docs: discussions: Alice Engineering Comms: 2023-11-21T22:52:21+00:00

Signed-off-by: John Andersen <[email protected]>

docs/discussions/alice_engineering_comms/0243/reply_0000.md

@@ -242,4 +242,4 @@ if __name__ == "__main__":
 - https://docs.siliconcompiler.com/en/stable/user_guide/programming_model.html
 - TODO
   - [ ] Vuln disclosure form and OpenVEX in registry with JSON-LD linking to assets `FROM scratch` added with labels used to store schema manifest and to store comments from Dockerfile as README-esq in labels
-    - https://github.com/ossf/wg-vulnerability-disclosures/issues/94#issuecomment-1483184591
+    - https://github.com/ossf/wg-vulnerability-disclosures/issues/94#issuecomment-1483184591

docs/discussions/alice_engineering_comms/0444/reply_0001.md

@@ -151,6 +151,94 @@ skopeo copy docker://localhost:5000/ssh_public_keys/pdxjohnny dir:/tmp/ssh_publi
 ) > authorized_keys
 ```
 
+
+```python
+import os
+import json
+import asyncio
+import logging
+import pathlib
+import argparse
+import concurrent.futures
+
+import yaml
+
+
+logger = logging.getLogger(__file__)
+
+
+async def coro_for_loop_run_in_executor(loop, pool, non_async_func, *args):
+    return await loop.run_in_executor(pool, non_async_func, *args)
+
+
+async def search_sbom_for_deps_in_question(loop, tg, pool, root_dir, in_question, path):
+    sbom_as_dict = await tg.create_task(coro_for_loop_run_in_executor(loop, pool, lambda path: yaml.safe_load(pathlib.Path(path).read_text()), path))
+    if not isinstance(sbom_as_dict, dict):
+        return
+    packages = sbom_as_dict.get("packages", [])
+    if not isinstance(packages, list):
+        return
+    for package in packages.items():
+        version_info = package.get("versionInfo", None)
+        if version_info is None:
+            return
+        package_name = package.get("name", None)
+        if package_name is None:
+            continue
+        output = {
+            "path": str(path.relative_to(root_dir)),
+            "package_name": package_name,
+            "version_info": version_info,
+        }
+        logger.debug("Checking: %s", json.dumps(output))
+        if package_name in in_question:
+            print(json.dumps(output))
+
+
+async def main(
+    dir: str,
+    in_question: str,
+):
+    loop = asyncio.get_event_loop()
+
+    in_question = json.loads(pathlib.Path(in_question).read_text())
+
+    # Gather all YAML versions of SBOMs files
+    sbom_paths = list(pathlib.Path(dir).rglob("*.y[am]*l"))
+    with concurrent.futures.ThreadPoolExecutor(
+        max_workers=len(os.sched_getaffinity(0)) * 4
+    ) as pool:
+        async with asyncio.TaskGroup() as tg:
+            for i, path in enumerate(sbom_paths):
+                if not path.is_file():
+                    continue
+                while len(tg._tasks) >= pool._max_workers:
+                    await asyncio.sleep(0.05)
+                tg.create_task(
+                    search_sbom_for_deps_in_question(
+                        loop, tg, pool, dir, in_question, path
+                    )
+                )
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--dir", required=True, help="Root directory for searching SBOMs"
+    )
+    parser.add_argument(
+        "--in_question", required=True, help="File containing deps in question"
+    )
+    parser.add_argument(
+        "--log", required=False, help="Log level"
+    )
+    args = parser.parse_args()
+
+    logging.basicConfig(level=getattr(logging, args.log.upper(), logging.DEBUG))
+
+    asyncio.run(main(**vars(args)))
+```
+
 - TODO
   - [ ] Ensure `build_arg` quoting works as intended
   - [ ] For CWT issuer derive key from SSH private key and resolve via github ssh keys endpoint

docs/discussions/alice_engineering_comms/0450/reply_0001.md

@@ -0,0 +1,37 @@
+## 2023-11-13 SCITT Community List Ned on OAuth ADCR and SCITT
+
+On Mon, Nov 13, 2023 at 10:00 AM Smith, Ned <[email protected]> wrote:
+>
+> > From: John Andersen <[email protected]>
+> > Date: Monday, November 13, 2023 at 7:42 AM
+> > To: "[email protected]" <[email protected]>
+> > Cc: "Melara, Marcela" <[email protected]>, "Smith, Ned" <[email protected]>
+> > Subject: Re: [scitt-community] Standalone version of scitt-emulator client create-statement
+> >
+> > IMHO we move towards farther towards decentralized trust when we combine build metadata referenced in statements to federated instances with OAuth ADCR approach. As TS + policy engine would have the information it needs to act as a RATS Verifier, where the passport is a receipt.
