
Node.js Security WorkGroup Meeting 2023-03-16 #905

Closed
mhdawson opened this issue Mar 13, 2023 · 6 comments · Fixed by #911

@mhdawson
Member

Time

UTC Thu 16-Mar-2023 14:00 (02:00 PM):

Timezone Date/Time
US / Pacific Thu 16-Mar-2023 07:00 (07:00 AM)
US / Mountain Thu 16-Mar-2023 08:00 (08:00 AM)
US / Central Thu 16-Mar-2023 09:00 (09:00 AM)
US / Eastern Thu 16-Mar-2023 10:00 (10:00 AM)
EU / Western Thu 16-Mar-2023 14:00 (02:00 PM)
EU / Central Thu 16-Mar-2023 15:00 (03:00 PM)
EU / Eastern Thu 16-Mar-2023 16:00 (04:00 PM)
Moscow Thu 16-Mar-2023 17:00 (05:00 PM)
Chennai Thu 16-Mar-2023 19:30 (07:30 PM)
Hangzhou Thu 16-Mar-2023 22:00 (10:00 PM)
Tokyo Thu 16-Mar-2023 23:00 (11:00 PM)
Sydney Fri 17-Mar-2023 01:00 (01:00 AM)

Or in your local time:

Links

Agenda

Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

nodejs/security-wg

  • Permission Model - Roadmap #898
  • Improve SecurityWG Scorecard #884
  • Automate security release process #860
  • Assessment against best practices (OpenSSF Scorecards ...) #859
  • Discussion about policy-integrity integration on Windows #856
  • Add OSSF Scorecard #851
  • Automate updates of all dependencies #828

nodejs/nodejs-dependency-vuln-assessments

  • Recursive support on Node.js dependencies #89

Invited

  • Security wg team: @nodejs/security-wg

Observers/Guests

Notes

The agenda comes from issues labelled with security-wg-agenda across all of the repositories in the nodejs org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

https://zoom.us/j/92309450775

  • link for participants: <>
  • For those who just want to watch: we stream our conference call straight to YouTube so anyone can listen to it live. It should start playing at https://www.youtube.com/c/nodejs+foundation/live when we turn it on. There's usually a short cat-herding time at the start of the meeting, and then occasionally we have some quick private business to attend to before we can start recording & streaming. So be patient and it should show up.
  • youtube admin page: https://www.youtube.com/my_live_events?filter=scheduled
mhdawson self-assigned this Mar 13, 2023
@varunsh-coder

Hello, I am a co-founder of StepSecurity and plan to attend the next Node.js Security WG meeting. I want to demo a solution to automate remediations to increase Scorecard score using a pull request if there is time. This has already been used by many open-source repositories and is also being used by the Eclipse Foundation. Looking forward to the meeting! Thanks!

@bmeck
Member

bmeck commented Mar 15, 2023

I won't be around to discuss flags for MS integration tomorrow.

@fraxken
Member

fraxken commented Mar 16, 2023

arf missed the meeting, didn't see that the time changed 😅

@naugtur

naugtur commented Mar 16, 2023

Oh no, it's DST in some timezones now 🤦‍♂️

@RafaelGSS
Member

Sorry, I should have pinged in the #nodejs-security-wg Slack channel.

@varunsh-coder

I wanted to follow up on a few things discussed in today's meeting.

  1. To add a direct link to the markdown to analyze and create a PR to increase the Scorecard score, you can use this format: http://app.stepsecurity.io/securerepo?repo=nodejs/docker-node. The repo can be specified using the repo query string.
  2. Analysis of https://github.com/nodejs/node is timing out currently since it has too many workflows. This should be fixed soon.
  3. We have an open issue to sign commits created using the bot account - we will prioritize this.
  4. w.r.t. the dashboard that I had demoed for the Node.js org, access has been granted to RafaelGSS, UlisesGascon, mhdawson, and fraxken, in case you want to check it out. We will work on granting access based on team membership.
  5. I will also follow up on the Scorecard code review check to understand when the finding auto-closes in the code scanning UI.

Thanks!
