.md diff --git a/supply-chain-security/compromises/2015/juniper.md b/community/catalog/compromises/2015/juniper.md similarity index 100% rename from supply-chain-security/compromises/2015/juniper.md rename to community/catalog/compromises/2015/juniper.md diff --git a/supply-chain-security/compromises/2015/xcodeghost.md b/community/catalog/compromises/2015/xcodeghost.md similarity index 100% rename from supply-chain-security/compromises/2015/xcodeghost.md rename to community/catalog/compromises/2015/xcodeghost.md diff --git a/supply-chain-security/compromises/2016/fosshub.md b/community/catalog/compromises/2016/fosshub.md similarity index 100% rename from supply-chain-security/compromises/2016/fosshub.md rename to community/catalog/compromises/2016/fosshub.md diff --git a/supply-chain-security/compromises/2016/gh-unicode.md b/community/catalog/compromises/2016/gh-unicode.md similarity index 100% rename from supply-chain-security/compromises/2016/gh-unicode.md rename to community/catalog/compromises/2016/gh-unicode.md 
diff --git a/supply-chain-security/compromises/2016/keydnap.md b/community/catalog/compromises/2016/keydnap.md similarity index 100% rename from supply-chain-security/compromises/2016/keydnap.md rename to community/catalog/compromises/2016/keydnap.md diff --git a/supply-chain-security/compromises/2016/mint.md b/community/catalog/compromises/2016/mint.md similarity index 100% rename from supply-chain-security/compromises/2016/mint.md rename to community/catalog/compromises/2016/mint.md diff --git a/supply-chain-security/compromises/2017/bitcoingold.md b/community/catalog/compromises/2017/bitcoingold.md similarity index 100% rename from supply-chain-security/compromises/2017/bitcoingold.md rename to community/catalog/compromises/2017/bitcoingold.md diff --git a/supply-chain-security/compromises/2017/ccleaner.md b/community/catalog/compromises/2017/ccleaner.md similarity index 100% rename from supply-chain-security/compromises/2017/ccleaner.md rename to community/catalog/compromises/2017/ccleaner.md diff --git a/supply-chain-security/compromises/2017/elmedia.md b/community/catalog/compromises/2017/elmedia.md similarity index 100% rename from supply-chain-security/compromises/2017/elmedia.md rename to community/catalog/compromises/2017/elmedia.md diff --git a/supply-chain-security/compromises/2017/expensivewall.md b/community/catalog/compromises/2017/expensivewall.md similarity index 100% rename from supply-chain-security/compromises/2017/expensivewall.md rename to community/catalog/compromises/2017/expensivewall.md diff --git a/supply-chain-security/compromises/2017/hacktask.md b/community/catalog/compromises/2017/hacktask.md similarity index 100% rename from supply-chain-security/compromises/2017/hacktask.md rename to community/catalog/compromises/2017/hacktask.md 
diff --git a/supply-chain-security/compromises/2017/handbrake.md b/community/catalog/compromises/2017/handbrake.md similarity index 100% rename from supply-chain-security/compromises/2017/handbrake.md rename to community/catalog/compromises/2017/handbrake.md diff --git a/supply-chain-security/compromises/2017/kingslayer.md b/community/catalog/compromises/2017/kingslayer.md similarity index 100% rename from supply-chain-security/compromises/2017/kingslayer.md rename to community/catalog/compromises/2017/kingslayer.md diff --git a/supply-chain-security/compromises/2017/notpetya.md b/community/catalog/compromises/2017/notpetya.md similarity index 100% rename from supply-chain-security/compromises/2017/notpetya.md rename to community/catalog/compromises/2017/notpetya.md diff --git a/supply-chain-security/compromises/2018/aur.md b/community/catalog/compromises/2018/aur.md similarity index 100% rename from supply-chain-security/compromises/2018/aur.md rename to community/catalog/compromises/2018/aur.md diff --git a/supply-chain-security/compromises/2018/colourama.md b/community/catalog/compromises/2018/colourama.md similarity index 100% rename from supply-chain-security/compromises/2018/colourama.md rename to community/catalog/compromises/2018/colourama.md diff --git a/supply-chain-security/compromises/2018/dofoil.md b/community/catalog/compromises/2018/dofoil.md similarity index 100% rename from supply-chain-security/compromises/2018/dofoil.md rename to community/catalog/compromises/2018/dofoil.md diff --git a/supply-chain-security/compromises/2018/event_stream.md b/community/catalog/compromises/2018/event_stream.md similarity index 100% rename from supply-chain-security/compromises/2018/event_stream.md rename to community/catalog/compromises/2018/event_stream.md 
diff --git a/supply-chain-security/compromises/2018/gentoo.md b/community/catalog/compromises/2018/gentoo.md similarity index 100% rename from supply-chain-security/compromises/2018/gentoo.md rename to community/catalog/compromises/2018/gentoo.md diff --git a/supply-chain-security/compromises/2018/gogetu.md b/community/catalog/compromises/2018/gogetu.md similarity index 100% rename from supply-chain-security/compromises/2018/gogetu.md rename to community/catalog/compromises/2018/gogetu.md diff --git a/supply-chain-security/compromises/2018/operation-red.md b/community/catalog/compromises/2018/operation-red.md similarity index 100% rename from supply-chain-security/compromises/2018/operation-red.md rename to community/catalog/compromises/2018/operation-red.md diff --git a/supply-chain-security/compromises/2018/unnamed-maker.md b/community/catalog/compromises/2018/unnamed-maker.md similarity index 100% rename from supply-chain-security/compromises/2018/unnamed-maker.md rename to community/catalog/compromises/2018/unnamed-maker.md diff --git a/supply-chain-security/compromises/2019/canonical-github.md b/community/catalog/compromises/2019/canonical-github.md similarity index 100% rename from supply-chain-security/compromises/2019/canonical-github.md rename to community/catalog/compromises/2019/canonical-github.md diff --git a/supply-chain-security/compromises/2019/electron-native-notify.md b/community/catalog/compromises/2019/electron-native-notify.md similarity index 100% rename from supply-chain-security/compromises/2019/electron-native-notify.md rename to community/catalog/compromises/2019/electron-native-notify.md diff --git a/supply-chain-security/compromises/2019/monero.md b/community/catalog/compromises/2019/monero.md similarity index 94% rename from supply-chain-security/compromises/2019/monero.md rename to community/catalog/compromises/2019/monero.md index 4e7ae73b4..63b408581 100644 --- a/supply-chain-security/compromises/2019/monero.md 
+++ b/community/catalog/compromises/2019/monero.md @@ -19,4 +19,4 @@ This incident fits the [Publishing Infrastructure](../compromise-definitions.md# - [Warning: The binaries of the CLI wallet were compromised for a short time](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html) - [Wrong hashes (from getmonero.org)](https://github.com/monero-project/monero/issues/6151) -- [Security Warning: CLI binaries available on getmonero.org may have been compromised at some point during the last 24h.](https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) \ No newline at end of file +- [Security Warning: CLI binaries available on getmonero.org may have been compromised at some point during the last 24h.](https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) \ No newline at end of file diff --git a/supply-chain-security/compromises/2019/pear.md b/community/catalog/compromises/2019/pear.md similarity index 100% rename from supply-chain-security/compromises/2019/pear.md rename to community/catalog/compromises/2019/pear.md diff --git a/supply-chain-security/compromises/2019/purescript-npm.md b/community/catalog/compromises/2019/purescript-npm.md similarity index 100% rename from supply-chain-security/compromises/2019/purescript-npm.md rename to community/catalog/compromises/2019/purescript-npm.md diff --git a/supply-chain-security/compromises/2019/pypi.md b/community/catalog/compromises/2019/pypi.md similarity index 100% rename from supply-chain-security/compromises/2019/pypi.md rename to community/catalog/compromises/2019/pypi.md diff --git a/supply-chain-security/compromises/2019/ros.md b/community/catalog/compromises/2019/ros.md similarity index 100% rename from supply-chain-security/compromises/2019/ros.md rename to community/catalog/compromises/2019/ros.md 
diff --git a/supply-chain-security/compromises/2019/shadowhammer.md b/community/catalog/compromises/2019/shadowhammer.md similarity index 100% rename from supply-chain-security/compromises/2019/shadowhammer.md rename to community/catalog/compromises/2019/shadowhammer.md diff --git a/supply-chain-security/compromises/2019/webmin-backdoor.md b/community/catalog/compromises/2019/webmin-backdoor.md similarity index 100% rename from supply-chain-security/compromises/2019/webmin-backdoor.md rename to community/catalog/compromises/2019/webmin-backdoor.md diff --git a/supply-chain-security/compromises/2020/nodejs.md b/community/catalog/compromises/2020/nodejs.md similarity index 100% rename from supply-chain-security/compromises/2020/nodejs.md rename to community/catalog/compromises/2020/nodejs.md diff --git a/supply-chain-security/compromises/2020/octopus_scanner.md b/community/catalog/compromises/2020/octopus_scanner.md similarity index 100% rename from supply-chain-security/compromises/2020/octopus_scanner.md rename to community/catalog/compromises/2020/octopus_scanner.md diff --git a/supply-chain-security/compromises/2020/solarwinds.md b/community/catalog/compromises/2020/solarwinds.md similarity index 100% rename from supply-chain-security/compromises/2020/solarwinds.md rename to community/catalog/compromises/2020/solarwinds.md diff --git a/supply-chain-security/compromises/2020/sonarqube.md b/community/catalog/compromises/2020/sonarqube.md similarity index 100% rename from supply-chain-security/compromises/2020/sonarqube.md rename to community/catalog/compromises/2020/sonarqube.md diff --git a/supply-chain-security/compromises/2020/thegreatsuspender.md b/community/catalog/compromises/2020/thegreatsuspender.md similarity index 97% rename from supply-chain-security/compromises/2020/thegreatsuspender.md rename to community/catalog/compromises/2020/thegreatsuspender.md index 67a44b240..0cf51a7a3 100644 --- a/supply-chain-security/compromises/2020/thegreatsuspender.md 
+++ b/community/catalog/compromises/2020/thegreatsuspender.md @@ -20,10 +20,12 @@ diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern. + As a final red flag, no part of the web-store posting has been updated to account for this. [@greatsuspender](https://github.com/greatsuspender) remains listed as -the maintainer, and the privacy policy makes no mention of the new tracking or +the maintainer, and a privacy policy makes no mention of the new tracking or maintainer [greatsuspender privacy policy](https://greatsuspender.github.io/privacy). + On November 6th, [@lucasdf](https://github.com/lucasdf) discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate diff --git a/supply-chain-security/compromises/2020/trojanized-fdm.md b/community/catalog/compromises/2020/trojanized-fdm.md similarity index 100% rename from supply-chain-security/compromises/2020/trojanized-fdm.md rename to community/catalog/compromises/2020/trojanized-fdm.md diff --git a/supply-chain-security/compromises/2021/coa-rc.md b/community/catalog/compromises/2021/coa-rc.md similarity index 100% rename from supply-chain-security/compromises/2021/coa-rc.md rename to community/catalog/compromises/2021/coa-rc.md diff --git a/supply-chain-security/compromises/2021/codecov.md b/community/catalog/compromises/2021/codecov.md similarity index 100% rename from supply-chain-security/compromises/2021/codecov.md rename to community/catalog/compromises/2021/codecov.md diff --git a/supply-chain-security/compromises/2021/homebrew.md b/community/catalog/compromises/2021/homebrew.md similarity index 100% rename from supply-chain-security/compromises/2021/homebrew.md rename to community/catalog/compromises/2021/homebrew.md 
diff --git a/supply-chain-security/compromises/2021/klow-klown-okhsa.md b/community/catalog/compromises/2021/klow-klown-okhsa.md similarity index 100% rename from supply-chain-security/compromises/2021/klow-klown-okhsa.md rename to community/catalog/compromises/2021/klow-klown-okhsa.md diff --git a/supply-chain-security/compromises/2021/log4j.md b/community/catalog/compromises/2021/log4j.md similarity index 100% rename from supply-chain-security/compromises/2021/log4j.md rename to community/catalog/compromises/2021/log4j.md diff --git a/supply-chain-security/compromises/2021/php.md b/community/catalog/compromises/2021/php.md similarity index 100% rename from supply-chain-security/compromises/2021/php.md rename to community/catalog/compromises/2021/php.md diff --git a/supply-chain-security/compromises/2021/repojacking.md b/community/catalog/compromises/2021/repojacking.md similarity index 100% rename from supply-chain-security/compromises/2021/repojacking.md rename to community/catalog/compromises/2021/repojacking.md diff --git a/supply-chain-security/compromises/2021/travis-ci.md b/community/catalog/compromises/2021/travis-ci.md similarity index 100% rename from supply-chain-security/compromises/2021/travis-ci.md rename to community/catalog/compromises/2021/travis-ci.md diff --git a/supply-chain-security/compromises/2021/ua-parser-js.md b/community/catalog/compromises/2021/ua-parser-js.md similarity index 100% rename from supply-chain-security/compromises/2021/ua-parser-js.md rename to community/catalog/compromises/2021/ua-parser-js.md diff --git a/supply-chain-security/compromises/2021/vscode.md b/community/catalog/compromises/2021/vscode.md similarity index 100% rename from supply-chain-security/compromises/2021/vscode.md rename to community/catalog/compromises/2021/vscode.md 
diff --git a/supply-chain-security/compromises/2022/Comm100-live-chat-trojan.md b/community/catalog/compromises/2022/Comm100-live-chat-trojan.md similarity index 100% rename from supply-chain-security/compromises/2022/Comm100-live-chat-trojan.md rename to community/catalog/compromises/2022/Comm100-live-chat-trojan.md diff --git a/supply-chain-security/compromises/2022/auth0-source-code-leak.md b/community/catalog/compromises/2022/auth0-source-code-leak.md similarity index 91% rename from supply-chain-security/compromises/2022/auth0-source-code-leak.md rename to community/catalog/compromises/2022/auth0-source-code-leak.md index 166f042e5..a4b69faf2 100644 --- a/supply-chain-security/compromises/2022/auth0-source-code-leak.md +++ b/community/catalog/compromises/2022/auth0-source-code-leak.md @@ -13,7 +13,7 @@ to Okta environments. It's not entirely clear what the type of compromise is here. It appears to be source code like the [Intel BIOS -leak](/supply-chain-security/compromises/2022/intel-alder-lake-BIOS-leak.md) and +leak](community/catalog/compromises/2022/intel-alder-lake-BIOS-leak.md) and might also involve dev tooling depending on how the attacker gained access to the source code. diff --git a/supply-chain-security/compromises/2022/ctx-and-phpass.md b/community/catalog/compromises/2022/ctx-and-phpass.md similarity index 93% rename from supply-chain-security/compromises/2022/ctx-and-phpass.md rename to community/catalog/compromises/2022/ctx-and-phpass.md index 224d8a8c4..e3cdc0443 100644 --- a/supply-chain-security/compromises/2022/ctx-and-phpass.md +++ b/community/catalog/compromises/2022/ctx-and-phpass.md 
@@ -19,6 +19,8 @@ This incident fits the [Dev Tooling](../compromise-definitions.md#dev-tooling) d ## References + - [How I hacked CTX and PHPass Modules](https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e) - [Twitter thread on the topic](https://twitter.com/s0md3v/status/1529005758540808192) - [Reddit's I think the CTX package on PyPI has been hacked!](https://www.reddit.com/r/Python/comments/uwhzkj/i_think_the_ctx_package_on_pypi_has_been_hacked/) + diff --git a/supply-chain-security/compromises/2022/docker-hub-malicious-containers.md b/community/catalog/compromises/2022/docker-hub-malicious-containers.md similarity index 100% rename from supply-chain-security/compromises/2022/docker-hub-malicious-containers.md rename to community/catalog/compromises/2022/docker-hub-malicious-containers.md diff --git a/supply-chain-security/compromises/2022/dropbox-github-account-breach.md b/community/catalog/compromises/2022/dropbox-github-account-breach.md similarity index 100% rename from supply-chain-security/compromises/2022/dropbox-github-account-breach.md rename to community/catalog/compromises/2022/dropbox-github-account-breach.md diff --git a/supply-chain-security/compromises/2022/fantasy.md b/community/catalog/compromises/2022/fantasy.md similarity index 100% rename from supply-chain-security/compromises/2022/fantasy.md rename to community/catalog/compromises/2022/fantasy.md diff --git a/supply-chain-security/compromises/2022/golang-buildpacks-compiler.md b/community/catalog/compromises/2022/golang-buildpacks-compiler.md similarity index 100% rename from supply-chain-security/compromises/2022/golang-buildpacks-compiler.md rename to community/catalog/compromises/2022/golang-buildpacks-compiler.md 
diff --git a/supply-chain-security/compromises/2022/intel-alder-lake-BIOS-leak.md b/community/catalog/compromises/2022/intel-alder-lake-BIOS-leak.md similarity index 100% rename from supply-chain-security/compromises/2022/intel-alder-lake-BIOS-leak.md rename to community/catalog/compromises/2022/intel-alder-lake-BIOS-leak.md diff --git a/supply-chain-security/compromises/2022/js-faker-colors.md b/community/catalog/compromises/2022/js-faker-colors.md similarity index 100% rename from supply-chain-security/compromises/2022/js-faker-colors.md rename to community/catalog/compromises/2022/js-faker-colors.md diff --git a/supply-chain-security/compromises/2022/node-ipc-peacenotwar.md b/community/catalog/compromises/2022/node-ipc-peacenotwar.md similarity index 100% rename from supply-chain-security/compromises/2022/node-ipc-peacenotwar.md rename to community/catalog/compromises/2022/node-ipc-peacenotwar.md diff --git a/supply-chain-security/compromises/2022/okta-github-repo-leak.md b/community/catalog/compromises/2022/okta-github-repo-leak.md similarity index 100% rename from supply-chain-security/compromises/2022/okta-github-repo-leak.md rename to community/catalog/compromises/2022/okta-github-repo-leak.md diff --git a/supply-chain-security/compromises/2022/php-pear-compromise.md b/community/catalog/compromises/2022/php-pear-compromise.md similarity index 100% rename from supply-chain-security/compromises/2022/php-pear-compromise.md rename to community/catalog/compromises/2022/php-pear-compromise.md diff --git a/supply-chain-security/compromises/2022/pypi-malicious-packages.md b/community/catalog/compromises/2022/pypi-malicious-packages.md similarity index 100% rename from supply-chain-security/compromises/2022/pypi-malicious-packages.md rename to community/catalog/compromises/2022/pypi-malicious-packages.md 
diff --git a/supply-chain-security/compromises/2022/ruby-override.md b/community/catalog/compromises/2022/ruby-override.md similarity index 100% rename from supply-chain-security/compromises/2022/ruby-override.md rename to community/catalog/compromises/2022/ruby-override.md diff --git a/supply-chain-security/compromises/2022/wp-apthemes.md b/community/catalog/compromises/2022/wp-apthemes.md similarity index 100% rename from supply-chain-security/compromises/2022/wp-apthemes.md rename to community/catalog/compromises/2022/wp-apthemes.md diff --git a/supply-chain-security/compromises/2023/fake-dependabot.md b/community/catalog/compromises/2023/fake-dependabot.md similarity index 100% rename from supply-chain-security/compromises/2023/fake-dependabot.md rename to community/catalog/compromises/2023/fake-dependabot.md diff --git a/supply-chain-security/compromises/2023/mathjs-min.md b/community/catalog/compromises/2023/mathjs-min.md similarity index 100% rename from supply-chain-security/compromises/2023/mathjs-min.md rename to community/catalog/compromises/2023/mathjs-min.md diff --git a/supply-chain-security/compromises/2023/packagist-maintainer-takeover.md b/community/catalog/compromises/2023/packagist-maintainer-takeover.md similarity index 100% rename from supply-chain-security/compromises/2023/packagist-maintainer-takeover.md rename to community/catalog/compromises/2023/packagist-maintainer-takeover.md diff --git a/supply-chain-security/compromises/2023/retool-portal-mfa.md b/community/catalog/compromises/2023/retool-portal-mfa.md similarity index 100% rename from supply-chain-security/compromises/2023/retool-portal-mfa.md rename to community/catalog/compromises/2023/retool-portal-mfa.md 
diff --git a/supply-chain-security/compromises/2023/xmlsec-manageengine.md b/community/catalog/compromises/2023/xmlsec-manageengine.md similarity index 100% rename from supply-chain-security/compromises/2023/xmlsec-manageengine.md rename to community/catalog/compromises/2023/xmlsec-manageengine.md diff --git a/supply-chain-security/compromises/2024/gitgot.md b/community/catalog/compromises/2024/gitgot.md similarity index 100% rename from supply-chain-security/compromises/2024/gitgot.md rename to community/catalog/compromises/2024/gitgot.md diff --git a/supply-chain-security/compromises/2024/laixi-3proxy.md b/community/catalog/compromises/2024/laixi-3proxy.md similarity index 100% rename from supply-chain-security/compromises/2024/laixi-3proxy.md rename to community/catalog/compromises/2024/laixi-3proxy.md diff --git a/supply-chain-security/compromises/2024/polyfill.md b/community/catalog/compromises/2024/polyfill.md similarity index 100% rename from supply-chain-security/compromises/2024/polyfill.md rename to community/catalog/compromises/2024/polyfill.md diff --git a/supply-chain-security/compromises/2024/targeted-signed-endoor.md b/community/catalog/compromises/2024/targeted-signed-endoor.md similarity index 100% rename from supply-chain-security/compromises/2024/targeted-signed-endoor.md rename to community/catalog/compromises/2024/targeted-signed-endoor.md diff --git a/supply-chain-security/compromises/2024/xz.md b/community/catalog/compromises/2024/xz.md similarity index 100% rename from supply-chain-security/compromises/2024/xz.md rename to community/catalog/compromises/2024/xz.md diff --git a/supply-chain-security/compromises/README.md b/community/catalog/compromises/README.md similarity index 98% rename from supply-chain-security/compromises/README.md rename to community/catalog/compromises/README.md index c6e805610..e9301b228 100644 --- a/supply-chain-security/compromises/README.md +++ b/community/catalog/compromises/README.md 
@@ -8,8 +8,7 @@ The goal is not to catalog every known supply chain attack, but rather to captur many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools. -For definitions of each compromise type, please check out our [compromise -definitions page](/supply-chain-security/compromises/compromise-definitions.md) +For definitions of each compromise type, please check out our [compromise definitions page](community/catalog/compromises/compromise-definitions.md) We welcome additions to this catalog by [filing an issue](https://github.com/cncf/tag-security/issues/new/choose) or [github pull @@ -23,7 +22,7 @@ enforcement of one of open sources founding principles, "[Linus's Law](https://en.wikipedia.org/wiki/Linus%27s_law)". When submitting an addition, please review the -[definitions](https://github.com/cncf/sig-security/blob/master/supply-chain-security/compromises/compromise-definitions.md) +[definitions](./compromise-definitions.md) page to ensure the Type of Compromise on the details of the incidents as well as the Catalog itself are consistent. If a definition doesn't exist or a new type of compromise needs added, please include that as well. 
@@ -35,7 +34,7 @@ of compromise needs added, please include that as well. | [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) | | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) | | [GitGot: using GitHub repositories as exfiltration store](2024/gitgot.md) | 2024 | Trust and Signing | [1](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data) | -| [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) | +| [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](https://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) | | [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) | | [Fake Dependabot commits](2023/fake-dependabot.md) | 2023 | Source Code | [1](https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/) | | [Okta Source Code Theft](2022/okta-github-repo-leak.md) | 2022 | Source Code
Dev Tooling | [1](https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/) | diff --git a/supply-chain-security/compromises/compromise-definitions.md b/community/catalog/compromises/compromise-definitions.md similarity index 100% rename from supply-chain-security/compromises/compromise-definitions.md rename to community/catalog/compromises/compromise-definitions.md diff --git a/community/events/cloud_native_security.md b/community/events/cloud_native_security.md new file mode 100644 index 000000000..481e0c80c --- /dev/null +++ b/community/events/cloud_native_security.md 
@@ -0,0 +1,110 @@ + +# Cloud Native SecurityCon (Formerly "Cloud Native Security Day") + +One of the things we do as a community is Cloud Native SecurityCon +(previously called Security Day before it was expanded to cover two days). +It is designed to bring together the cloud native security community +together to discuss and share current challenges and solutions +in cloud native security to get together in a vendor neutral space. + +Cloud Native SecurityCon is intended to +drive collaboration, discussion, and knowledge sharing of +cloud native security accomplishments and roadblocks. Get +connected with others that are passionate about security. +Learn from practitioners about pitfalls to avoid, hurdles to +jump, and how to integrate security into your cloud native +project, architecture, and enhance team awareness on security. + +## References to past events & related issues that have details of planning + +### 2018 + +[KubeCon EU 2018](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2018/) + +- Copenhagen, Denmark +- May 2-4, 2018 + +[KubeCon + CloudNativeCon, Shanghai](https://events19.linuxfoundation.cn/events/kubecon-cloudnativecon-china-2018/) + +- Shanghai, China +- Nov 14-15, 2018 +- Planning the event => + [issue#28](https://github.com/cncf/tag-security/issues/28) + +[KubeCon + CloudNativeCon, North America](https://events19.linuxfoundation.org/events/kubecon-cloudnativecon-north-america-2018/) + +- Seattle, USA +- December 11-13, 2018 +- Planning the event => + [issue#29](https://github.com/cncf/tag-security/issues/29) + +### 2019 + +[KubeCon + CloudNativeCon + Open Source Summit](https://events19.linuxfoundation.cn/events/kubecon-cloudnativecon-china-2019/) + +- Shanghai, China +- June 24-26, 2019 +- Planning the event => + [issue#200](https://github.com/cncf/tag-security/issues/200) + +[Cloud Native Security Day NA](https://events19.linuxfoundation.org/events/cloud-native-security-day-2019/) + +- San Diego, USA +- November 18, 
2019 +- Planning the event => + [Issue#209](https://github.com/cncf/tag-security/issues/209) + +### 2020 + +[Cloud Native Security Day EU](https://events.linuxfoundation.org/archive/2020/cloud-native-security-day/) + +- Virtual +- August 17, 2020 +- Planning the event => + [Issue#305](https://github.com/cncf/tag-security/issues/305) + +[Cloud Native Security Day NA](https://events.linuxfoundation.org/cloud-native-security-day-north-america/) + +- Virtual +- November 17, 2020 +- Planning the event => + [Issue#416](https://github.com/cncf/tag-security/issues/416) + +### 2021 + +[Cloud Native Security Day EU](https://events.linuxfoundation.org/cloud-native-security-day-europe/) + +- Virtual +- May 4, 2021 +- Planning the event => + [Issue#454](https://github.com/cncf/tag-security/issues/454) + +[Cloud Native Security Con NA](https://cloudnativesecurityconna21.sched.com/) + +- Los Angeles, California + Virtual +- October 12, 2021 +- Planning the event => + [Issue#667](https://github.com/cncf/tag-security/issues/667) + +### 2022 + +[Cloud Native SecurityCon Europe](https://events.linuxfoundation.org/cloud-native-securitycon-europe/) + +- Valencia, Spain +- May 16-17, 2022 +- Planning the event => + [Issue#811](https://github.com/cncf/tag-security/issues/811) + +[Cloud Native SecurityCon North America](https://events.linuxfoundation.org/cloud-native-securitycon-north-america/) + +- Detroit, Michigan +- October 24-25, 2022 +- Planning the event => + [Issue#939](https://github.com/cncf/tag-security/issues/939) + +### 2023 + +[Cloud Native SecurityCon North America](https://cloudnativesecurityconna23.sched.com/) + +- Seattle, WA +- February 1-2, 2023 diff --git a/publications/README.md b/community/publications/README.md similarity index 100% rename from publications/README.md rename to community/publications/README.md 
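Review bot: the introduction of the new `cloud_native_security.md` repeats itself: `bring together the cloud native security community together to discuss ... to get together in a vendor neutral space`. Suggest `It is designed to bring the cloud native security community together in a vendor neutral space to discuss and share current challenges and solutions.` Two consistency points in the event list: the planning pointers alternate between `issue#28` and `Issue#209`, and the 2018 KubeCon EU entry and the 2023 entry have no planning-issue pointer at all while every other entry does; either add the references or state that none exists. Since this is the only `new file mode` in a commit that otherwise renames files, confirm it is not a rewritten copy of an existing page that should have been a rename so its history is preserved.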
diff --git a/audio-versions/README.md b/community/publications/audio-versions/README.md similarity index 100% rename from audio-versions/README.md rename to community/publications/audio-versions/README.md diff --git a/publications/authoring-guidelines.md b/community/publications/authoring-guidelines.md similarity index 100% rename from publications/authoring-guidelines.md rename to community/publications/authoring-guidelines.md diff --git a/publications/paper-process.md b/community/publications/paper-process.md similarity index 100% rename from publications/paper-process.md rename to community/publications/paper-process.md diff --git a/publications/publishing-protocols.md b/community/publications/publishing-protocols.md similarity index 100% rename from publications/publishing-protocols.md rename to community/publications/publishing-protocols.md diff --git a/design/README.md b/community/resources/design/README.md similarity index 100% rename from design/README.md rename to community/resources/design/README.md diff --git a/design/colors/#141419.png b/community/resources/design/colors/#141419.png similarity index 100% rename from design/colors/#141419.png rename to community/resources/design/colors/#141419.png diff --git a/design/colors/#152356.png b/community/resources/design/colors/#152356.png similarity index 100% rename from design/colors/#152356.png rename to community/resources/design/colors/#152356.png diff --git a/design/colors/#389BB2.png b/community/resources/design/colors/#389BB2.png similarity index 100% rename from design/colors/#389BB2.png rename to community/resources/design/colors/#389BB2.png diff --git a/design/colors/#474756.png b/community/resources/design/colors/#474756.png similarity index 100% rename from design/colors/#474756.png rename to community/resources/design/colors/#474756.png 
diff --git a/design/colors/#4A6CA4.png b/community/resources/design/colors/#4A6CA4.png similarity index 100% rename from design/colors/#4A6CA4.png rename to community/resources/design/colors/#4A6CA4.png diff --git a/design/colors/#6F6F7F.png b/community/resources/design/colors/#6F6F7F.png similarity index 100% rename from design/colors/#6F6F7F.png rename to community/resources/design/colors/#6F6F7F.png diff --git a/design/colors/#85C2D2.png b/community/resources/design/colors/#85C2D2.png similarity index 100% rename from design/colors/#85C2D2.png rename to community/resources/design/colors/#85C2D2.png diff --git a/design/colors/#D81637.png b/community/resources/design/colors/#D81637.png similarity index 100% rename from design/colors/#D81637.png rename to community/resources/design/colors/#D81637.png diff --git a/design/colors/#F7C906.png b/community/resources/design/colors/#F7C906.png similarity index 100% rename from design/colors/#F7C906.png rename to community/resources/design/colors/#F7C906.png diff --git a/design/colors/#F98903.png b/community/resources/design/colors/#F98903.png similarity index 100% rename from design/colors/#F98903.png rename to community/resources/design/colors/#F98903.png diff --git a/design/logo/cloud-native-security-horizontal-color.png b/community/resources/design/logo/cloud-native-security-horizontal-color.png similarity index 100% rename from design/logo/cloud-native-security-horizontal-color.png rename to community/resources/design/logo/cloud-native-security-horizontal-color.png diff --git a/design/logo/cloud-native-security-horizontal-color.svg b/community/resources/design/logo/cloud-native-security-horizontal-color.svg similarity index 100% rename from design/logo/cloud-native-security-horizontal-color.svg rename to community/resources/design/logo/cloud-native-security-horizontal-color.svg 
diff --git a/design/logo/cloud-native-security-horizontal-darkmodesafe.png b/community/resources/design/logo/cloud-native-security-horizontal-darkmodesafe.png similarity index 100% rename from design/logo/cloud-native-security-horizontal-darkmodesafe.png rename to community/resources/design/logo/cloud-native-security-horizontal-darkmodesafe.png diff --git a/design/logo/cloud-native-security-horizontal-darkmodesafe.svg b/community/resources/design/logo/cloud-native-security-horizontal-darkmodesafe.svg similarity index 100% rename from design/logo/cloud-native-security-horizontal-darkmodesafe.svg rename to community/resources/design/logo/cloud-native-security-horizontal-darkmodesafe.svg diff --git a/design/logo/cloud-native-security-horizontal-white-display.png b/community/resources/design/logo/cloud-native-security-horizontal-white-display.png similarity index 100% rename from design/logo/cloud-native-security-horizontal-white-display.png rename to community/resources/design/logo/cloud-native-security-horizontal-white-display.png diff --git a/design/logo/cloud-native-security-horizontal-white.png b/community/resources/design/logo/cloud-native-security-horizontal-white.png similarity index 100% rename from design/logo/cloud-native-security-horizontal-white.png rename to community/resources/design/logo/cloud-native-security-horizontal-white.png diff --git a/design/logo/cloud-native-security-horizontal-white.svg b/community/resources/design/logo/cloud-native-security-horizontal-white.svg similarity index 100% rename from design/logo/cloud-native-security-horizontal-white.svg rename to community/resources/design/logo/cloud-native-security-horizontal-white.svg diff --git a/design/logo/cloud-native-security-icon-color.png b/community/resources/design/logo/cloud-native-security-icon-color.png similarity index 100% rename from design/logo/cloud-native-security-icon-color.png rename to community/resources/design/logo/cloud-native-security-icon-color.png 
diff --git a/design/logo/cloud-native-security-icon-color.svg b/community/resources/design/logo/cloud-native-security-icon-color.svg similarity index 100% rename from design/logo/cloud-native-security-icon-color.svg rename to community/resources/design/logo/cloud-native-security-icon-color.svg diff --git a/design/logo/cloud-native-security-icon-white-display.png b/community/resources/design/logo/cloud-native-security-icon-white-display.png similarity index 100% rename from design/logo/cloud-native-security-icon-white-display.png rename to community/resources/design/logo/cloud-native-security-icon-white-display.png diff --git a/design/logo/cloud-native-security-icon-white.png b/community/resources/design/logo/cloud-native-security-icon-white.png similarity index 100% rename from design/logo/cloud-native-security-icon-white.png rename to community/resources/design/logo/cloud-native-security-icon-white.png diff --git a/design/logo/cloud-native-security-icon-white.svg b/community/resources/design/logo/cloud-native-security-icon-white.svg similarity index 100% rename from design/logo/cloud-native-security-icon-white.svg rename to community/resources/design/logo/cloud-native-security-icon-white.svg diff --git a/design/logo/cloud-native-security-stacked-color.png b/community/resources/design/logo/cloud-native-security-stacked-color.png similarity index 100% rename from design/logo/cloud-native-security-stacked-color.png rename to community/resources/design/logo/cloud-native-security-stacked-color.png diff --git a/design/logo/cloud-native-security-stacked-color.svg b/community/resources/design/logo/cloud-native-security-stacked-color.svg similarity index 100% rename from design/logo/cloud-native-security-stacked-color.svg rename to community/resources/design/logo/cloud-native-security-stacked-color.svg 
diff --git a/design/logo/cloud-native-security-stacked-white-display.png b/community/resources/design/logo/cloud-native-security-stacked-white-display.png similarity index 100% rename from design/logo/cloud-native-security-stacked-white-display.png rename to community/resources/design/logo/cloud-native-security-stacked-white-display.png diff --git a/design/logo/cloud-native-security-stacked-white.png b/community/resources/design/logo/cloud-native-security-stacked-white.png similarity index 100% rename from design/logo/cloud-native-security-stacked-white.png rename to community/resources/design/logo/cloud-native-security-stacked-white.png diff --git a/design/logo/cloud-native-security-stacked-white.svg b/community/resources/design/logo/cloud-native-security-stacked-white.svg similarity index 100% rename from design/logo/cloud-native-security-stacked-white.svg rename to community/resources/design/logo/cloud-native-security-stacked-white.svg diff --git a/landscape/README.md b/community/resources/landscape/README.md similarity index 82% rename from landscape/README.md rename to community/resources/landscape/README.md index 642f9b9fb..ac6e051d3 100644 --- a/landscape/README.md +++ b/community/resources/landscape/README.md @@ -1,9 +1,9 @@ ## Goal -The [SAFE roadmap](../roadmap.md) includes describing the landscape of -cloud-native security. We evaluated categories in the +TAG Security evaluated categories in the [CNCF Landscape](https://landscape.cncf.io/) and -determined the need for a [modified approach](approach.md). +determined the need for a [modified approach](approach.md) to describe +the landscape of cloud native security. We propose [categories](categories.md) as a draft structure for a “Cloud Native Security Landscape”. We drafted this document after reviewing the current list diff --git a/landscape/approach.md b/community/resources/landscape/approach.md similarity index 100% rename from landscape/approach.md rename to community/resources/landscape/approach.md 
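Review bot: dropping the `[SAFE roadmap](../roadmap.md)` link in the `landscape/README.md` hunk avoids a path that would have broken after the move to `community/resources/landscape/` (it would now resolve to `community/resources/roadmap.md`), but the sentence also loses the statement of where this work was chartered. If the roadmap document still exists in the repository, keep a link to it at its new path; if it was removed, say so in the commit message. The remaining `approach.md` and `categories.md` links stay valid because those files move in the same commit.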
diff --git a/landscape/categories.md b/community/resources/landscape/categories.md similarity index 100% rename from landscape/categories.md rename to community/resources/landscape/categories.md diff --git a/project-resources/README.md b/community/resources/project-resources/README.md similarity index 100% rename from project-resources/README.md rename to community/resources/project-resources/README.md diff --git a/project-resources/SecurityGuidelines.png b/community/resources/project-resources/SecurityGuidelines.png similarity index 100% rename from project-resources/SecurityGuidelines.png rename to community/resources/project-resources/SecurityGuidelines.png diff --git a/project-resources/security-hygiene-guide.md b/community/resources/project-resources/security-hygiene-guide.md similarity index 100% rename from project-resources/security-hygiene-guide.md rename to community/resources/project-resources/security-hygiene-guide.md diff --git a/project-resources/templates/ISSUE_TEMPLATE.md b/community/resources/project-resources/templates/ISSUE_TEMPLATE.md similarity index 100% rename from project-resources/templates/ISSUE_TEMPLATE.md rename to community/resources/project-resources/templates/ISSUE_TEMPLATE.md diff --git a/project-resources/templates/SECURITY.md b/community/resources/project-resources/templates/SECURITY.md similarity index 100% rename from project-resources/templates/SECURITY.md rename to community/resources/project-resources/templates/SECURITY.md diff --git a/project-resources/templates/SECURITY_CONTACTS.md b/community/resources/project-resources/templates/SECURITY_CONTACTS.md similarity index 100% rename from project-resources/templates/SECURITY_CONTACTS.md rename to community/resources/project-resources/templates/SECURITY_CONTACTS.md 
diff --git a/project-resources/templates/embargo-policy.md b/community/resources/project-resources/templates/embargo-policy.md similarity index 100% rename from project-resources/templates/embargo-policy.md rename to community/resources/project-resources/templates/embargo-policy.md diff --git a/project-resources/templates/embargo.md b/community/resources/project-resources/templates/embargo.md similarity index 100% rename from project-resources/templates/embargo.md rename to community/resources/project-resources/templates/embargo.md diff --git a/project-resources/templates/incident-response.md b/community/resources/project-resources/templates/incident-response.md similarity index 100% rename from project-resources/templates/incident-response.md rename to community/resources/project-resources/templates/incident-response.md diff --git a/provenance-implementation/README.md b/community/resources/provenance-implementation/README.md similarity index 100% rename from provenance-implementation/README.md rename to community/resources/provenance-implementation/README.md diff --git a/provenance-implementation/argo/argo-cd.md b/community/resources/provenance-implementation/argo/argo-cd.md similarity index 100% rename from provenance-implementation/argo/argo-cd.md rename to community/resources/provenance-implementation/argo/argo-cd.md diff --git a/security-fuzzing-handbook/README.md b/community/resources/security-fuzzing-handbook/README.md similarity index 100% rename from security-fuzzing-handbook/README.md rename to community/resources/security-fuzzing-handbook/README.md diff --git a/security-fuzzing-handbook/build.sh b/community/resources/security-fuzzing-handbook/build.sh similarity index 100% rename from security-fuzzing-handbook/build.sh rename to community/resources/security-fuzzing-handbook/build.sh 
diff --git a/security-fuzzing-handbook/fuzzing-handbook.md b/community/resources/security-fuzzing-handbook/fuzzing-handbook.md similarity index 99% rename from security-fuzzing-handbook/fuzzing-handbook.md rename to community/resources/security-fuzzing-handbook/fuzzing-handbook.md index 2825c710c..5f7e0f8b2 100644 --- a/security-fuzzing-handbook/fuzzing-handbook.md +++ b/community/resources/security-fuzzing-handbook/fuzzing-handbook.md 
@@ -1780,7 +1780,7 @@ In the `project.yaml` we enabled issue reporting via GitHub, specifically `file_ ![OSS-Fuzz auto-bot reporting a bug](imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png) -In addition to the GitHub issue we also received an email notification at the same time, with the exact same content as in the GitHub issue. This email was sent out to all emails listed in the project.yaml. The content of the text is scarce and to extract more insights we need to follow the links in the description to bug reports. There are two links to further details about the issue, one for https://bugs.chromium.org/… and one for https://oss-fuzz.com/… The bug report on https://oss-fuzz.com/… has the most details and will always remain only visible to the emails listed in project.yaml and the details listed on https://bugs.chromium.org/… has slightly more information about the bug report than the GitHub issue and this report will remain private until the bug disclosure deadlines has passed, which is 90 days, or until the issue is fixed. +In addition to the GitHub issue we also received an email notification at the same time, with the exact same content as in the GitHub issue. This email was sent out to all emails listed in the project.yaml. The content of the text is scarce and to extract more insights we need to follow the links in the description to bug reports. There are two links to further details about the issue, one for https://bugs.chromium.org/ and one for https://oss-fuzz.com/. The bug report on https://oss-fuzz.com/ has the most details and will always remain only visible to the emails listed in project.yaml and the details listed on https://bugs.chromium.org/ has slightly more information about the bug report than the GitHub issue and this report will remain private until the bug disclosure deadlines has passed, which is 90 days, or until the issue is fixed. ### Viewing detailed bug reports 
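Review bot: the rewritten line still reads `until the bug disclosure deadlines has passed` (subject and verb disagree; use `deadline has` or `deadlines have`), so fix it while the line is already being changed. Also, the `…` after each URL signalled that the links point at specific bug entries; the new text `one for https://bugs.chromium.org/ and one for https://oss-fuzz.com/.` reads as though the bare hosts are the links, and the period after `https://oss-fuzz.com/` will be swallowed into the autolink by most Markdown renderers. Consider wrapping the hosts in backticks or rewording to `one on bugs.chromium.org and one on oss-fuzz.com`.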
diff --git a/security-fuzzing-handbook/handbook-fuzzing.pdf b/community/resources/security-fuzzing-handbook/handbook-fuzzing.pdf similarity index 100% rename from security-fuzzing-handbook/handbook-fuzzing.pdf rename to community/resources/security-fuzzing-handbook/handbook-fuzzing.pdf diff --git a/security-fuzzing-handbook/imgs/Code-coverage-of-example-project.png b/community/resources/security-fuzzing-handbook/imgs/Code-coverage-of-example-project.png similarity index 100% rename from security-fuzzing-handbook/imgs/Code-coverage-of-example-project.png rename to community/resources/security-fuzzing-handbook/imgs/Code-coverage-of-example-project.png diff --git a/security-fuzzing-handbook/imgs/Coverage-guided-fuzzing-overview.png b/community/resources/security-fuzzing-handbook/imgs/Coverage-guided-fuzzing-overview.png similarity index 100% rename from security-fuzzing-handbook/imgs/Coverage-guided-fuzzing-overview.png rename to community/resources/security-fuzzing-handbook/imgs/Coverage-guided-fuzzing-overview.png diff --git a/security-fuzzing-handbook/imgs/Function-level-fuzzing-introspection.png b/community/resources/security-fuzzing-handbook/imgs/Function-level-fuzzing-introspection.png similarity index 100% rename from security-fuzzing-handbook/imgs/Function-level-fuzzing-introspection.png rename to community/resources/security-fuzzing-handbook/imgs/Function-level-fuzzing-introspection.png diff --git a/security-fuzzing-handbook/imgs/Fuzzing-code-coverage-report.png b/community/resources/security-fuzzing-handbook/imgs/Fuzzing-code-coverage-report.png similarity index 100% rename from security-fuzzing-handbook/imgs/Fuzzing-code-coverage-report.png rename to community/resources/security-fuzzing-handbook/imgs/Fuzzing-code-coverage-report.png 
diff --git a/security-fuzzing-handbook/imgs/Fuzzing-key-components.png b/community/resources/security-fuzzing-handbook/imgs/Fuzzing-key-components.png similarity index 100% rename from security-fuzzing-handbook/imgs/Fuzzing-key-components.png rename to community/resources/security-fuzzing-handbook/imgs/Fuzzing-key-components.png diff --git a/security-fuzzing-handbook/imgs/Historical-progession-of-example-project.png b/community/resources/security-fuzzing-handbook/imgs/Historical-progession-of-example-project.png similarity index 100% rename from security-fuzzing-handbook/imgs/Historical-progession-of-example-project.png rename to community/resources/security-fuzzing-handbook/imgs/Historical-progession-of-example-project.png diff --git a/security-fuzzing-handbook/imgs/LibFuzzer-engine-overview.png b/community/resources/security-fuzzing-handbook/imgs/LibFuzzer-engine-overview.png similarity index 100% rename from security-fuzzing-handbook/imgs/LibFuzzer-engine-overview.png rename to community/resources/security-fuzzing-handbook/imgs/LibFuzzer-engine-overview.png diff --git a/security-fuzzing-handbook/imgs/Minimized-testcase-provided-per-issue.png b/community/resources/security-fuzzing-handbook/imgs/Minimized-testcase-provided-per-issue.png similarity index 100% rename from security-fuzzing-handbook/imgs/Minimized-testcase-provided-per-issue.png rename to community/resources/security-fuzzing-handbook/imgs/Minimized-testcase-provided-per-issue.png diff --git a/security-fuzzing-handbook/imgs/Monorail-issues-are-closed-automatically.png b/community/resources/security-fuzzing-handbook/imgs/Monorail-issues-are-closed-automatically.png similarity index 100% rename from security-fuzzing-handbook/imgs/Monorail-issues-are-closed-automatically.png rename to community/resources/security-fuzzing-handbook/imgs/Monorail-issues-are-closed-automatically.png 
diff --git a/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-automatically-closes-issus.png b/community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-automatically-closes-issus.png similarity index 100% rename from security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-automatically-closes-issus.png rename to community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-automatically-closes-issus.png diff --git a/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png b/community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png similarity index 100% rename from security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png rename to community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-GitHub-bot-reporting-an-issue.png diff --git a/security-fuzzing-handbook/imgs/OSS-Fuzz-detailed-stack-trace.png b/community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-detailed-stack-trace.png similarity index 100% rename from security-fuzzing-handbook/imgs/OSS-Fuzz-detailed-stack-trace.png rename to community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-detailed-stack-trace.png diff --git a/security-fuzzing-handbook/imgs/OSS-Fuzz-issue-overview.png b/community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-issue-overview.png similarity index 100% rename from security-fuzzing-handbook/imgs/OSS-Fuzz-issue-overview.png rename to community/resources/security-fuzzing-handbook/imgs/OSS-Fuzz-issue-overview.png diff --git a/security-fuzzing-handbook/imgs/Open-source-fuzz-introspection-overview.png b/community/resources/security-fuzzing-handbook/imgs/Open-source-fuzz-introspection-overview.png similarity index 100% rename from security-fuzzing-handbook/imgs/Open-source-fuzz-introspection-overview.png rename to community/resources/security-fuzzing-handbook/imgs/Open-source-fuzz-introspection-overview.png 
diff --git a/security-fuzzing-handbook/imgs/Source-level-code-coverage.png b/community/resources/security-fuzzing-handbook/imgs/Source-level-code-coverage.png similarity index 100% rename from security-fuzzing-handbook/imgs/Source-level-code-coverage.png rename to community/resources/security-fuzzing-handbook/imgs/Source-level-code-coverage.png diff --git a/security-fuzzing-handbook/imgs/cncf-logo-footer.png b/community/resources/security-fuzzing-handbook/imgs/cncf-logo-footer.png similarity index 100% rename from security-fuzzing-handbook/imgs/cncf-logo-footer.png rename to community/resources/security-fuzzing-handbook/imgs/cncf-logo-footer.png diff --git a/security-fuzzing-handbook/imgs/cncf-stacked-color.png b/community/resources/security-fuzzing-handbook/imgs/cncf-stacked-color.png similarity index 100% rename from security-fuzzing-handbook/imgs/cncf-stacked-color.png rename to community/resources/security-fuzzing-handbook/imgs/cncf-stacked-color.png diff --git a/security-fuzzing-handbook/imgs/envoy-introspector-profile.png b/community/resources/security-fuzzing-handbook/imgs/envoy-introspector-profile.png similarity index 100% rename from security-fuzzing-handbook/imgs/envoy-introspector-profile.png rename to community/resources/security-fuzzing-handbook/imgs/envoy-introspector-profile.png diff --git a/security-fuzzing-handbook/imgs/vitess-fuzzing-landscape.png b/community/resources/security-fuzzing-handbook/imgs/vitess-fuzzing-landscape.png similarity index 100% rename from security-fuzzing-handbook/imgs/vitess-fuzzing-landscape.png rename to community/resources/security-fuzzing-handbook/imgs/vitess-fuzzing-landscape.png diff --git a/security-lexicon/README.md b/community/resources/security-lexicon/README.md similarity index 100% rename from security-lexicon/README.md rename to community/resources/security-lexicon/README.md 
diff --git a/security-lexicon/cloud-native-security-lexicon.md b/community/resources/security-lexicon/cloud-native-security-lexicon.md similarity index 100% rename from security-lexicon/cloud-native-security-lexicon.md rename to community/resources/security-lexicon/cloud-native-security-lexicon.md diff --git a/security-whitepaper/README.md b/community/resources/security-whitepaper/README.md similarity index 100% rename from security-whitepaper/README.md rename to community/resources/security-whitepaper/README.md diff --git a/security-whitepaper/cnsmap/README.md b/community/resources/security-whitepaper/cnsmap/README.md similarity index 100% rename from security-whitepaper/cnsmap/README.md rename to community/resources/security-whitepaper/cnsmap/README.md diff --git a/security-whitepaper/secure-defaults-cloud-native-8.md b/community/resources/security-whitepaper/secure-defaults-cloud-native-8.md similarity index 100% rename from security-whitepaper/secure-defaults-cloud-native-8.md rename to community/resources/security-whitepaper/secure-defaults-cloud-native-8.md diff --git a/security-whitepaper/v1/CNCF_cloud-native-security-whitepaper-Nov2020.pdf b/community/resources/security-whitepaper/v1/CNCF_cloud-native-security-whitepaper-Nov2020.pdf similarity index 100% rename from security-whitepaper/v1/CNCF_cloud-native-security-whitepaper-Nov2020.pdf rename to community/resources/security-whitepaper/v1/CNCF_cloud-native-security-whitepaper-Nov2020.pdf diff --git a/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md b/community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md similarity index 100% rename from security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md rename to community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md 
diff --git a/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md b/community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md similarity index 100% rename from security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md rename to community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md diff --git a/security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md b/community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md similarity index 99% rename from security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md rename to community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md index a5f569805..8821293aa 100644 --- a/security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md +++ b/community/resources/security-whitepaper/v1/cloud-native-security-whitepaper-spanish.md 
@@ -317,7 +317,7 @@ Con respecto a los objetivos de las garantías de seguridad, se deben evaluar la #### Etapa de Pruebas -Las aplicaciones nativas para la nube deben estar sujetas al mismo conjunto y estándar de pruebas de calidad que las aplicaciones tradicionales. Estos incluyen conceptos de código limpio, adhesión a la [Pirámide de Prueba]((https://martinfowler.com/articles/practical-test-pyramid.html)), escaneo de seguridad de aplicación y linting a través de pruebas de la seguridad de aplicaciones estáticas (SAST), análisis y escaneo de dependencias, pruebas de seguridad de aplicaciones dinámicas (DAST) (por ejemplo, mocking), instrumentación de aplicación e infraestructura completa con pruebas disponibles para los desarrolladores en flujos de trabajo locales. Los resultados de las pruebas automatizadas deben regresar a los requisitos para una comprobación dual (desarrollador y herramienta) para garantizar la seguridad en tiempo real a los equipos de seguridad y el cumplimiento normativo. +Las aplicaciones nativas para la nube deben estar sujetas al mismo conjunto y estándar de pruebas de calidad que las aplicaciones tradicionales. Estos incluyen conceptos de código limpio, adhesión a la [Pirámide de Prueba](https://martinfowler.com/articles/practical-test-pyramid.html), escaneo de seguridad de aplicación y linting a través de pruebas de la seguridad de aplicaciones estáticas (SAST), análisis y escaneo de dependencias, pruebas de seguridad de aplicaciones dinámicas (DAST) (por ejemplo, mocking), instrumentación de aplicación e infraestructura completa con pruebas disponibles para los desarrolladores en flujos de trabajo locales. Los resultados de las pruebas automatizadas deben regresar a los requisitos para una comprobación dual (desarrollador y herramienta) para garantizar la seguridad en tiempo real a los equipos de seguridad y el cumplimiento normativo. 
Una vez que se ha identificado un error de seguridad (por ejemplo, un firewall incorrecto o una regla de enrutamiento), si el análisis de la causa raíz determina que tiene una posibilidad razonable de recurrencia, los desarrolladores deben escribir una prueba automatizada para evitar la regresión del defecto. En la falla de la prueba, los equipos recibirán comentarios para corregir el error y con la próxima fusión, la prueba pasará (suponiendo que fue corregido). Hacer esto, defiende contra la regresión debido a los cambios futuros en ese código. Las pruebas unitarias de la infraestructura es un control preventivo y se dirige a las entidades y entradas definidas en la configuración de infraestructura como código (IaC). Las pruebas de seguridad de la infraestructura construida son un control de detección y combinan garantía, regresiones históricas y detección de configuración inesperada (reglas de firewall abiertas al mundo, políticas de demasiado acceso privilegiado y manejo de acceso (IAM), endpoints no autenticados, etc.). 
@@ -540,7 +540,7 @@ Especificar el UID o GID del volumen sigue permitiendo el acceso del contenedor ##### Registros de Artefactos Los registros deben incluir tecnologías para firmar y verificar los artefactos de OCI. También es importante asegurarse de que las herramientas de almacenamiento en caché y distribución también proporcionen la capacidad de firmar, cifrar y proporcionar sumas de comprobación para garantizar que la capa de caché pueda detectar manipulaciones o intentos de envenenar el conjunto de datos. -El documento técnico [v2]((https://bit.ly/cncf-storage-whitepaperV2)) sobre almacenamiento de la CNCF proporciona información adicional sobre los conceptos, la terminología, los patrones de uso y las clases de tecnología del almacenamiento nativo en la nube. +El documento técnico [v2](https://bit.ly/cncf-storage-whitepaperV2)) sobre almacenamiento de la CNCF proporciona información adicional sobre los conceptos, la terminología, los patrones de uso y las clases de tecnología del almacenamiento nativo en la nube. ### Acceso diff --git a/security-whitepaper/v1/cloud-native-security-whitepaper.md b/community/resources/security-whitepaper/v1/cloud-native-security-whitepaper.md similarity index 100% rename from security-whitepaper/v1/cloud-native-security-whitepaper.md rename to community/resources/security-whitepaper/v1/cloud-native-security-whitepaper.md diff --git a/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure1.png b/community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure1.png similarity index 100% rename from security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure1.png rename to community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure1.png 
diff --git a/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure2.png b/community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure2.png similarity index 100% rename from security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure2.png rename to community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure2.png diff --git a/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure3.png b/community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure3.png similarity index 100% rename from security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure3.png rename to community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure3.png diff --git a/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure4.png b/community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure4.png similarity index 100% rename from security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure4.png rename to community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure4.png diff --git a/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure5.png b/community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure5.png similarity index 100% rename from security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure5.png rename to community/resources/security-whitepaper/v1/cnswp-images/RackMultipart20201111_figure5.png diff --git a/security-whitepaper/v1/secure-software-factory.md b/community/resources/security-whitepaper/v1/secure-software-factory.md similarity index 100% rename from security-whitepaper/v1/secure-software-factory.md rename to community/resources/security-whitepaper/v1/secure-software-factory.md 
diff --git a/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf b/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf similarity index 100% rename from security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf rename to community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf diff --git a/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf b/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf similarity index 100% rename from security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf rename to community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf diff --git a/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-it-May2023-v2.pdf b/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-it-May2023-v2.pdf similarity index 100% rename from security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-it-May2023-v2.pdf rename to community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-it-May2023-v2.pdf diff --git a/security-whitepaper/v2/cloud-native-security-whitepaper-it.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md similarity index 100% rename from security-whitepaper/v2/cloud-native-security-whitepaper-it.md rename to community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md diff --git a/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md similarity index 100% rename from security-whitepaper/v2/cloud-native-security-whitepaper-ja.md rename to community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md 
diff --git a/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md similarity index 100% rename from security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md rename to community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md diff --git a/security-whitepaper/v2/cloud-native-security-whitepaper.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md similarity index 100% rename from security-whitepaper/v2/cloud-native-security-whitepaper.md rename to community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md diff --git a/security-whitepaper/v2/cnswp-images/cnswp-v2-figure1.png b/community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-figure1.png similarity index 100% rename from security-whitepaper/v2/cnswp-images/cnswp-v2-figure1.png rename to community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-figure1.png diff --git a/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-deploy.png b/community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-deploy.png similarity index 100% rename from security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-deploy.png rename to community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-deploy.png diff --git a/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-develop.png b/community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-develop.png similarity index 100% rename from security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-develop.png rename to community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-develop.png 
diff --git a/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-distribute.png b/community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-distribute.png similarity index 100% rename from security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-distribute.png rename to community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-distribute.png diff --git a/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-runtime.png b/community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-runtime.png similarity index 100% rename from security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-runtime.png rename to community/resources/security-whitepaper/v2/cnswp-images/cnswp-v2-security-structural-model-runtime.png diff --git a/usecase-personas/README.md b/community/resources/usecase-personas/README.md similarity index 100% rename from usecase-personas/README.md rename to community/resources/usecase-personas/README.md diff --git a/usecase-personas/references/admin-bill-of-rights.md b/community/resources/usecase-personas/references/admin-bill-of-rights.md similarity index 100% rename from usecase-personas/references/admin-bill-of-rights.md rename to community/resources/usecase-personas/references/admin-bill-of-rights.md diff --git a/community/supply-chain-security/README.md b/community/supply-chain-security/README.md deleted file mode 100644 index 1cd84d8e1..000000000 --- a/community/supply-chain-security/README.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# Software Supply Chain Security - -Software Supply Chain attacks have come to the wider community's attention following a recent high-profile attack, but have been an ongoing threat for a long time. With the ever-growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined. - -## Meeting Information - -- **Weekly Meetings:** 8:00 AM Pacific Time (US and Canada) -- **Meeting Link:** See CNCF calendar for invite -- **Meeting Notes:** [Google Docs](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.xkkh09c7ni6) - -## Contact - -- **Lead:** Marina Moore, Michael Lieberman, John Kjell -- **Slack Channel:** [Link](https://cloud-native.slack.com/archives/C01KL0B4LKC) diff --git a/policy/PolicyFormalVerificationDiagram.png b/community/working-groups/archive/policy/PolicyFormalVerificationDiagram.png similarity index 100% rename from policy/PolicyFormalVerificationDiagram.png rename to community/working-groups/archive/policy/PolicyFormalVerificationDiagram.png diff --git a/policy/overview-formal-verification.png b/community/working-groups/archive/policy/overview-formal-verification.png similarity index 100% rename from policy/overview-formal-verification.png rename to community/working-groups/archive/policy/overview-formal-verification.png diff --git a/policy/overview-policy-build-time-dependency-vulns.md b/community/working-groups/archive/policy/overview-policy-build-time-dependency-vulns.md similarity index 100% rename from policy/overview-policy-build-time-dependency-vulns.md rename to community/working-groups/archive/policy/overview-policy-build-time-dependency-vulns.md 
diff --git a/policy/overview-policy-formal-verification.md b/community/working-groups/archive/policy/overview-policy-formal-verification.md similarity index 100% rename from policy/overview-policy-formal-verification.md rename to community/working-groups/archive/policy/overview-policy-formal-verification.md diff --git a/community/automated-governance/README.md b/community/working-groups/automated-governance/README.md similarity index 100% rename from community/automated-governance/README.md rename to community/working-groups/automated-governance/README.md diff --git a/community/compliance/README.md b/community/working-groups/compliance/README.md similarity index 100% rename from community/compliance/README.md rename to community/working-groups/compliance/README.md diff --git a/community/controls/README.md b/community/working-groups/controls/README.md similarity index 100% rename from community/controls/README.md rename to community/working-groups/controls/README.md diff --git a/cloud-native-controls/phase-one-announcement.md b/community/working-groups/controls/phase-one-announcement.md similarity index 100% rename from cloud-native-controls/phase-one-announcement.md rename to community/working-groups/controls/phase-one-announcement.md diff --git a/community/research/README.md b/community/working-groups/research/README.md similarity index 100% rename from community/research/README.md rename to community/working-groups/research/README.md diff --git a/community/working-groups/supply-chain-security/README.md b/community/working-groups/supply-chain-security/README.md new file mode 100644 index 000000000..bcaefee5c --- /dev/null +++ b/community/working-groups/supply-chain-security/README.md 
@@ -0,0 +1,41 @@ +# Software Supply Chain Security + +Software Supply Chain attacks have come to the wider community's attention following a recent high-profile attack, but have been an ongoing threat for a long time. With the ever-growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined. + +## What are supply chain vulnerabilities and their implications? + +The [Catalog of Supply Chain Compromises](../../catalog/compromises/) provides real-world +examples that help raise awareness and provide detailed information that +let's us understand attack vectors and consider how to mitigate potential +risk. + +## On mitigating vulnerabilities + +There is on-going work to establish best practices in this area. The list of +[types of supply chain compromises](../../catalog/compromises/compromise-definitions.md) +in the [catalog of supply chain compromises](../../catalog/compromises/) suggests some +mitigation techniques for the more well understood categories. + +## Supply chain security paper + +STAG (Security Technical Advisory Group) has put work into a comprehensive +software supply chain paper highlighting best practices for high and medium risk +environments. Please check out +[the paper](./supply-chain-security-paper/sscsp.md) +and corollary +[secure supply chain assessment document](./supply-chain-security-paper/secure-supply-chain-assessment.md) +to learn more. + +For information about contributing to the document or providing feedback, please +refer to the [README](./supply-chain-security-paper/README.md). 
+ +## Meeting Information + +- **Weekly Meetings:** 8:00 AM Pacific Time (US and Canada) +- **Meeting Link:** See CNCF calendar for invite +- **Meeting Notes:** [Google Docs](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.xkkh09c7ni6) + +## Contact + +- **Lead:** Marina Moore, Michael Lieberman, John Kjell +- **Slack Channel:** [Link](https://cloud-native.slack.com/archives/C01KL0B4LKC) diff --git a/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf b/community/working-groups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf similarity index 100% rename from supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf rename to community/working-groups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf diff --git a/supply-chain-security/secure-software-factory/images/image1.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image1.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image1.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image1.png diff --git a/supply-chain-security/secure-software-factory/images/image2.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image2.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image2.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image2.png diff --git a/supply-chain-security/secure-software-factory/images/image3.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image3.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image3.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image3.png 
diff --git a/supply-chain-security/secure-software-factory/images/image4.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image4.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image4.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image4.png diff --git a/supply-chain-security/secure-software-factory/images/image5.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image5.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image5.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image5.png diff --git a/supply-chain-security/secure-software-factory/images/image6.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image6.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image6.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image6.png diff --git a/supply-chain-security/secure-software-factory/images/image7.png b/community/working-groups/supply-chain-security/secure-software-factory/images/image7.png similarity index 100% rename from supply-chain-security/secure-software-factory/images/image7.png rename to community/working-groups/supply-chain-security/secure-software-factory/images/image7.png diff --git a/supply-chain-security/secure-software-factory/secure-software-factory.md b/community/working-groups/supply-chain-security/secure-software-factory/secure-software-factory.md similarity index 100% rename from supply-chain-security/secure-software-factory/secure-software-factory.md rename to community/working-groups/supply-chain-security/secure-software-factory/secure-software-factory.md 
diff --git a/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf b/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf similarity index 100% rename from supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf rename to community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf diff --git a/supply-chain-security/supply-chain-security-paper/README.md b/community/working-groups/supply-chain-security/supply-chain-security-paper/README.md similarity index 100% rename from supply-chain-security/supply-chain-security-paper/README.md rename to community/working-groups/supply-chain-security/supply-chain-security-paper/README.md diff --git a/supply-chain-security/supply-chain-security-paper/fig1.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig1.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig1.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig1.png diff --git a/supply-chain-security/supply-chain-security-paper/fig2.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig2.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig2.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig2.png diff --git a/supply-chain-security/supply-chain-security-paper/fig3.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig3.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig3.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig3.png 
diff --git a/supply-chain-security/supply-chain-security-paper/fig4.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig4.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig4.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig4.png diff --git a/supply-chain-security/supply-chain-security-paper/fig5.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig5.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig5.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig5.png diff --git a/supply-chain-security/supply-chain-security-paper/fig6.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig6.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig6.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig6.png diff --git a/supply-chain-security/supply-chain-security-paper/fig7.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig7.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig7.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig7.png diff --git a/supply-chain-security/supply-chain-security-paper/fig8.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig8.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig8.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig8.png 
diff --git a/supply-chain-security/supply-chain-security-paper/fig9.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/fig9.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/fig9.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/fig9.png diff --git a/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md b/community/working-groups/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md similarity index 100% rename from supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md rename to community/working-groups/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig1.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig1.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig1.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig1.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig2.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig2.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig2.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig2.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig3.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig3.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig3.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig3.png 
diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig4.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig4.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig4.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig4.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig5.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig5.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig5.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig5.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig6.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig6.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig6.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig6.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig7.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig7.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig7.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig7.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig8.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig8.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig8.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig8.png 
diff --git a/supply-chain-security/supply-chain-security-paper/sscsp-images/fig9.png b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig9.png similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp-images/fig9.png rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp-images/fig9.png diff --git a/supply-chain-security/supply-chain-security-paper/sscsp.md b/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp.md similarity index 100% rename from supply-chain-security/supply-chain-security-paper/sscsp.md rename to community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp.md diff --git a/compliance/README.md b/compliance/README.md deleted file mode 100644 index 36db9a775..000000000 --- a/compliance/README.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# CNCF Compliance Working Group - -## Charter - -Cloud Native systems represent a paradigm shift in both technical and human operations workflows. The community (and industry) has invested significant time researching and solving -approaches to Cloud native security concerns and topics: software vulnerabilities, risk management, software component dependencies and infrastructure as code (GitOps), supply chain -provenance, malicious attackers, threat models, and technical security assessments. At the same time, many commercial, non-profit foundations, community and government organizations -performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute -and data processing integrity and resilience. These cross cutting concerns span not only specific technical configuration of software and systems, but also require complex orchestration of -human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts. - -The motivation of the Compliance WG is cross-disciplinary and focused on bridging purely technical issues to broader legal and regulatory workflows: not only to strive for the prevention -of system breaches, but also considering supply chain, operators, data and AI failures while simultaneously considering auditability, non-repudiation, legally required forensic evidence, -etc. - across all the various activities required of cloud native operators of all sizes. The Compliance WG plans to curate vendor neutral tools for evidence collection, chain-of-custody -in audits, as well as automated workflows for continuous compliance authoring and assessment. 
- -The key areas of the Compliance WG include: - -- Building a knowledge base (in GitHub and possibly other tools) and case studies on the How, What, Why and When of operating a cloud native environment within the requirements of legal -and regulatory entities that govern clouds, specific industries, and more generally data and public/consumer usage. These requirements are often _not just_ technical security concerns. -Compliance activities and requirements span human activities and performance, system availability and reliability, the combined human and technical aspects of continuity of operations, -defining and monitoring data location as well as sovereignty and provenance of the regulated environment components and data - -- Generating specific examples of compliance as code, normalized templates, and tools for automating these both technical and non-technical requirements, control assessment, data analysis, -audit and compliance remediation workflows that specifically benefit CNCF projects and their community of users. - -- Reviewing industry and governmental standards - eg NIST, PCI, HIPAA, etc - from a cloud native perspective and serving as Subject Matter Experts in the CNCF community for how projects -should implement and support these compliance-specific requirements as first class citizen to enable broad adoption of the best practices by commercial, non-profit, governmental, and -humanitarian organizations. - -## Responsibilities - - - -- Users/personas/needs/customer demands for industry and regulatory compliance (both human and technical) -- Identifications of areas of focus e.g. human workflows, automated workflows, analytical tools, audit and assessment tools, technical security controls that cut across components and systems and clouds, etc -- Framework for evaluation, audit and reporting - how do products and tools demonstrate compliance? -- Training and automation - what is missing, what is difficult to understand, what knowledge gaps are there? 
-- Work on integrating common tooling across different projects, particularly where that tooling is a CNCF project (but the targets may not be) -- Cross project focus on the projects and efforts the CNCF is funding, helping projects identify needs and providing subject matter expertise to assist -- Recommendations of integrating security tooling with compliance tooling and processes - making both the synergies and unique separations of concern explicit and achieving community consensus. -- Growing CNCF external relationships with interested parties, e.g. NIST and other compliance standards bodies such as FINOS, OSCAL, OpenSSF - -## Stakeholders/Key people - Roles and responsibilities - - - -### WG co-chairs - -- Anca Sailer ([@ancatri](https://github.com/ancatri)) - -- Robert Ficcaglia ([@rficcaglia](https://github.com/rficcaglia)) - -### WG tech leads - -- Alejandro Leiva ([@AleJo2995](https://github.com/AleJo2995)) - -- Jennifer Power ([@jpower432](https://github.com/jpower432)) - -- Lou DeGenaro ([@degenaro](https://github.com/degenaro)) - -- Manjiree Gadgil ([@mrgadgil](https://github.com/mrgadgil)) - -- Vikas Agarwal ([@vikas-agarwal76](https://github.com/vikas-agarwal76)) - -- Yuji Watanabe ([@yuji-watanabe-jp](https://github.com/yuji-watanabe-jp)) - -- Takumi Yanagawa ([@yana1205](https://github.com/yana1205)) diff --git a/policy-wg-merging.md b/policy-wg-merging.md deleted file mode 100644 index 0f595fd0e..000000000 --- a/policy-wg-merging.md +++ /dev/null 
@@ -1,23 +0,0 @@ -The Policy WG merged with SAFE WG on Aug 10, 2018, and together submitted SAFE WG proposal to CNCF TOC - -This document illustrates the proposed CNCF Policy WG's key objects and deliverables, and the way to forge ahead with SAFE WG as a unified CNCF level WG to avoid unnecessary overlap and concentrate resources. - -CNCF Policy WG Proposal -======================= - -Overview: https://docs.google.com/document/d/1KSGODwPSzusENZ2vaX3sw81b7M39mgmESaYnwZi53dQ/edit?usp=sharing - -Key Deliverables -================ - -- Cloud Native Policy Architecture White Paper -- Container Policy Interface implementations -- Various feature requests to projects like kubernetes, opa, istio, spifee, and more. - -Way forward on merging with SAFE WG -=================================== - -1. Extend the original scope to include policy, such as security oriented policies (RBAC, network, Auth, ...) and resource oriented policies (resource manager, quota, scheduling, topology, ...) -2. Extend the interested parties to include Policy WG key participants. -3. Extend the deliverables to include Policy WG deliverables: a new scoped white paper on security and policy, cpi development/discussion, and upstream project feedback/feature request. -4. WG rename after official status to reflect the new scope and deliverables. diff --git a/roadmap.md b/roadmap.md deleted file mode 100644 index ba31fc888..000000000 --- a/roadmap.md +++ /dev/null @@ -1,92 +0,0 @@ -# Security TAG Roadmap - -* [Overview](#overview) -* [Details](#details) -* [Upcoming](#upcoming) - * [Ongoing efforts](#ongoing-efforts) -* [Completed](completed) - -## Overview -Note: TAG-Security was rebranded from SAFE working group. The below roadmap -includes SAFE WG and TAG-Security in its timeline. - -| | #2 Discover | #3 Describe | #4 Identify -| --- | --- | --- | --- | -| Artifacts | Personas
Use Cases
Categories
| Standards
Common Definitions
Block Architecture | Catalog Projects
Fill in Boxes
Identify Gaps -| Topics | Presentations
TAG members & guests
| Standards in Practice
Real World Systems Architecture | Platforms & Products
Tools & Libraries - -## Details - -1. **Charter** the SAFE Working Group. Draft vision, process and initial members - (done, see below) -2. **Discover** (Completed) - * Explore the problem space of the working group - * Investigating what is happening in the community today with respect to security for cloud native applications and infrastructure - * [Presentations](issues?utf8=%E2%9C%93&q=is%3Aclosed+is%3Aissue+label%3Ausecase-presentation+) from members & guests - * Describe [personas & use cases](usecase-personas/) - * Draft a picture or set of categories that will serve as a starting point for an evaluation framework - * Solicit real world use cases and practices (and compensating controls) for projects -3. **Describe** (in progress) - * Define the terminology used in the output documents, and in the community - * Describe the current state (map) of cloud native security, which might include: - * existing standards - * existing open source, and proprietary, solutions - * common patterns in use today for system that works for cloud native apps. For example: - * Extract end-to-end view of secure access, and - * Common layering or a block architecture -4. **Identify** existing security components in CNCF and projects in the CNCF landscape and catalog - * Identify gaps and make recommendations to the community and TOC - * Continually monitor the viability of the existing projects and update the landscape document - * Document and disseminate best practices (provide training?) - -## Upcoming - -TAG-Security strives to perform annual planning and quarterly reviews of our -roadmap plans. The Roadmap planning project board for each annum is a live -board and is continually updated. Boards may have cards added which indicate -early concepts or needs for discovery, prior to become proposals or projects. 
- -| Year | Board Link | -| --- | --- | -| 2021-2022 | [RoadMap Planning Board](https://github.com/cncf/tag-security/projects/4) | - -### Ongoing efforts - -TAG-Security maintains a few activities as regular business. Boards tracking -these items linked below. - -| Effort | Board Link | Description | -| --- | --- | -- | -| CNCF project security reviews | [Security Review Queue](https://github.com/cncf/tag-security/projects/2) | This board is used to manage upcoming and current security reviews and security review related activities. | -| TAG-Security Projects | [Project Tracking Board](https://github.com/cncf/tag-security/projects/1) | This board is used to manage upcoming proposals (backlog) and ongoing projects. | -| Issue Triage | [Triage Board](https://github.com/cncf/tag-security/projects/3) | This board is used to assist the Triage team in managing the queue of issues. | - - -## Completed - -| Milestone | Date | Action -| --- | --- | --- | -| First Community Translation | 27 Feb 2021 | [Chinese translation of Whitepaper](https://github.com/cncf/tag-security/pull/471) | -| Security Assessments => Reviews | 23 Feb 2021 | Retrospective resulted in [process updates](https://github.com/cncf/tag-security/pull/488) | -| APAC meetings start | 1 Feb 2021 | [Regular meeting time added to README](https://github.com/cncf/tag-security/pull/518) -| Expanded to 5 Tech Leads | 13 Jan 2021 | [TOC Approves](https://lists.cncf.io/g/cncf-toc/topic/79052801#5599) [@ashutosh-narkar](https://github.com/ashutosh-narkar), [@achetal01](https://github.com/achetal01), [@anvega](https://github.com/anvega) | -| Cloud Native Security Whitepaper v1 | 18 Nov 2020 | [Markdown source and images in repo](https://github.com/cncf/tag-security/pull/452) | -| First five security assessments | 21 Oct 2020 | [In-toto, OPA, SPIFFE/SPIRE, Harbor, Keycloak](https://github.com/cncf/tag-security/issues/167) | -| First chair rotation | 15 Sep 2020 | [TOC 
approves](https://lists.cncf.io/g/cncf-toc/topic/77001316#5303) [@TheFoxAtWork](https://github.com/TheFoxAtWork) with new [chair proposal process](https://github.com/cncf/tag-security/pull/419/files) -| DoD Kubernetes/Container Security controls proposed | 26 Jun 2020 | LF collaboration with US DoD [merged to DoD repo](https://repo1.dso.mil/dsawg-devsecops/kubernetes-srg/k8-srg-artifacts/-/tree/master/linuxfoundation) | -| First Tech Leads | 25 Feb 2020 | [TOC approves](https://lists.cncf.io/g/cncf-toc/topic/71341283#4198) [@lumjjb](https://github.com/lumjjb) [@TheFoxAtWork](https://github.com/TheFoxAtWork) [@JustinCappos](https://github.com/JustinCappos) | -| Security Assessment intake process | 7 Jan 2020 | [Intake process and prioritization](https://github.com/cncf/tag-security/pull/296) | -| First Cloud Native Security Day | 19 Nov 2019 | [Event](https://events19.linuxfoundation.org/events/cloud-native-security-day-2019/) organized by [@mfdii and @TheFoxAtWork](https://github.com/cncf/tag-security/issues/209) | -| Software supply chain catalog | 14 Nov 2019 | [Catalog](https://github.com/cncf/tag-security/pull/284) | -| Updated personas & use cases | 23 Sept 2019 | [Added platform implementer](https://github.com/cncf/tag-security/pull/246) -| Policy formal verification overview | 10 Sept 2019 | [Documentation](https://github.com/cncf/tag-security/pull/242) -| First Security Assessment | May 2019 | [In-toto](https://github.com/cncf/tag-security/pull/202) | -| Updated Charter and Governance ratified by CNCF TOC | 7 May 2019 | [New repo](https://github.com/cncf/tag-security/tree/main/governance) | -| First cut security audit guidelines | 2 May 2019 | [Guidelines](https://github.com/cncf/tag-security/pull/125) | -| Moved SAFE WG to CNCF | 15 Apr 2019 | [Repo rename](https://github.com/cncf/tag-security/pull/148) | -| CNCF WG proposal | 21 Aug 2018 | [CNCF TAG-Security charter and roles](https://github.com/cncf/toc/pull/146) | -| Policy WG merged | 10 Aug 2018 | 
[Merging policy WG](https://github.com/cncf/tag-security/blob/main/policy-wg-merging.md) | -| First KubeCon Presentations | 2-4 May 2018 | [Intro](https://kccnceu18.sched.com/event/ENw3/safe-wg-intro-jeyappragash-j-j-padmeio-ray-colline-google-any-skill-level) and [deep dive](https://kccnceu18.sched.com/event/ENw5/safe-wg-deep-dive-ray-colline-google-intermediate-skill-level) | -| Personas & use cases | 20 Apr 2018 | [Shared doc into repo markdown](https://github.com/cncf/tag-security/pull/16) -| Initial Commit for SAFE repo | 13 Mar 2018 | [First commit](https://github.com/cncf/tag-security/commit/fe999bd637456ade5e6cc8866d0db4107a0d9778) | -| Informal discussions at Kubecon Austin | Dec 2017 | Meeting with CNCF community and gathering feedback | diff --git a/supply-chain-security/README.md b/supply-chain-security/README.md deleted file mode 100644 index f0df0cc8b..000000000 --- a/supply-chain-security/README.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Software Supply Chain - -Supply chain compromises are a powerful attack vector. In cloud native -deployments everything is software-defined, so there is increased risk when -there are vulnerabilities in this area. If an attacker controls the supply -chain, they can potentially reconfigure anything in an insecure way. - -## What are supply chain vulnerabilities and their implications? - -The [Catalog of Supply Chain Compromises](./compromises) provides real-world -examples that help raise awareness and provide detailed information that -let's us understand attack vectors and consider how to mitigate potential -risk. - -## On mitigating vulnerabilities - -There is on-going work to establish best practices in this area. The list of -[types of supply chain compromises](./compromises/compromise-definitions.md) -in the [catalog of supply chain compromises](./compromises) suggests some -mitigation techniques for the more well understood categories. - -## Supply chain security paper - -STAG (Security Technical Advisory Group) has put work into a comprehensive -software supply chain paper highlighting best practices for high and medium risk -environments. Please check out -[the paper](./supply-chain-security-paper/sscsp.md) -and corollary -[secure supply chain assessment document](./supply-chain-security-paper/secure-supply-chain-assessment.md) -to learn more. - -For information about contributing to the document or providing feedback, please -refer to the [README](./supply-chain-security-paper/README.md). diff --git a/website/Makefile b/website/Makefile index 2b44b1512..051a99512 100644 --- a/website/Makefile +++ b/website/Makefile 
@@ -4,12 +4,13 @@ deps: # Move select content from the root level into the website directory. rsync -avv ../ root/ \ --include='governance' --include='governance/**' \ - --include='publications' --include='publications/**' \ + --include='community/publications' --include='community/publications/**' \ --include='community' --include='community/**' \ --include='*.md' --exclude='*' # Move over content such as graphics and logos - rsync -av '../design/' 'static/design/' --exclude='#*' + mkdir -p static/community/resources/design/ + rsync -av '../community/resources/design/' 'static/community/resources/design/' --exclude='#*' # Update all imported markdown files to work as standalone hugo pages (except READMEs, see below) # sed command is configured for the Netlify ubuntu env @@ -75,4 +76,4 @@ clean: @git clean -f . @rm -rf public resource @find root/* -type f ! -name '*.gitkeep' -print0 | xargs -0 rm -v - @echo "Finished removing anything residual" + @echo "Finished removing anything residual" \ No newline at end of file
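Review bot: in the first `website/Makefile` hunk the added `--include='community/publications' --include='community/publications/**'` pair is redundant, because the unchanged `--include='community' --include='community/**'` on the very next line already matches `community/publications` and everything below it (rsync's `**` matches across path separators). Either drop the two new include patterns or, if the intent was to narrow what is pulled from `community/`, replace the `community/**` include rather than adding to it. The `mkdir -p static/community/resources/design/` before the second rsync is correct, since rsync only creates the final path component and the new destination is several levels deep.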
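Review bot: the second `website/Makefile` hunk (`@@ -75,4 +76,4 @@ clean:`) changes nothing except removing the trailing newline after `@echo "Finished removing anything residual"`, as the `\ No newline at end of file` marker on the `+` side shows. Restore the final newline so the file keeps a POSIX line ending and this hunk disappears from the diff.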
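Review bot: the `roadmap.md` deletion hunk removes the Completed milestone table (dates, TOC approval threads, review and PR links) without anything visible in this diff moving it elsewhere; if the roadmap is being retired, consider relocating that history into the website content or governance docs instead of dropping it. Note also that its "Policy WG merged" row links `blob/main/policy-wg-merging.md`, which this same patch deletes, so any copy of the table that survives needs that link updated.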
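Review bot: the `supply-chain-security/README.md` deletion removes the landing page that links the compromise catalog (`./compromises`, `./compromises/compromise-definitions.md`) and the supply chain paper and assessment document under `./supply-chain-security-paper/`; no replacement index or redirect is added in this diff. Confirm those documents are still reachable from wherever the content now lives, and check inbound links to this README elsewhere in the repo and website.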