+>
+>  
+>
+> I’m not sure I agree in principle that an OAuth “Attestation Provider” (i.e., RATS Verifier) has the same semantics as a SCITT TS. I think the desire is for a TS receipt to say: “I witnessed this signature operation”. In a RATS Verifier, the TS watches the RATs Verifier use its key to sign the Attestation Results. In a TPM, it watches the Attester sign Evidence.
+>
+>  
+>
+> I’m still not convinced that the SCITT TS can say this however, unless it is tightly integrated with the signer in such a way that it can observe the signing operation directly (but without observing the key material or other secrets). I don’t know of any technology that does this! Hence, the TS isn’t saying “I witnessed this signature operation”, it can only say “I witnessed this signature”. There is a big difference IMHO. The latter just means the signed artifact was logged (and the signer identity was checked, maybe signer authorization was checked, and the artifact was logged with a range of transparency from nil to fully disclosed).
+>
+>  
+>
+> A physical-world notary observes the signer as they sign the document. The SCITT TS doesn’t do this. It is closer to: The signer signs the document at home, drives to the notary, presents the signed document to the notary, the notary looks at the signature and assess that it looks like the signers handwriting or maybe assess that the ink is still relatively fresh, or something along these lines. I just think “Notary” is misleading (and don’t believe it should exist in the SCITT architecture).
+>
+>  
+>
+> Back to the OAuth ADCR use case. The Attestation Provider asserts that the container that the AS wants to provision the Client software + identity into is valid (based on AS policy). The role of a TS possibly adds value if it aims to detect duplicitous AP behavior. For example, If the Client (Attester) asserts it is a tomato but the AP (RATS Verifier) asserts to the AS that the Attester is a grape (after having asserted it was a tomato earlier). A TS might flag this as duplicitous under the assumption that once a tomato always a tomato. But even this isn’t always true. A device can be remanufactured to become a different type of device. FPGAs and VMs are designed to make this easy.
+>
+>  
+>
+> At best the second “T” in SCITT should be a little “t”. The first “T” might also be a little “t” depending on policies for selective disclosure.
+>
+>  
+>
+> Cheers,
+>
+> Ned

docs/discussions/alice_engineering_comms/0451/index.md

@@ -0,0 +1 @@
+# 2023-11-14 Engineering Logs

docs/discussions/alice_engineering_comms/0451/reply_0000.md

@@ -0,0 +1,49 @@
+## 2023-11-14 @pdxjohnny Engineering Logs
+
+- https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Introducing-Attested-Containers/post/1539199
+  - https://github.com/intel/ACON/issues/51
+- https://github.com/aquasecurity/trivy/blob/main/docs/docs/supply-chain/vex.md#openvex
+- https://github.com/aquasecurity/trivy/pull/5466
+- https://github.com/pdxjohnny/scitt-api-emulator/blob/demo-instance/docs/slsa_in_toto.md
+
+### S2C2F
+
+Upstream for S2C2F sections: https://github.com/ossf/s2c2f/blob/98803e0a558e6d8cef4d2770864ffd3cf7618c65/specification/framework.md#appendix-relation-to-scitt
+
+#### Appendix: Relation to SCITT
+
+> The [Supply Chain Integrity, Transparency, and Trust](https://github.com/ietf-scitt) initiative, or SCITT, is a set of proposed industry standards for managing the compliance of goods and services across end-to-end supply chains. In the future, we expect teams to output "attestations of conformance" to the S2C2F requirements and store it in SCITT. The format of such attestations is to be determined.
