Project Name: Keycloak
Github URL: https://github.com/keycloak/keycloak
Website: https://keycloak.org
TOC Link: https://github.com/cncf/toc/issues/406 (sandbox)
Security Provider: yes (e.g. Is the primary function of the project to support the security of an integrating system?)
Project / Security Lead: Stian Thorgersen (github: @stianst)
Project self assesment document: https://docs.google.com/document/d/14IIGliP3BWjdS-0wfOk3l_1AU8kyoSiLUzpPImsz4R0/edit?usp=sharing
Keycloak has been submitting to CNCF late 2018 although has been impacted with process changes and lack of bandwidth from TOC side which led to stop new projects intake. As new process settled and after new TOC elections we would like to re approach CNCF Sandbox submission. With new process this requires CNCF SIG Security recommendation. Keycloak already has approached SIG Security mid 2019 although this has also been impacted with process evolution and lack of bandwidth at that time.
One of highlights which is worth to make is in the meantime Keycloak received a professional external Pen Testing from Cure53 which is captured here: https://cure53.de/pentest-report_keycloak.pdf
(This is highlighted in Self Assessment document as well)
@lumjjb: added to blocked? More details here?
From the project side I believe all initial steps are covered and awaiting additional asks or feedback from SIG Security to move forward. If there is anything in addition required I would be interested to know.
Hi @bdaw is there a toc issue link for keycloak that we can add to the reference? Thanks.
I would like to participate as a reviewer. Here's my conflict declaration:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Hello,
I am new to the security research area and do have some experience with security testing. I would like to participate as a security reviewer on this project. Since I don't have prior experience of doing a formal security review for CNCF projects, I am okay to participate through shadowing as well. Below is the conflicts declaration for me:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
@lumjjb : Edited this to make soft conflict more visible
Okay, added @Krishan-Sharma and @ashutosh-narkar to the list.
Looking for a lead and 2-3 more reviewers!
I would like to participate as a reviewer. Here's my conflict declaration:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - Yes
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
@lumjjb
I would like to participate as a reviewer. Here's my conflict declaration:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Okay, it looks like we're mostly missing the lead reviewer. Any volunteers? @ashutosh-narkar , do you qualify and if so do you have time?
@JustinCappos I haven't yet been a lead on any other assessment so it would be helpful to be a reviewer on this assessment before leading one. Hope that's fine.
Okay, I'll ask for volunteers tomorrow and see if we can get someone else. We've had good experience with a past project lead taking the lead on a review, so if you were willing to lead (if we can't find someone else), this is likely to be permitted.
Since the chairs are pre-occupied, I'll sign off on the reviewer conflict of interest forms.
I'm not able to spend enough time on this due to some work related commitments. So for now, I'll like to withdraw my name from list of reviewers for this assessment.
I'm not able to spend enough time on this due to some work related commitments. So for now, I'll like to withdraw my name from list of reviewers for this assessment.
@ashutosh-narkar Do you feel like you have enough people looking at this? Should we try to recruit someone else to help out?
@JustinCappos it would be helpful to have one more reviewer.
@JustinCappos it would be helpful to have one more reviewer.
I'll work on this.
My apologies as I too am unable to dedicate enough time on this security review due to pressing urgent work on my plate currently, and will need to withdraw my name to avoid holding back the team's assessment.
@TheFoxAtWork , you'd mentioned you would be willing to participate. If so, would you kindly list your conflict statement?
This would be my first assessment.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
This would be my first assessment.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NOSoft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Great, I've added you.
Happy to help
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO*
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
*I oversee a team conducting research on this capability. It is not in use at this time.
@dshaw @ultrasaurus @pragashj , will you kindly sign off of on the reviewer conflict statements? (It should be very straightforward.)
@JustinCappos: checking in on the status of this review? Thanks!
It's getting close. @ashutosh-narkar do you want to give a more detailed update?
We have been working closely with the Keycloak team on their self-assessment doc. We have gone through multiple rounds of questions/clarifications over the document and the Keycloak team has been very prompt in addressing the review team's comments. The review team submitted a list of consolidated recommendations on July 9th and the Keycloack team addressed them last week. We'll go over the doc again next week and if it looks good, we can move to the next stage of the assessment process.
@amye please let me know if you have any questions. Thanks
This issue has been automatically marked as inactive because it has not had recent activity.
@ashutosh-narkar is this all good yet? can we close this?
@lumjjb yes ! We have already closed this pull request.
Awesome! Closing this then! Thanks!
Most helpful comment
One of highlights which is worth to make is in the meantime Keycloak received a professional external Pen Testing from Cure53 which is captured here: https://cure53.de/pentest-report_keycloak.pdf
(This is highlighted in Self Assessment document as well)