From YouTube: Black Duck OpenShift Integration v2: OpsSight
All right, thanks everybody for joining. My name is Dave Muir. I've been working with Black Duck technologies for the last seven years, and some of you may know we were acquired by Synopsys late last year. Synopsys is building a business unit of a suite of software security tools, and Black Duck happens to be part of that suite. So I work in our business development, alliances team, working with great partners like Red Hat, and we've built an integration with OpenShift which I'll go through in detail today and try to do a demo.
Yesterday, I presented container security in the front there, and just sort of a quick review: there's a lot of different security tools out there. What I'll be talking about is the middle piece here, software composition analysis. Software composition analysis is something fairly new that's been coined in the market, but it's been around for a while; Black Duck's been doing it for 14 years. It's actually trying to find the open source software that you're bringing in to your applications or to your container images.
So within an OpenShift environment, OpenShift has an integrated registry, or you can pull images from other external registries, whether that be Artifactory, you know, GCP, whatever. And Black Duck has a couple components to it. One is our huge knowledge base that typically sits in our data center, so it has over a petabyte of data. We've been collecting the data for 14 years. It's essentially all the open source files that we've collected over 10,000 sources, and a lot of metadata around that open source as well, so think about, you know.
We have all the versions of OpenSSL, Apache Struts. We support, we have over 80 plus programming languages that we can support when we're scanning and identifying open source. So the knowledge base is typically in the cloud; it can be delivered on prem. But the second piece to the architecture is what is called the Hub. The Hub is the web application that stores all the results after you do scans, and it produces a lot of different metadata, which I'll talk about when I get to the demo within the integration.
We basically are looking at an actual project within OpenShift. So when you install it, it creates a project and creates a set of containers. A couple of those containers are looking at the OpenShift/Kubernetes API: the image stream API, which is specific to OpenShift, and then the pod creation API, which is a native Kubernetes API as well. So whenever an image hits those events, it's created, you do an S2I, you instantiate it in a pod. Our processors will find that image and speak to another core container.
That then launches a scan of that image. Essentially what's happening is we're exporting that image to a tar file and we're scanning that tar contents. Black Duck's scanner is basically a one-line command that you can scan really any files, binary, source code, for it to detect the open source within that scan target.
There's two pieces actually to this pod here, this pod right here: the actual scanner, that's instantiated when it's ready, when it gets an image event, and then the image getter is really the only privileged container running in this infrastructure, because it needs to do that Docker sock connection to do the docker pull.
So there's various ways you can implement the image getter, because it essentially calls APIs to let the scanner know that it's ready to be scanned. The scan is essentially taking what we call fingerprints of all the files within that tar file. So it goes through all the layers, takes these signatures or fingerprints of the actual files, the date of the file, the path of the directory structure, and sends that to the Hub, and those signatures go up to do a matching algorithm in the knowledge base.
The knowledge base then sends down the matches to the Hub, and the Hub builds what we call the Bill of Materials, or the component list, which I'll show you here in a minute, of the open source it found. And then, along with that, we get known vulnerabilities, we get licensing information, as well as operational information.
Now you only have to scan once unless you change an image, and after a scan, the Hub and Black Duck are continuously monitoring your image content. So you basically have an inventory of your open source components and, as we watch the data here, if new vulnerabilities are published, they will be, the information will be pushed back into OpenShift, so I didn't mention, after our scan is complete.
We also can be installed as an option with a Prometheus master; we're pushing all sorts of stats to certain ports, and you can use Prometheus or you can use your own implementation to look at those ports and get statistics like what scans are running, for example, and I'll show you some of that as well. All right, so let's go to a demo.
The Internet's been kind of fun lately, so I have some canned screens, but I'll try to make the internet work. One thing to note is this: the integration is open source. Black Duck Hub and the knowledge base is a product; it's subscription based, so once you purchase Black Duck Hub, you can get this integration for free. And we have an upstream and downstream project. The upstream project, the open source project, is labeled Perceptor.
So if you go to Black Duck's GitHub site and search on Perceptor, you'll see all sorts of projects related to it, and this project is sort of an example of how you can take that image getter container and swap it out with something else that doesn't use privileged containers, if you're interested in doing that. But it's just an example. Example shouldn't be put in production, but it'll guide you through how to create and use another container for that actual install, for that image getter. So a lot of good stuff out in GitHub.
Here's a look at what Black Duck would provide after a scan occurs. So scans usually take minutes. It depends on what you're scanning: if it's one file, a scan will take less than 30 seconds; if it's an application, that typically takes around a minute or so; if it's a container, containers are a lot bigger, some containers, it usually takes five minutes. If it's taking longer than five minutes, you can scale up your Hub.
We've got job runners and horizontally scaling capabilities to make those scan times go down. But the scan results give you things like the list of open source components down to the actual version. Versions are very important, specifically for understanding what license is tied to that version, as well as what security vulnerabilities are known to that version, and then there's things like operational risk, which are also version specific, but also specific to the project. So, for example, in this case, there's 18 newer versions available of async that I could be using. The project's stable, but there's only two contributors, so that might cause some concern. You want to make sure your open source projects are healthy and they have a pretty rich community around it. That's operational risk.

License risk is more for those who are interested in distributing applications and they don't want their IP leaked. For example, if I've got an external distribution and I have GPL licenses, that's a high risk, because the GPL license has obligations that say, if you use this, you have to open source your application.
Lawyers obviously don't like that, and commercial companies, but you can change the distribution here to be internal; GPL is fine. Or, if you're actually creating your own open source project, that would be fine as well. Now security risk, let's see if the Internet's gonna work for me here, I think I actually owe ya. So security risk is the known vulnerabilities for that open source component and version. We use the National Vulnerability Database, but those results tend to be slow and also don't really give a lot of actionable information.
After a scan, we don't alert our customers that they have to worry about these vulnerabilities, but what we do also look at are the things that Red Hat doesn't have insight into, and that's the application layer, the dependencies that developers are pulling in that aren't Red Hat curated open source. And so that's sort of the complementary nature that Black Duck provides with Red Hat. Let me see if I can pull in.
Let's see if I can do a search here, so we'll do a search for CVE 2017 5 6 3. You don't have to scan things within Black Duck to get open source information; you're basically connected to our knowledge base. So, for example, if I wanted to search on components and be proactive in terms of what components I want to use, you can do that. There's also IDE plugins, Chrome plugins, that give developers insights into the things that they're looking at as they're developing and pulling down open source software.
Let's see if the Internet's working here. So if I click this link, this link is BDSA 2017; it maps to this CVE. A BDSA is a Black Duck Security Advisory. It's the enhanced vulnerability data that we provide to our customers. Looks like the Internet's behaving. So it's things like: what's the workaround, this was fixed, here's the actual GitHub location of the fix. You can see the code itself, here's the exploit code, here's the technical information, so we want to provide more actionable information to our customers.
Doesn't look like it's working, but I'll try to get back to that now. So, from an OpenShift perspective, there's two things that we're pushing back into OpenShift after a scan occurs. One is the vulnerability information: is this image vulnerable? Is this pod vulnerable, and how many components are vulnerable?
The second thing is policy management. So policy management in Black Duck, and take this screen, gives you the ability to create all sorts of policy rules based on conditions, open source and project conditions. So, for example, I can create a blacklist of open source components. I can create project-specific conditions, component conditions. So, for example, if I go back to my list of components and filter on the policy violations, let's do that. OK.
In violation, it's thinking about it, yep, the Internet's not working very well. There is a component in here that's on my blacklist, so basically what that means is this project is in violation. So what that means within OpenShift is that we are then labeling pods with this information. So you can see here in this Node.js image that I created a little while ago, it is in violation. You can have multiple images per pod, so there's an overall status and then there's a specific image violation status as well.
You can see how many components; there's one component that has a policy violation. So this is through the UI, or you can actually query it. So most OpenShift operators like to query. I can do an oc describe, let's see if the Internet's working here, and I could do either pods or images and use that label. This is actually where the integration stops. We've had a lot of discussions on, hey, what do we do next? How do we use these labels?
We do the same labeling with images, but we also annotate them. So if I go to the latest and annotate and see the annotations, we've worked with Red Hat on this specification, actually, so you can see some specific image annotations within OpenShift. This is specific for OpenShift. You can't really get this with Kubernetes; they don't have that concept yet, but they may in the future. So that's how we sort of push that information back into OpenShift.
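The layer-by-layer fingerprinting the talk describes (export the image to a tar, walk every layer, record each file's path, modification date and a content signature), as an added Python illustration that is neither Black Duck's scanner code nor part of the original transcript. It assumes the docker-save tar layout (a manifest.json listing one layer.tar per layer) and a constructed two-layer sample image, and goes a step beyond the talk by honouring OCI whiteout entries so a file deleted in an upper layer is not fingerprinted.

```python
import hashlib
import io
import json
import tarfile
from collections import namedtuple

# One record per surviving file: source layer, path, tar-header mtime, content hash.
Fingerprint = namedtuple("Fingerprint", "layer path mtime sha1")
WHITEOUT = ".wh."  # OCI layer convention: ".wh.<name>" deletes <name> from lower layers


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def fingerprint_image_tar(image_bytes):
    """Walk a docker-save style image tar layer by layer; one Fingerprint per regular file."""
    seen = {}  # path -> Fingerprint; a later layer's copy overrides an earlier one
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    parent, _, base = member.name.rpartition("/")
                    if base.startswith(WHITEOUT):  # file deleted in this layer
                        seen.pop(f"{parent}/{base[len(WHITEOUT):]}".lstrip("/"), None)
                    elif member.isfile():
                        digest = sha1_hex(layer.extractfile(member).read())
                        seen[member.name] = Fingerprint(layer_name, member.name, member.mtime, digest)
    return sorted(seen.values(), key=lambda f: f.path)


def _tar_bytes(files):
    """Build an in-memory tar; files maps path -> (content bytes, mtime)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (content, mtime) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample image: layer 2 upgrades libssl and whiteouts app/old.js."""
    layer1 = _tar_bytes({"usr/lib/libssl.so": (b"openssl-1.0.2", 1500000000),
                         "app/old.js": (b"legacy", 1500000000)})
    layer2 = _tar_bytes({"usr/lib/libssl.so": (b"openssl-1.1.1", 1600000000),
                         "app/.wh.old.js": (b"", 1600000000)})
    manifest = json.dumps([{"Config": "cfg.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": (manifest, 0),
                       "l1/layer.tar": (layer1, 0), "l2/layer.tar": (layer2, 0)})
```

Running it on a real `docker save` archive only needs the bytes of that tar in place of build_sample_image(); the records it returns are the kind of signatures the talk says are sent up to the Hub for matching.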