+
+#### Appendix: Mapping Secure Supply Chain Consumption Framework Requirements to Other Specifications
+
+Goal: Create YAML file allowing users to map webhook event data to creation of data notarized by SCITT, statments and receipts created. Use YAML as basis for overall automatable format for alignment to S2C2F.
+
+Use presence of data in respective feeds/subjects to determine overall result (URL or RDF + jq / jsonpath?)
+
+| **Requirement ID** | **Requirement Title** | **References** |
+| --- | --- | --- |
+| ING-1 | Use package managers trusted by your organization | |
+| ING-2 | Use an OSS binary repository manager solution | |
+| ING-3 | Have a Deny List capability to block known malicious OSS from being consumed | |
+| ING-4 | Mirror a copy of all OSS source code to an internal location | |
+| SCA-1 | Scan OSS for known vulnerabilities | https://deps.dev |
+| SCA-2 | Scan OSS for licenses | https://deps.dev |
+| SCA-3 | Scan OSS to determine if its end-of-life | |
+| SCA-4 | Scan OSS for malware | clamav workflow or job, virustotal API? |
+| SCA-5 | Perform proactive security review of OSS | OpenSSF Scorecard |
+| INV-1 | Maintain an automated inventory of all OSS used in development | analysis of dev-requirements, package.json dev, etc. |
+| INV-2 | Have an OSS Incident Response Plan | SECURITY.md |
+| UPD-1 | Update vulnerable OSS manually | Watch for human approval on renovate/dependabot pull requests |
+| UPD-2 | Enable automated OSS updates | Presence of renovate/dependabot pull requests |
+| UPD-3 | Display OSS vulnerabilities as comments in Pull Requests (PRs) | |
+| AUD-1 | Verify the provenance of your OSS |  |
+| AUD-2 | Audit that developers are consuming OSS through the approved ingestion method | |
+| AUD-3 | Validate integrity of the OSS that you consume into your build | no network build with content addressed deps aka dockerfiles or melange |
+| AUD-4 | Validate SBOMs of OSS that you consume into your build | |
+| ENF-1 | Securely configure your package source files (i.e. nuget.config, .npmrc, pip.conf, pom.xml, etc.) | |
+| ENF-2 | Enforce usage of a curated OSS feed that enhances the trust of your OSS | |
+| REB-1 | Rebuild the OSS in a trusted build environment, or validate that it is reproducibly built | |
+| REB-2 | Digitally sign the OSS you rebuild | docs: slsa_in_toto |
+| REB-3 | Generate SBOMs for OSS that you rebuild | docs: slsa_in_toto |
+| REB-4 | Digitally sign the SBOMs you produce | docs: slsa_in_toto |
+| FIX-1 | Implement a change in the code to address a zero-day vulnerability, rebuild, deploy to your organization, and confidentially contribute the fix to the upstream maintainer | |

docs/discussions/alice_engineering_comms/0452/index.md

@@ -0,0 +1 @@
+# 2023-11-15 Engineering Logs

docs/discussions/alice_engineering_comms/0452/reply_0000.md

@@ -0,0 +1,17 @@
+## 2023-11-15 @pdxjohnny Engineering Logs
+
+- https://docs.fuel.network/guides/quickstart/
+  - Ref: Alice on Chain
+  - Policy Engine + Federation + inputs from labeled property graph (IETF 118 Hackathon day 1) built of receipts
+  - SCITT root rotation or tree swap persevere context and root of trust for that TS
+- https://netboot.xyz/docs/docker
+- [RFC7515: JSON Web Key (JWK)](https://www.rfc-editor.org/rfc/rfc7517)
+- [RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)](https://www.rfc-editor.org/rfc/rfc8037)
+- [On using the same key pair for Ed25519 and an X25519 based KEM - Erik Thormarker](https://eprint.iacr.org/2021/509.pdf)
+- https://github.com/DavidBuchanan314/dag-cbrrr
+- https://github.com/TBD54566975/dwn-sdk-js/pull/607
+  - /acc/
+  - https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/79#issuecomment-1797016940
+    - Updated with DWN as option for federation
+
+![chaos-for-the-chaos-god](https://user-images.githubusercontent.com/5950433/220794351-4611804a-ac72-47aa-8954-cdb3c10d6a5b.jpg)

docs/discussions/alice_engineering_comms/0453/index.md

@@ -0,0 +1 @@
+# 2023-11-16 Engineering Logs

docs/discussions/alice_engineering_comms/0453/reply_0000.md

@@ -0,0 +1,47 @@
+## 2023-11-16 @pdxjohnny Engineering Logs
+
+- https://grotto-networking.com/blog/posts/DID_Key.html#did%3Akey
+  - Unmaintained
+    - https://pypi.org/project/py-multibase/
+    - https://pypi.org/project/py-multicodec/
+  - Mentions a bug with leading 0 decode, but then it looks like the keys in [w3c-ccg/did-method-key.git/test-vectors/nist-curves.json](https://raw.githubusercontent.com/w3c-ccg/did-method-key/main/test-vectors/nist-curves.json) rely on that for proper decode?
