From 19033ae3efdfade3ba22d9a6ec3ec7fdc37a13df Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 24 Nov 2023 09:01:56 -0300 Subject: [PATCH] doc: add meeting minutes 2023-11-23 (#1160) * doc: add meeting minutes 2023-11-23 * Update meetings/2023-11-23.md Co-authored-by: Marco Ippolito * Update meetings/2023-11-23.md Co-authored-by: Marco Ippolito --------- Co-authored-by: Marco Ippolito --- meetings/2023-11-23.md | 67 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 meetings/2023-11-23.md diff --git a/meetings/2023-11-23.md b/meetings/2023-11-23.md new file mode 100644 index 00000000..8a778949 --- /dev/null +++ b/meetings/2023-11-23.md @@ -0,0 +1,67 @@ +# Node.js Security Team Meeting 2023-11-23 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=ZKKyUVbPY24&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1154 +* **Minutes Google Doc**: https://docs.google.com/document/d/11l2KWrMIzywSj_seO_4Xl24_Wq_hTs0Rz1AKPjPiFJg/edit + +## Present + +* Rafael Gonzaga: @RafaelGSS +* Marco Ippolito: @marco-ippolito +* Ulises Gascon: @ulisesGascon +* Michael Dawson: @mhdawson +* Thomas GENTILHOMME: @fraxken +* Amir Montazery - @Amir-Montazery (https://github.com/ostif-org/OSTIF) +* Prabhu Subramanian - @prabhu (author of cdxgen tool) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues +- [X] OpenSSF Scorecard Monitor Review + - PR: https://github.com/nodejs/security-wg/pull/1158 + - resume: https://github.com/nodejs/security-wg/issues/1157 + +### nodejs/security-wg + +* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149) + * Skipped to the next meeting + +* Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting [#1145](https://github.com/nodejs/security-wg/issues/1145) + * Discussing fuzzing for Node.js and its dependencies such as llhttp. + * David will be a point of contact for fuzzing on Node.js in December + * Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs + * llhttp: https://github.com/google/oss-fuzz/tree/master/projects/llhttp + * Amir will take action to create an issue for fuzzing on Node.js, so David can share his updates and make it an official initiative of the security team. + * (Fuzzing has been discussed in the past: https://github.com/nodejs/security-wg/issues/435) + +* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115) + * Prabhu did a presentation on how we could generate the SBOMs in the CI + * Lifecycle of SBOMs + * Marco will get access to a machine for developing these materials locally as an experiement + +* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104) + * Skipped due to time + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Skipped due to time + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Skipped due to time + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * RafaelGSS and Ceres6 wrote the following PR https://github.com/nodejs/node/pull/50758 + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +