Social Code Scanning

Upload: symphony-software-foundation

Post on 23-Jan-2018

TRANSCRIPT

Page 1: Social Code Scanning

Social Code Scanning
2017-05-24 Barcelona

Maurizio Pillitu
Devops Director, Symphony Software Foundation

@maoo [email protected]

Analysing code, together

Page 2: Social Code Scanning

Social Code Scanning - our first event!

✓ What is it
  ■ Hands-on-code workshop to analyse quality, security and legal aspects of your code
  ■ Quick intro on how to analyse and measure
  ■ Networking, pizza and beers are on us

✓ Who’s behind
  ■ Organised by the Symphony Software Foundation
  ■ Hosted by CodeWorks Barcelona

✓ Requirements - none

1/23

Page 3: Social Code Scanning

The Symphony Software Foundation

✓ Non-profit organisation to foster an open source community and developer ecosystem for the financial services

✓ Leverages Symphony* and other open source platforms to drive inter-firm collaboration

✓ Open
  ■ Governance - Board of Directors, Engineering Steering Committee
  ■ Standards - Working Groups
  ■ Source - github.com/symphonyoss

Page 4: Social Code Scanning

Today’s takeaways

1. Understand
  ■ If/when to analyse your code
  ■ Common scenarios

2. Try
  ■ Analysing your code
  ■ Commonly adopted tools

3. Ask
  ■ Share doubts, questions

Page 5: Social Code Scanning

Why analyze code?

1. To know your codebase
  ■ Your code is a puzzle; few tiles are actually made by you
  ■ Code modularity constantly increases (more, smaller tiles)
  ■ Platforms and technologies (i.e. runtimes) evolve fast, opening the door to new potential exploits
  ■ Open source constitutes a massive, publicly available tile repository

2. Your customers (or consumers) deserve to know
  ■ Nobody wants to consume insecure/buggy code
  ■ Highly-regulated (e.g. financial services) and mission-critical (e.g. aerospace) industries cannot afford quality/security/legal exposure #dealbreaker

Page 6: Social Code Scanning

Security

Page 7: Social Code Scanning

Why measure security?

1. Protect your data #atrest #intransit

2. Protect your servers

3. ...


Page 8: Social Code Scanning

What to measure

1. Query CVE databases
  ■ http://cve.mitre.org/
  ■ https://www.exploit-db.com/ #offsec #kalilinux #mrrobot
  ■ https://nvd.nist.gov/ #usgov

2. Code patterns
  ■ http VS https
  ■ Hardcoded keys and passwords
  ■ Anti-patterns

3. Guidelines (manual)
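The two code patterns named on this slide (plain http versus https, and hardcoded keys or passwords) are the kind of thing a regex-based scan can catch before a human review. The following is an added example, not code from the slides or from the Symphony Software Foundation: a minimal scanner in JavaScript (the demo projects later in the deck are React/React Native) that runs two such rules over source text and reports line-numbered findings. The rule names, the regexes and the sample source are all constructed for illustration, and the rules are heuristics: expect both false positives and false negatives, and treat a match as something to confirm, not a verdict.

```javascript
// Added example, not from the slides: a minimal regex-based scanner for the two
// "code patterns" named above, plain-http URLs and hardcoded credentials.
// It is a heuristic first filter (expect false positives/negatives); matches
// still need a human to confirm them.

const RULES = [
  {
    id: 'plain-http',
    description: 'http:// URL where https:// is expected',
    // ignore loopback addresses, which are normally dev-only
    pattern: /\bhttp:\/\/(?!localhost|127\.0\.0\.1)[^\s'"`]+/,
  },
  {
    id: 'hardcoded-credential',
    description: 'credential-like name assigned a string literal of 4+ chars',
    // name, optional closing quote (JSON keys), ':' or '=', then a quoted literal
    pattern: /(password|passwd|secret|api[_-]?key|token)['"]?\s*[:=]\s*['"`][^'"`]{4,}['"`]/i,
  },
];

// Returns one finding per (line, rule) pair; line numbers are 1-based.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: index + 1, rule: rule.id, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input (not a real codebase); comments mark the expected outcome.
const SAMPLE_SOURCE = [
  "const API_BASE = 'http://api.example.com/v1';",  // flagged: plain-http
  "const LOCAL_DEV = 'http://localhost:3000';",      // not flagged (loopback)
  "const SECURE = 'https://api.example.com/v1';",    // not flagged
  'const apiKey = "sk_live_placeholder_not_real";',  // flagged: hardcoded-credential
  'const dbPassword = process.env.DB_PASSWORD;',     // not flagged (read from env)
  '{ "password": "hunter2-example" }',               // flagged: hardcoded-credential
].join('\n');

const findings = scanSource(SAMPLE_SOURCE);
for (const f of findings) {
  console.log(`line ${f.line} [${f.rule}]: ${f.text}`);
}
```

Running it on the constructed sample reports three findings (lines 1, 4 and 6). In practice such a scan sits in CI as a cheap gate in front of the heavier tools listed on the next slide; the loopback exclusion and the minimum literal length are the two knobs that most affect noise.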

Page 9: Social Code Scanning

How to measure

1. One-off (manual) scanning
  ■ Read your code
  ■ Know your libraries
  ■ Follow guidelines

2. Automated/continuous scanning
  ■ BlackDuck
  ■ WhiteSource
  ■ SonarQube
  ■ NodeSecurity

Page 10: Social Code Scanning

Quality

Page 11: Social Code Scanning

Why measure quality?

1. Know when quality lowers (and where)

2. Say bye to regressions

3. Focus on (new) code #boostproductivity

4. ....


Page 12: Social Code Scanning

What to measure

1. Project
  ■ Activity
    - Commits (codebase activity)
    - Bugs - Opened VS Fixed
    - Inter-firm collaboration #bus-factor
  ■ Documentation
    - User manual
    - Installation manual
    - Roadmap

Page 13: Social Code Scanning

How to measure

1. One-off (manual) scanning
  ■ Read your code
  ■ Know your libraries
  ■ Follow guidelines

2. Automated/continuous scanning
  ■ BlackDuck
  ■ WhiteSource
  ■ SonarQube
  ■ CodeClimate

Page 14: Social Code Scanning

Legal

Page 15: Social Code Scanning

Why care about legal compliance?

1. Respect the rights of open source contributors
  a. Appropriate attribution
  b. Reciprocal (copyleft) licensing requirements

2. Avoid intellectual property infringement
  a. Copyrights
  b. Patents

3. Demonstrate due diligence (aka build trust)
  a. Targeted for highly regulated industries #consumption #contribution
  b. Avoid concerns in event of acquisition

Page 16: Social Code Scanning

What to measure

1. Outbound - choose the right license
  a. Proprietary
  b. Open source
    i. Permissive
    ii. Copyleft
    iii. Weak copyleft
    iv. Public domain

2. Inbound - dependencies (for bundled software)
  a. Look for licenses included in the codebase

Page 17: Social Code Scanning

How to measure

1. One-off (manual) scanning
  ■ Read your code
  ■ Know your libraries

2. Automated/continuous scanning
  ■ BlackDuck / OpenHub
  ■ Fossa
  ■ WhiteSource
  ■ VersionEye
  ■ FOSSology

Page 18: Social Code Scanning

Open source common misunderstandings

1. It’s public on GitHub, no license is defined, ergo it’s open source
  ■ Quite the opposite: no license defaults to "all rights reserved", including use and redistribution for personal and commercial purposes

2. No license is defined… contributions are welcome!
  ■ Without a contribution policy, the license sets the terms for collaboration

3. I defined a LICENSE file, I’m fine
  ■ If you use dependencies, you must check their licenses and make sure they don’t conflict with your outbound license

4. I have 2 direct dependencies and their license is ok, I’m fine
  ■ Careful about transitive dependencies!
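Points 3 and 4 above (check dependency licenses against your outbound license, and do not stop at direct dependencies), together with the "Inbound - dependencies" item on the earlier "What to measure" slide, describe a check that is mechanical once the dependency tree is known. The following is an added example, not code from the slides, the foundation, or any of the tools listed: it walks a constructed lockfile-style dependency tree in JavaScript, collects every transitive dependency with the path it entered through, and flags the cases the slide calls out, a missing license (defaults to all rights reserved), a copyleft license under a permissive outbound license, and a weak-copyleft license that needs a linking review. The license-family table is a deliberately simplified assumption covering a handful of SPDX identifiers, and the package names, versions and licenses are all made up.

```javascript
// Added example, not from the slides: resolve the full transitive dependency
// tree of a bundle and check each dependency's licence against the outbound
// licence. The tree and the licence-family table are constructed for illustration.

// Simplified licence-family table (assumption: only a handful of SPDX ids).
const LICENSE_FAMILY = {
  'MIT': 'permissive', 'ISC': 'permissive', 'BSD-3-Clause': 'permissive', 'Apache-2.0': 'permissive',
  'LGPL-2.1': 'weak-copyleft', 'MPL-2.0': 'weak-copyleft',
  'GPL-2.0': 'copyleft', 'GPL-3.0': 'copyleft', 'AGPL-3.0': 'copyleft',
  'CC0-1.0': 'public-domain', 'Unlicense': 'public-domain',
};

// Constructed lockfile-style tree: name -> { license, dependencies: { name: version } }.
// 'my-app' is the bundle being shipped; its licence is the outbound licence.
const PACKAGES = {
  'my-app':    { license: 'MIT',        dependencies: { 'map-lib': '2.3.0', 'alarm-kit': '0.9.1' } },
  'map-lib':   { license: 'Apache-2.0', dependencies: { 'geo-utils': '1.1.0' } },
  'alarm-kit': { license: 'MIT',        dependencies: { 'geo-utils': '1.1.0', 'tz-data': '3.0.0' } },
  'geo-utils': { license: 'LGPL-2.1',   dependencies: { 'polyclip': '0.4.2' } },
  'polyclip':  { license: 'GPL-3.0',    dependencies: {} },
  'tz-data':   { license: null,         dependencies: {} }, // no licence declared at all
};

// Breadth-first walk over the tree. Returns Map name -> path of ancestor names
// starting at the root, so a finding can say via which direct dependency it entered.
function collectTransitive(root, packages) {
  const seen = new Map();
  const queue = [[root, [root]]];
  while (queue.length > 0) {
    const [name, path] = queue.shift();
    const pkg = packages[name];
    if (!pkg) continue; // unresolved entry; a complete lockfile would not have these
    for (const dep of Object.keys(pkg.dependencies || {})) {
      if (seen.has(dep) || dep === root) continue; // already reached (diamond) or cycle back to root
      seen.set(dep, path);
      queue.push([dep, [...path, dep]]);
    }
  }
  return seen;
}

// Compare every transitive dependency's licence family with the outbound licence family.
function auditLicenses(root, packages) {
  const outbound = packages[root].license;
  const outboundFamily = LICENSE_FAMILY[outbound];
  const deps = collectTransitive(root, packages);
  const issues = [];
  for (const [name, path] of deps) {
    const license = packages[name].license;
    const family = LICENSE_FAMILY[license];
    const via = path.length > 1 ? path.slice(1).join(' > ') : 'direct';
    let kind = null;
    if (!license) {
      kind = 'no-license';        // no licence means all rights reserved, not "free to use"
    } else if (!family) {
      kind = 'unknown-license';   // not in our table: needs a human
    } else if (family === 'copyleft' && outboundFamily !== 'copyleft') {
      kind = 'copyleft-conflict'; // bundling would pull the whole work under copyleft terms
    } else if (family === 'weak-copyleft') {
      kind = 'review-linking';    // obligations depend on how the component is linked/modified
    }
    if (kind) issues.push({ package: name, license: license || 'none', kind, via });
  }
  return { outbound, dependencyCount: deps.size, issues };
}

const report = auditLicenses('my-app', PACKAGES);
console.log(`outbound ${report.outbound}, ${report.dependencyCount} transitive dependencies`);
for (const issue of report.issues) {
  console.log(`${issue.kind}: ${issue.package} (${issue.license}) via ${issue.via}`);
}
```

On the constructed tree the bundle has two direct and five transitive dependencies, and the audit reports three issues, none of which is visible from the direct dependencies alone: the GPL-3.0 package enters two levels down through map-lib and geo-utils, which is exactly the "careful about transitive dependencies" case on this slide.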

Page 19: Social Code Scanning

Wrapping up

Page 20: Social Code Scanning

General remarks

1. Keep it simple
2. Understand requirements
3. Manage expectations
4. Use the right tool…

Useful resources
  ■ symphonyoss.atlassian.net/wiki
  ■ choosealicense.com

Page 21: Social Code Scanning

Page 22: Social Code Scanning

Page 23: Social Code Scanning

Let’s see some action!

Page 24: Social Code Scanning

Google Map Polygon Filter

React component that allows drawing a draggable polygon on a Google Map and extracting the locations within that area.

Page 25: Social Code Scanning

Google Map Polygon Filter

Scanning with VersionEye


Page 26: Social Code Scanning

Google Map Polygon Filter

bcrypt-pbkdf - upgrade to 1.0.1


Page 27: Social Code Scanning

Traffic Alarm

ReactNative alarm that adapts to traffic situation


Page 28: Social Code Scanning

Traffic Alarm

Scanning with VersionEye

https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses


Page 29: Social Code Scanning

Traffic Alarm

Reading GoogleMaps Terms of Service


Page 30: Social Code Scanning

Thanks!

Maurizio Pillitu
Devops Director, Symphony Software Foundation

@maoo [email protected]