[Security Review] WasmEdge

[dm4]

The WasmEdge team would like to initiate the CNCF TAG-Security Security Assessment (TSSA) process.

Project Name: WasmEdge
Github URL: https://github.com/WasmEdge/WasmEdge
CNCF project stage and issue: cncf/toc#1316 (sandbox)
Security Provider: No

• Identify team
  • Project security lead @hydai
  • Lead security reviewer @JustinCappos
  • 1 or more additional reviewer(s) @victorjunlu @mnm678 @entlein Observers: @camilaavilarinho @matthewflannery
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by facilitator on reviewer conflicts
• Create slack channel #sec-assess-wasmedge
• Project lead provides draft document (GDoc version, Markdown PR)
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /community/assessments/projects/wasmedge (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[JustinCappos]

We have three other assessments ongoing. We'll likely have the bandwidth for this in early September.

Who will be the project lead from your side?

[hydai]

Hi @JustinCappos
I am a WasmEdge maintainer1, and I am going to be the project lead.
Since dm4 is OOO this week, I am submitting the self-assessment instead.

[hydai]

Hi @JustinCappos

Is there anything else I should do before you start the review process, such as rebasing the PR?

[JustinCappos]

Where is the self assessment document at? You can update this issue to include a link.

[hydai]

Where is the self assessment document at? You can update this issue to include a link.

Here is the PR: https://github.com/cncf/tag-security/pull/1343/files
Please feel free to let me know if you need more materials for the review process. Thanks.
Cc @dm4 Please check the draft document item.

[JustinCappos]

Okay, thanks. I updated the issue description. Depending on who the assessment lead is, they may prefer that you have something in a google doc so that it is easier for folks to iterate quickly on comments. If so, don't worry at all about the formatting, etc. Just get the content there so people can work on it. We have the assessment of dragonfly on-going. I'll try to get a team together for your project while that is on-going. Certainly, we should be able to start when that finishes or stalls, if nothing else.

…

On Fri, Sep 20, 2024 at 8:39 AM hydai ***@***.***> wrote: Where is the self assessment document at? You can update this issue to include a link. Here is the PR: https://github.com/cncf/tag-security/pull/1343/files Please feel free to let me know if you need more materials for the review process. Thanks. Cc @dm4 <https://github.com/dm4> Please check the draft document item. — Reply to this email directly, view it on GitHub <#1337 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGROD64LYJGATUEA3PI2PLZXQJRVAVCNFSM6AAAAABLZZWKDOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRTGY2DIMZWGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dm4]

I just created a Google Doc to help us collaborate and edit files more easily. Thank you for your help.

https://docs.google.com/document/d/1Mv2AZRwkJjsjoputCyg_IuPk5gfFhQJuCx2fVigkic0/edit

[dm4]

Just checking in to see if there are any updates on the security review for WasmEdge. Please let us know if there's anything else we can provide to help with the process. Thank you for your assistance and support.

[JustinCappos]

Okay, we need to recruit a group to do this assessment. We have an assessment ongoing currently, OSS Summit Japan is happening now and KubeCon NA is in 2 weeks. I think most likely this will not happen until after KubeCon NA. Sorry for the delay!

[victorjunlu]

I am interested as a participant.

[JustinCappos]

Great, @victorjunlu . Would you please read the guidelines and assert if you have a conflict?

[JustinCappos]

I'd also like to volunteer to be a security reviewer. I have no hard or soft conflicts.