Node.js Security team Meeting 2023-11-09

[mhdawson]

Time

UTC Thu 09-Nov-2023 15:00 (03:00 PM):

Timezone	Date/Time
US / Pacific	Thu 09-Nov-2023 07:00 (07:00 AM)
US / Mountain	Thu 09-Nov-2023 08:00 (08:00 AM)
US / Central	Thu 09-Nov-2023 09:00 (09:00 AM)
US / Eastern	Thu 09-Nov-2023 10:00 (10:00 AM)
EU / Western	Thu 09-Nov-2023 15:00 (03:00 PM)
EU / Central	Thu 09-Nov-2023 16:00 (04:00 PM)
EU / Eastern	Thu 09-Nov-2023 17:00 (05:00 PM)
Moscow	Thu 09-Nov-2023 18:00 (06:00 PM)
Chennai	Thu 09-Nov-2023 20:30 (08:30 PM)
Hangzhou	Thu 09-Nov-2023 23:00 (11:00 PM)
Tokyo	Fri 10-Nov-2023 00:00 (12:00 AM)
Sydney	Fri 10-Nov-2023 02:00 (02:00 AM)

Or in your local time:

• https://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Security%20team+Meeting+2023-11-09&iso=20231109T1500
• or https://www.wolframalpha.com/input/?i=03PM+UTC%2C+Nov+09%2C+2023+in+local+time

Links

• Minutes Google Doc: https://docs.google.com/document/d/1-UhZErqJLAQaSYLEWcxYveg0rCysywXo8RYNnfRrGLM/edit

Agenda

Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

nodejs/security-wg

• Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting #1145
• Have a SBOM for Node.js? #1115
• License checker process/script #1104
• Audit build process for dependencies #1037
• Initiative for CII-Best-Practices for Nodejs Projects #953
• Permission Model - Roadmap #898

Invited

• Security wg team: @nodejs/security-wg

Observers/Guests

Notes

The agenda comes from issues labelled with security-wg-agenda across all of the repositories in the nodejs org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

https://zoom.us/j/92309450775

• link for participants: <>
• For those who just want to watch We stream our conference call straight to YouTube so anyone can listen to it live, it should start playing at https://www.youtube.com/c/nodejs+foundation/live when we turn it on. There's usually a short cat-herding time at the start of the meeting and then occasionally we have some quick private business to attend to before we can start recording & streaming. So be patient and it should show up.
• youtube admin page: https://www.youtube.com/my_live_events?filter=scheduled

[marco-ippolito]

Maybe we will have to skip this meeting since we will be all travelling from NodeConf
Cc @prabhu

[RafaelGSS]

FYI @Amir-Montazery, it is likely this meeting will be cancelled due to most of us attending NodeConfEU.

[Amir-Montazery]

Ok, thank you Rafael! Regardless of whether this meeting gets cancelled or not, I'll have some more info for the group in the coming days.

[Amir-Montazery]

I'll be ready for the 11/23 meeting. I will provide more information as soon as possible, I am waiting on an update and should have it this week.

[Amir-Montazery]

Here's what we have in mind for the node.js security work for December. It will require minimal input and time commitment from existing developers. I will have more info at the 11/23 meeting. See below:

There are currently two projects integrated into OSS-Fuzz which are targeting code of nodejs:

• Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs
• llhttp: https://github.com/google/oss-fuzz/tree/master/projects/llhttp

The llhttp project is doing well and has been for a long time: https://introspector.oss-fuzz.com/project-profile?project=llhttp

The Nodejs has been broken for a long time and the fuzzer of it is not running. It makes sense to make sure the Nodejs project gets back to running and also update the fuzzer accordingly as well as extend the setup. The fuzzer for the Nodejs project in OSS-Fuzz is the fuzzer in the Node codebase here: https://github.com/nodejs/node/tree/main/test/fuzzers. Note that it was David Korczynski who did the initial work for getting Node into OSS-Fuzz, so he's familiar with the existing work from that perspective.

Another improvement that has happened in OSS-Fuzz the last year has been improved support for javascript fuzzing. As such, we will be looking at applying this on the Nodejs codebase as well.