2020-08-14 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

Housekeeping - email, JIRA, etc

NO ACTION TAKEN - follow up in 2 weeks.


Email alias/address security@folio.org is still not working. Coordinating through Peter Murray, who is working with EBSCO on other address(es).

Jira configuration actions:

  • Can the Security Project be setup so that new issues automatically set the Security Level to FOLIO Security Group? 
    • Confirmed how to get this done - need to coordinate changes to permissions scheme and security scheme for the Security project with JIRA admin (some dependencies with other settings/projects).
    • Expect to complete week of July 27 (MDG OOO next week).
  • Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
    • Still investigating. The Security Level won't show unless it's set, and the field has to be configured to appear on the screen that the project uses (not the case for UXPROD).
    • Able to set for task, bug and epic.
  • Clarify and/or propose how we set a security level that allows access only to those who might need to know (i.e., the specific developers who might work on the issues)
    • Need to define who is part of the list. Currently an "external core contributors" group that has 178 members. The current Security Role of "Core FOLIO Team" points to this group.
    • Use the "Core FOLIO Team"
    • May not ever need a more restrictive group.
  • NEW ITEM: Figure out a tagging/other system to note which items this team discussed

Review open security issues (Team): Reviewed the open issues and made some adjustments.

NPM Package risks/analysis (Team)

Discussed potential vulnerabilities introduced through NPM packages and, more broadly, through Java and other languages that bring in third-party dependencies. Also discussed what types of code scanning might be possible or recommended: SonarCloud/SonarQube offers some of this, and some happens through GitHub, but are there other or better options?

Ryan volunteered to look at the JavaScript environment/front end.
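As an added illustration of the kind of NPM dependency check discussed above (this is example code written for these notes, not FOLIO project code or any tool mentioned here), the script below runs offline sanity checks over an npm lockfile. It assumes the lockfile v2/v3 layout, where a "packages" map lists every installed package with its "resolved" URL, "integrity" hash and a "hasInstallScript" flag; the sample lockfile embedded in it is constructed for illustration, and its package names and URLs are hypothetical.

```javascript
// Offline supply-chain sanity checks for an npm package-lock.json (v2/v3).
// Flags: packages resolved from somewhere other than the public registry,
// packages with no or weak (non-sha512) integrity hashes, and packages that
// run lifecycle install scripts. Example code for these notes, not project code.

const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Constructed sample lockfile; package names and URLs are hypothetical.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", dependencies: { "left-pad-ish": "1.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      integrity: "sha512-AAAAexampleAAAA",
    },
    "node_modules/mirror-dep": {
      version: "2.3.1",
      resolved: "https://mirror.example.internal/mirror-dep/-/mirror-dep-2.3.1.tgz",
      integrity: "sha512-BBBBexampleBBBB",
    },
    "node_modules/git-dep": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example/git-dep.git#abc123",
    },
    "node_modules/installer-dep": {
      version: "4.0.0",
      resolved: "https://registry.npmjs.org/installer-dep/-/installer-dep-4.0.0.tgz",
      integrity: "sha1-CCCCexampleCCCC",
      hasInstallScript: true,
    },
  },
};

// Returns a list of {rule, name, detail} findings for a parsed lockfile object.
function auditLockfile(lockfile) {
  if (!lockfile.packages) {
    // lockfileVersion 1 only has a nested "dependencies" tree; regenerate
    // with a current npm (lockfileVersion >= 2) before auditing.
    throw new Error("lockfile has no 'packages' map (lockfileVersion 1?)");
  }
  const findings = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    // "" is the root project; link entries are workspace symlinks; bundled
    // packages legitimately carry no resolved/integrity of their own.
    if (path === "" || pkg.link || pkg.inBundle) continue;
    const name = path.replace(/^.*node_modules\//, "");

    if (!pkg.resolved) {
      findings.push({ rule: "no-resolved", name, detail: "no resolved URL" });
    } else if (!pkg.resolved.startsWith(REGISTRY_PREFIX)) {
      findings.push({ rule: "non-registry-source", name, detail: pkg.resolved });
    }

    if (!pkg.integrity) {
      findings.push({ rule: "missing-integrity", name, detail: "no integrity hash; tarball contents are unpinned" });
    } else if (!pkg.integrity.startsWith("sha512-")) {
      findings.push({ rule: "weak-integrity", name, detail: pkg.integrity.split("-")[0] });
    }

    if (pkg.hasInstallScript) {
      findings.push({ rule: "install-script", name, detail: "runs preinstall/install/postinstall on npm install" });
    }
  }
  return findings;
}

// Audit a real lockfile when a path is given on the command line (CommonJS
// only); otherwise run the embedded sample.
if (typeof require === "function" && require.main === module && process.argv[2]) {
  const real = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  for (const f of auditLockfile(real)) console.log(`${f.rule}\t${f.name}\t${f.detail}`);
} else {
  for (const f of auditLockfile(SAMPLE_LOCKFILE)) console.log(`${f.rule}\t${f.name}\t${f.detail}`);
}
```

Run as `node audit-lockfile.js path/to/package-lock.json`; each finding is one tab-separated line for easy grepping in CI. The checks are deliberately offline: they catch tampering or drift in the lockfile itself (a dependency quietly re-pointed at a mirror or a git ref, a hash downgraded or dropped, a new install script), which is complementary to registry-backed advisory lookups such as `npm audit`.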