+    - [2023-11-16-did-key-multicodec-header-issues.ndjson.xz.txt](https://github.com/intel/dffml/files/13385986/2023-11-16-did-key-multicodec-header-issues.ndjson.xz.txt)
+      - `python -m asciinema play -s 15 <(cat 2023-11-16-did-key-multicodec-header-issues.ndjson.xz.txt | xz -d -)`
+
+```console
+$ python -c 'print(int(0x1201))'
+4609
+$ python -c 'import sys, base58, multibase, multicodec; multicodec_value = base58.b58decode(sys.argv[-1]); multicodec.get_codec(multicodec_value); raw_public_key_bytes = multicodecremove_prefix(multicodec_value);' z82LkvCwHNreneWpsgPEbV3gu1C6NFJEBg4srfJ5gdxEsMGRJUz2sG9FE42shbn2xkZJh54
+Traceback (most recent call last):
+  File "/home/pdxjohnny/.local/.venv/lib64/python3.11/site-packages/multicodec/multicodec.py", line 73, in get_codec
+    return CODE_TABLE[prefix]
+           ~~~~~~~~~~^^^^^^^^
+KeyError: 109902829
+
+During handling of the above exception, another exception occurred:
+
+Traceback (most recent call last):
+  File "<string>", line 1, in <module>
+  File "/home/pdxjohnny/.local/.venv/lib64/python3.11/site-packages/multicodec/multicodec.py", line 75, in get_codec
+    raise ValueError('Prefix {} not present in the lookup table'.format(prefix))
+ValueError: Prefix 109902829 not present in the lookup table
+$ python -c 'import sys, base58, multibase, multicodec; multicodec_value = multibase.decode(sys.argv[-1]); multicodec.get_codec(multicodec_value); raw_public_key_bytes = multicodecremove_prefix(multicodec_value);' z82LkvCwHNreneWpsgPEbV3gu1C6NFJEBg4srfJ5gdxEsMGRJUz2sG9FE42shbn2xkZJh54
+Traceback (most recent call last):
+  File "/home/pdxjohnny/.local/.venv/lib64/python3.11/site-packages/multicodec/multicodec.py", line 73, in get_codec
+    return CODE_TABLE[prefix]
+           ~~~~~~~~~~^^^^^^^^
+KeyError: 4609
+
+During handling of the above exception, another exception occurred:
+
+Traceback (most recent call last):
+  File "<string>", line 1, in <module>
+  File "/home/pdxjohnny/.local/.venv/lib64/python3.11/site-packages/multicodec/multicodec.py", line 75, in get_codec
+    raise ValueError('Prefix {} not present in the lookup table'.format(prefix))
+ValueError: Prefix 4609 not present in the lookup table
+```
+
+- TODO
+  - [x] https://github.com/scitt-community/scitt-api-emulator/pull/39
+    - [ ] PR approvals
+      - [x] Orie

docs/discussions/alice_engineering_comms/0454/index.md

@@ -0,0 +1 @@
+# 2023-11-17 Engineering Logs

docs/discussions/alice_engineering_comms/0454/reply_0000.md

@@ -0,0 +1,5 @@
+## 2023-11-17 @pdxjohnny Engineering Logs
+
+- Resources for newcomers
+  - https://github.com/microsoft/generative-ai-for-beginners
+  - https://github.com/microsoft/ML-For-Beginners