Social Code Scanning
2017-05-24 Barcelona
Maurizio Pillitu, DevOps Director, Symphony Software Foundation
@maoo [email protected]
Analysing code, together
Social Code Scanning - our first event!
✓ What is it
Hands-on code workshop to analyse the quality, security and legal aspects of your code
Quick intro on how to analyse and measure
Networking, pizza and beers are on us
✓ Who’s behind
Organised by the Symphony Software Foundation
Hosted by CodeWorks Barcelona
✓ Requirements - none
1/23
The Symphony Software Foundation
✓ Non-profit organisation that fosters an open source community and
developer ecosystem for financial services
✓ Leverages Symphony* and other open source platforms to drive
inter-firm collaboration
✓ Open
Governance - Board of Directors, Engineering Steering Committee
Standards - Working Groups
Source - github.com/symphonyoss
2/23
Today’s takeaways
1. Understand
If/when to analyse your code
Common scenarios
2. Try
Analysing your code
Commonly adopted tools
3. Ask
Share doubts, questions
3/23
Why analyze code?
1. To know your codebase
Your code is a puzzle, and only a few of the pieces are actually made by you
Code modularity constantly increases (more, smaller pieces)
Platforms and technologies (i.e. runtimes) evolve fast, opening the door to new potential exploits
Open source constitutes a massive, publicly available repository of pieces
2. Your customers (or consumers) deserve to know
Nobody wants to consume insecure or buggy code
Highly regulated (e.g. financial services) and mission-critical (e.g. aerospace) industries
cannot afford quality, security or legal exposure #dealbreaker
4/23
Security
Why measure security?
1. Protect your data #atrest #intransit
2. Protect your servers
3. ...
5/23
What to measure
1. Query CVE databases
http://cve.mitre.org/
https://www.exploit-db.com/ #offsec #kalilinux #mrrobot
https://nvd.nist.gov/ #usgov
2. Code patterns
HTTP vs HTTPS
Hardcoded keys and passwords
Anti-patterns
3. Guidelines (manual)
6/23
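The "code patterns" items above (plaintext HTTP, hardcoded keys and passwords) are what a pattern scanner looks for before any CVE lookup happens. The following is an added example, not code from the deck or from any of the tools it names: a small scanner whose rule regexes, entropy threshold, loopback allow-list and sample input are all this example's own assumptions. It reports the variable name and the entropy of a hardcoded credential rather than the value itself, skips templated values such as `${DB_PASSWORD}`, and ignores comment lines.

```python
"""Added example (not code from the deck or from any tool it names): a small
pattern scanner for the 'code patterns' slide -- plaintext HTTP endpoints,
hardcoded keys/passwords and private-key material. All rule regexes,
thresholds and the sample file below are this example's own assumptions."""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int
    detail: str


HTTP_URL = re.compile(r"\bhttp://[^\s\"'<>)]+", re.IGNORECASE)
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key id format
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# an identifier ending in password/secret/api_key/token assigned a quoted literal of 6+ chars
CREDENTIAL = re.compile(
    r"([A-Za-z0-9_.\-]*(?:password|passwd|secret|api[_-]?key|token))\s*[:=]\s*[\"']([^\"']{6,})[\"']",
    re.IGNORECASE,
)
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")  # base64/hex-looking literals
LOOPBACK = ("http://localhost", "http://127.0.0.1", "http://[::1]")  # dev endpoints, allowed


def shannon_entropy(value: str) -> float:
    """Bits per character: random secrets score high, placeholders like 'xxxx' score 0."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_templated(value: str) -> bool:
    """'${VAR}', '{{ var }}' and '<placeholder>' reference a secret rather than contain one."""
    return value.startswith(("${", "{{", "<", "%("))


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # a URL or example value in a comment is not a transport or credential choice
        reported = set()  # literals already attributed to a specific rule on this line
        for m in HTTP_URL.finditer(line):
            if not m.group(0).lower().startswith(LOOPBACK):
                findings.append(Finding("plaintext-http", lineno, m.group(0)))
        for m in AWS_KEY_ID.finditer(line):
            reported.add(m.group(0))
            findings.append(Finding("aws-access-key-id", lineno, m.group(0)))
        if PRIVATE_KEY.search(line):
            findings.append(Finding("private-key-material", lineno, stripped[:31]))
        for m in CREDENTIAL.finditer(line):
            name, value = m.group(1), m.group(2)
            if is_templated(value):
                continue
            reported.add(value)
            # report the variable name and the entropy, never the secret itself
            findings.append(Finding("hardcoded-credential", lineno,
                                    f"{name} (entropy {shannon_entropy(value):.2f})"))
        for m in STRING_LITERAL.finditer(line):
            value = m.group(1)
            if value not in reported and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding("high-entropy-string", lineno, value[:8] + "..."))
    return findings


# Constructed sample file (a config module); none of these values are real credentials.
SAMPLE_SOURCE = """\
# constructed sample for the scanner, not code from any real project
API_BASE = "https://api.example.com/v1"
LEGACY_BASE = "http://legacy.example.com/v1"
DEV_BASE = "http://localhost:8080"
db_password = "${DB_PASSWORD}"
admin_password = "correct horse battery staple"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
session_token = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsT"
padding = "xxxxxxxxxxxxxxxxxxxxxxxx"
BLOB = "zYxWvUtSrQpOnMlKjIhGfEdCbA0123456789"
-----BEGIN RSA PRIVATE KEY-----
"""


def scan_sample() -> List[Finding]:
    return scan_text(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
```

Run over the constructed sample it flags the legacy `http://` endpoint but not the loopback one, the two real credentials but not the `${DB_PASSWORD}` reference, the AWS key id, the high-entropy blob, and the PEM header. Such regexes are a first pass only; the continuous scanners listed on the next slide are where this check belongs long term.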
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
NodeSecurity
7/23
Quality
Why measure quality?
1. Know when quality lowers (and where)
2. Say bye to regressions
3. Focus on (new) code #boostproductivity
4. ....
8/23
What to measure
1. Project
Activity
Commits (codebase activity)
Bugs - opened vs fixed
Inter-firm collaboration #bus-factor
Documentation
User manual
Installation manual
Roadmap
9/23
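The activity items above can be measured straight from the commit log. As an added example (not code from the deck), the script below takes a constructed `git log --format=%ae` sample, counts commits per author and per firm (attributing a commit to a firm by the author's e-mail domain, an assumed convention), and computes the bus factor at both levels; the ">50% of commits" definition of bus factor is this example's choice.

```python
"""Added example (not from the deck): commit activity per author and per firm,
and the bus factor at both levels. The log is a constructed `git log --format=%ae`
sample, not a real repository; e-mail domain as firm is an assumed convention."""
from collections import Counter
from typing import Dict

# Constructed author e-mails, one line per commit.
SAMPLE_LOG = """\
alice@bank-a.example
bob@bank-a.example
alice@bank-a.example
carol@bank-b.example
alice@bank-a.example
alice@bank-a.example
dave@vendor-c.example
bob@bank-a.example
carol@bank-b.example
alice@bank-a.example
"""


def firm_of(email: str) -> str:
    """Attribute a commit to a firm by the author's e-mail domain (assumed convention)."""
    return email.rsplit("@", 1)[-1].lower()


def bus_factor(counts: Counter) -> int:
    """Smallest number of contributors whose commits together exceed half the total:
    lose that many people (or firms) and most of the project's knowledge goes with them."""
    total = sum(counts.values())
    covered = 0
    for rank, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered * 2 > total:
            return rank
    return len(counts)


def analyse_log(log_text: str) -> Dict[str, object]:
    authors = [line.strip().lower() for line in log_text.splitlines() if line.strip()]
    if not authors:
        return {"commits": 0, "authors": 0, "firms": 0,
                "bus_factor_people": 0, "bus_factor_firms": 0,
                "top_firm": None, "top_firm_share": 0.0}
    by_author = Counter(authors)
    by_firm = Counter(firm_of(a) for a in authors)
    top_firm, top_firm_commits = by_firm.most_common(1)[0]
    return {
        "commits": len(authors),
        "authors": len(by_author),
        "firms": len(by_firm),
        "bus_factor_people": bus_factor(by_author),
        "bus_factor_firms": bus_factor(by_firm),
        "top_firm": top_firm,
        # share of all commits made by the dominant firm: a direct read on inter-firm collaboration
        "top_firm_share": round(top_firm_commits / len(authors), 2),
    }


if __name__ == "__main__":
    for key, value in analyse_log(SAMPLE_LOG).items():
        print(f"{key:<18} {value}")
```

On the sample, four authors from three firms share ten commits, but two people and a single firm already account for more than half of them, which is the kind of concentration the #bus-factor item is meant to surface.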
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
CodeClimate
10/23
Legal
Why care about legal compliance?
1. Respect the rights of open source contributors
a. Appropriate attribution
b. Reciprocal (copyleft) licensing requirements
2. Avoid intellectual property infringement
a. Copyrights
b. Patents
3. Demonstrate due diligence (aka build trust)
a. Especially relevant for highly regulated industries #consumption #contribution
b. Avoid concerns in event of acquisition
11/23
What to measure
1. Outbound - choose the right license
a. Proprietary
b. Open source
i. Permissive
ii. Copyleft
iii. Weak copyleft
iv. Public domain
2. Inbound - dependencies (for bundled software)
a. Look for licenses included in the codebase
12/23
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
2. Automated/continuous scanning
BlackDuck / OpenHub
Fossa
WhiteSource
VersionEye
FOSSology
13/23
Open source common misunderstandings
1. It’s public on GitHub and no license is defined, ergo it’s open source
■ Quite the opposite: with no license, the default is "all rights reserved", which covers use and
redistribution, for both personal and commercial purposes
2. No license is defined… contributions are welcome!
■ Without a contribution policy, the license sets the terms for collaboration
3. I defined a LICENSE file, I’m fine
■ If you use dependencies, you must check their licenses and make sure they don’t
conflict with your outbound license
4. I have 2 direct dependencies and their licenses are OK, I’m fine
■ Careful about transitive dependencies!
14/23
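The inbound check from the "What to measure" slide and misunderstandings 1, 3 and 4 above come down to one walk over the dependency tree. As an added example (not code from the deck or from any of the tools it names), the script below walks a package-lock-style nested tree, classifies each license into the deck's categories, lists the packages whose notices must ship with the bundle, and flags a dependency with no license at all (all rights reserved) and a strong-copyleft dependency arriving transitively under a permissive or proprietary outbound license. The category table, the policy rules and the sample tree are this example's own simplified assumptions.

```python
"""Added example (not from the deck or any tool it names): classify inbound
licenses and flag the traps listed on the 'misunderstandings' slide.
The category table, policy rules and sample tree are simplified assumptions."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Deck categories for a handful of SPDX identifiers (assumed, not a complete table).
CATEGORY: Dict[str, str] = {
    "MIT": "permissive", "ISC": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "copyleft", "GPL-3.0-only": "copyleft", "AGPL-3.0-only": "copyleft",
    "CC0-1.0": "public-domain", "Unlicense": "public-domain",
    "UNLICENSED": "proprietary",  # npm's marker for code not offered under any public license
}


class Issue(NamedTuple):
    path: str                 # dependency chain from the root, e.g. "app > map-utils > geo-core"
    license: Optional[str]
    severity: str             # "block" or "review"
    reason: str


def check_tree(pkg: dict) -> Tuple[List[Issue], List[str]]:
    """Return (issues, attributions) for a package.json/lock-style nested tree.
    Attributions are packages whose license notices must be shipped with the bundle."""
    outbound = pkg.get("license")
    outbound_cat = CATEGORY.get(outbound, "unknown")
    issues: List[Issue] = []
    attributions: List[str] = []

    def walk(name: str, node: dict, path: str) -> None:
        lic = node.get("license")
        cat = CATEGORY.get(lic, "unknown") if lic else "none"
        if cat == "none":
            # no license field or file: "all rights reserved", so use and redistribution are not granted
            issues.append(Issue(path, None, "block", "no license: all rights reserved by default"))
        elif cat == "unknown":
            issues.append(Issue(path, lic, "review", "license not in the policy table: check it manually"))
        elif cat == "copyleft" and outbound_cat != "copyleft":
            # reciprocal terms reach the whole distributed work, however deep the dependency sits
            issues.append(Issue(path, lic, "block",
                                f"strong copyleft bundled under {outbound}: reciprocal terms apply to the whole work"))
        elif cat in ("permissive", "weak-copyleft"):
            attributions.append(f"{name} ({lic})")
            if cat == "weak-copyleft":
                issues.append(Issue(path, lic, "review",
                                    "weak copyleft: changes to the library itself must be released under its license; check linking terms"))
        for child, sub in node.get("dependencies", {}).items():
            walk(child, sub, f"{path} > {child}")

    for child, sub in pkg.get("dependencies", {}).items():
        walk(child, sub, f"{pkg['name']} > {child}")
    return issues, attributions


# Constructed dependency tree (package-lock style), not a real project.
SAMPLE_TREE = {
    "name": "app", "license": "MIT",
    "dependencies": {
        "fast-json": {"license": "MIT", "dependencies": {}},
        "map-utils": {"license": "Apache-2.0", "dependencies": {
            "geo-core": {"license": "GPL-3.0-only", "dependencies": {}},   # copyleft, two levels down
            "shape-io": {"license": "LGPL-2.1-only", "dependencies": {}},
        }},
        "tiny-log": {"dependencies": {}},  # no license field at all
    },
}


if __name__ == "__main__":
    found, notices = check_tree(SAMPLE_TREE)
    for issue in found:
        print(f"[{issue.severity}] {issue.path}: {issue.license} -> {issue.reason}")
    print("ship notices for:", ", ".join(notices))
```

On the sample, the two direct dependencies with a license look fine on their own (misunderstanding 4), yet the walk blocks on `geo-core` two levels down and on `tiny-log`, which has no license and therefore grants nothing (misunderstanding 1). The same GPL dependency is not a conflict when the outbound license is itself copyleft, which is why the check reads the root's license first.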
Wrapping up
General remarks
1. Keep it simple
2. Understand requirements
3. Manage expectations
4. Use the right tool….
Useful resources
symphonyoss.atlassian.net/wiki
choosealicense.com
15/23
Let’s see some action!
Google Map Polygon Filter
React component that lets you draw a draggable polygon on a Google
Map and extract the locations within that area.
18/23
Google Map Polygon Filter
Scanning with VersionEye
19/23
Google Map Polygon Filter
bcrypt-pbkdf - upgrade to 1.0.1
20/23
Traffic Alarm
React Native alarm that adapts to the traffic situation
21/23
Traffic Alarm
Scanning with VersionEye
https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses
22/23
Traffic Alarm
Reading GoogleMaps Terms of Service
23/23