diff --git a/meetings/2024-01-18.md b/meetings/2024-01-18.md new file mode 100644 index 00000000..6638b90a --- /dev/null +++ b/meetings/2024-01-18.md @@ -0,0 +1,78 @@ +# Node.js Security Team Meeting 2024-01-18 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=WZxhzkmKmRg&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1196 +* **Minutes Google Doc**: https://docs.google.com/document/d/1Ca-cu-pfAxFnEcewEQYVP9u3AitS_PdTKy8m1B_5JTk/edit + +## Present + +* Ulises Gascon: @ulisesGascon +* Thomas GENTILHOMME: @fraxken +* Rafael Gonzaga: @RafaelGSS +* Adam Ruddermann: @rudd +* Michael Dawson: @mhdawson +* Marco Ippolito: @marco-ippolito +* Carlos Ayala: @CarlossAyala + +## Agenda + +## Announcements + +Rudd introduced himself as the new Security Engineer Champion at OpenJSF, and the team presented their latest initiatives and developments. +- Discussions around SBOMs: https://docs.google.com/document/d/1KfxNDP4LaKyD5TW3GNEL_VZuKdl9UzuTOfcKgZ3D3bY/edit#heading=h.j08u9xksrk9r +- OpenSSF Best Practices + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + +- [X] OpenSSF Scorecard Monitor Review + - Details in [issue](https://github.com/nodejs/security-wg/issues/1200) and [PR](https://github.com/nodejs/security-wg/pull/1201) + - 0.3 oscillation in Node and Nodejs.org due code review practices + - Oscillation in nodejs/llhttp is ignored due API processing errors + - No changes or actions are required + - Ulises to work on a PR to reduce the tracking repositories that are not relevant + + +### nodejs/security-wg + +* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs +[#1159](https://github.com/nodejs/security-wg/issues/1159) + * no updates + +* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149) + * no updates + +* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115) + * no updates + * removing from the agenda until further updates + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * undici summary https://github.com/nodejs/security-wg/issues/1037#issuecomment-1884518748 + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * No news from the OSSF regarding transferring issues + * Change made: added hash reference in the documentation https://github.com/nodejs/security-wg/pull/956/commits/3f496a89aa0d4a905f33d0bda0ef417f392e3070 + * Updated Gold proposal with last discussion agreements: https://github.com/nodejs/security-wg/pull/956/commits/91f35e74f87b95f1ce0f36f21bd660154a64831c + * Generated issues to follow up on the discussions outside the PR: + * The project MUST have FLOSS automated test suite(s) that provide at least 80% branch and 90% statement coverage: https://github.com/nodejs/security-wg/issues/1188 + * Secured delivery against man-in-the-middle (MITM) attacks: https://github.com/nodejs/security-wg/issues/1190 + * The project MUST include a license and copyright statement in each source file: https://github.com/nodejs/security-wg/issues/1187 + * Hardening mechanisms: https://github.com/nodejs/security-wg/issues/1186 + * Current expectation is to solve the discussions. + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Skipped + + + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +