diff --git a/meetings/2023-05-25.md b/meetings/2023-05-25.md new file mode 100644 index 00000000..6d81e33f --- /dev/null +++ b/meetings/2023-05-25.md @@ -0,0 +1,80 @@ +# Node.js Security WorkGroup Meeting 2023-05-25 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=c-tMjOJawSI +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/994 +* **Minutes Google Doc**: https://docs.google.com/document/d/1SPbPePi7U7YnPmTeYA1aBNL-SZHOnGayLeF-ZPLhjIo/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Ulises Gascon: @ulisesGascon +* Marco Ippolito: @marco-ippolito +* Rafael Gonzaga: @RafaelGSS +* Ruy Adorno: @ruyadorno +* Michael Dawson: @mhdawson +* Laurent Simon: @laurentsimon +* Ashish Kurmi @ashishkurmi +* Andrea Fassina @fasenderos + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + +- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ +https://github.com/nodejs/security-wg/pull/1003 + +* Laurent showed a scorecard running via CLI with a granular report and custom checks + +### nodejs/security-wg + +* Nominate Ashish Kurmi [#989](https://github.com/nodejs/security-wg/issues/989) + * Invited and closed + +* Access to security tab in Github for key projects [#984](https://github.com/nodejs/security-wg/issues/984) + * This raises some security concerns once to get access to the security tab you will have access to security advisories, which is something we should avoid to a working group. + * Closed + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * marco, working on path.resolve in C++ to allow relative path in the CLI + * Discussion around env permissions + * the less you have access, the less you make mistakes - Dawson, Michael + * Michael made a point that env permissions isn’t different from file system permissions, considering a malicious package could read all the environment variables. + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * Rafael created https://github.com/nodejs/node-core-utils/pull/665 to automate security proposal PRs + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + +* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) + * skipped + +* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) + * 1 last dependency update left to be automated + * Andrea created 3 pull requests to improve dependency automation + * Marco opened a first draft pr on dependency updates backporting, might restrict the scope and focus only on OpenSSL + +* Requirement: It MUST be possible to configure the software so that smaller keylengths are completely disabled [#988](https://github.com/nodejs/security-wg/issues/988) +* Requirement: Secure development knowledge [#987](https://github.com/nodejs/security-wg/issues/987) +* Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days [#986](https://github.com/nodejs/security-wg/issues/986) +* Requirement: Static source code analysis daily or per commit [#985](https://github.com/nodejs/security-wg/issues/985) +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + + * https://github.com/nodejs/security-wg/pull/954 - please review + + +* Update Charter / Readme.md [#874](https://github.com/nodejs/security-wg/pull/874) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +