
financial-objects's Introduction


FINOS Financial Objects Special Interest Group

The Financial Objects Special Interest Group (SIG) provides a neutral forum for individuals across the financial services industry to collectively identify the need for new, open, financial objects standards as well as modifications to existing ones. The goal of the Financial Objects Special Interest Group is to promote adoption of financial object definitions and models that support common industry workflows and use cases.

The Financial Objects SIG is led by FINOS members Goldman Sachs and ISDA, and hosted by FINOS, The Fintech Open Source Foundation. It was approved by the FINOS Governing Board in April 2021.

All Financial Objects SIG collaboration activities, including meeting minutes, are hosted on this Financial Objects GitHub repository, and in this GitLab project. Activities prior to July 2020 can be found in the Financial Objects project archive.

For more information about FINOS Special Interest Groups materials and communication, please review the FINOS Governance.

For background about Financial Objects within FINOS, see the background section at the bottom of this file.

Roadmap and charter

See the roadmap and charter of the Financial Objects Special Interest Group here.

Get Involved

Financial Objects SIG meetings

Participants of the Financial Objects Special Interest Group meet on a regular basis. Find the next meeting on the FINOS Community Calendar and email [email protected] if you encounter any issues.

Browse past meeting minutes and upcoming meeting agendas.

Mailing list

All SIG related communications are conducted through the [email protected] mailing list. Email [email protected] with questions or suggestions for collaboration use cases. Join the mailing list and stay up to date by sending a note to [email protected].

Join an ongoing modeling effort

Commodities Payout Workstream

Overview

The Commodities Payout Workstream was proposed and is led by Goldman Sachs.

  • Business problem: The ISDA CDM recently introduced its first instance of Commodities representation & looked to capture Payout terms of a vanilla swap. There are many other iterations of Commodities contracts that would benefit from an industry standard being created, and the driver of this group is to continue to build the CDM and look to capture payouts associated with Commodity Options in the first instance.

  • Proposed solution: Looking to tackle the Commodity Option payout first, the proposed solution will look to build on the existing generic option component with any additional terms that are relevant to commodities but not necessarily captured.

Contribute

There are several ways to contribute to the Commodities Payout workstream:

Legend Studio

Please note that modeling is being done in the FINOS hosted instance of Legend Studio, and a copy of the ISDA CDM in the FINOS hosted instance of Legend Studio can be accessed at https://legend.finos.org/studio/viewer/UAT-34. Please note that you will need to have an account on the FINOS hosted instance of Legend Studio in order to access it. You can request an account at finos.org/legend.

Product Control Common Template Workstream

Overview

The Product Control Common Template Workstream was proposed and is led by Goldman Sachs.

  • Business Problem: there are multiple vendors currently providing consensus-based pricing services and each vendor has its own template requirements. The different submission and consensus templates have increased the onboarding cost for participants to switch between / subscribe to multiple vendors.

  • Proposed Solution: to overcome this inconsistency, we are aiming to create an industry standard common template for submitting to and getting data back from vendors. This would help to streamline the submission process by applying a consistent approved format for this submission. This removes the dependence on template naming conventions and the cost when these are changed.

  • Approach:

    • Construct a common template data model using Legend Studio.
    • This common template data model will become a candidate for inclusion to the CDM and will include all the attributes that each vendor is required to run their valuation process and return the consensus data to the banks.
    • Banks can connect their daily pricing data to the industry approved model for submission and vendors can leverage the same model to provide the consensus data. Thereby, both the banks and vendors will communicate in the same common model language.

Contribute

There are several ways to contribute to the Product Control Common Template:

  • Join the next meeting: participants of the Product Control Common Template Workstream meet every Monday at 10am ET / 3pm GMT. Find the next meeting on the FINOS Community calendar and browse past meeting minutes in GitHub
  • Join the mailing list: Communications for the Product Control Common Template workstream are conducted through the [email protected] mailing list. Please email [email protected] to join the mailing list.
  • Raise an issue: if you have any questions or suggestions, please raise an issue at https://github.com/finos/finos-fo/issues/new/choose
  • Contribute to building the Product Control Common Template: reach out to [email protected] expressing your interest in contributing.

Legend Studio

Please note that modeling is being done in the FINOS hosted instance of Legend Studio, and a copy of the ISDA CDM in the FINOS hosted instance of Legend Studio can be accessed at https://legend.finos.org/studio/viewer/UAT-34. Please note that you will need to have an account on the FINOS hosted instance of Legend Studio in order to access it. You can request an account at finos.org/legend.

Background

The Financial Objects project was led by Johan Sandersson (Factset) and Hammad Akbar (Citi) until July 2020, when they expressed their intention to step down as project leads. See this GitHub issue Choose new project leads for FO for context.

In November 2019, at FINOS’ flagship conference, the Open Source Strategy Forum, FINOS Platinum member Goldman Sachs announced its intention to open source its internally developed Legend logical modeling language and visual data modeling platform, which is used to build, design, and execute data models.

Between April and September 2020, Goldman Sachs led several data modelling efforts as part of the FINOS-Legend Studio Pilot. The Pilot brought together developers and subject matter experts from financial institutions, technology firms and industry associations globally to develop extensions to the ISDA Common Domain Model (CDM). Following the success of the FINOS-Legend Studio Pilot, with the proposed extensions being accepted and released by the ISDA Architecture and Review Committee, Goldman Sachs & ISDA stepped forward to re-purpose and lead the Financial Objects Special Interest Group within FINOS, to further promote common, standard data models, and eventually create new ones.

Between July 2020 and February 2021, the FINOS Community engaged with a Request for Comment on the Future of the Financial Objects project, and in February 2021, Ffion Acland from Goldman Sachs stepped forward to lead the Financial Objects project. Following a ten day period during which this proposal received support and no objections from the FINOS Community, Ffion Acland became the project lead on February 19th 2021.

In January 2021, Goldman Sachs proposed and launched two work streams under the Financial Objects project: Commodities Payout and Product Control Common Template. Within a couple of months it became clear that while there are overarching, common elements to these work streams (modeling financial objects, using Legend & the FINOS hosted Legend Studio instance, and leveraging the ISDA CDM) every workstream has specific requirements that warrant separate governance structures.

In line with the needs of the existing projects, in April 2021, the FINOS Governing Board approved uplifting the Financial Objects project into a Special Interest Group, so that the existing work streams could become separate projects with their own governance models. The goal of the Financial Objects SIG is to provide a neutral forum for individuals across the financial services industry to collectively identify the need for new, open, financial objects standards as well as modifications to existing ones. The Financial Objects SIG also aims to promote adoption of financial object definitions and models that support common industry workflows and use cases.

Contributing

Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool. Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.

Need an ICLA? Unsure if you are covered under an existing CCLA? Email [email protected]

If you're interested in contributing to Financial Objects data models on the FINOS hosted instance of Legend Studio, please submit your interest at finos.org/legend and you will be granted "read-only" access to view models.

Editing and creating models in the FINOS hosted instance of Legend Studio is considered an open source contribution, and contributions to FINOS open source projects must be covered by a Contributor License Agreement (CLA). If you would like to get access to edit and create models (i.e. "write" access) on the FINOS hosted instance of Legend Studio, your employer will need to sign a Contributor License Agreement (CLA) with the Foundation. Please see the Contribution Compliance Requirements and email [email protected] with questions.

Governance

The FINOS Financial Objects SIG is governed by the FINOS Special Interest Group governance.

License

Copyright 2019 FINOS The Fintech Open Source Foundation

Distributed under the Apache License, Version 2.0.


financial-objects's Issues

WS-2019-0332 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0332 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /finos-fo/website/package.json

Path to vulnerable library: /tmp/git/finos-fo/website/node_modules/handlebars/package.json

Dependency Hierarchy:

  • typedoc-0.15.0.tgz (Root Library)
    • handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.

Publish Date: 2019-12-05

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

10 MAR 2021 - Product Control Common Template Meeting Minutes

Date

Wednesday, MAR 10 2021 - 9am ET / 2pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Volunteer introduction
  • Overview of the initiative
  • Legend Studio Walkthrough
  • Share indicative vendor model via Legend Studio
  • Q&A

Minutes of the meeting

  • Approval on past meeting minutes and introduction of volunteers.
  • Basic overview by project leads. Initiative and its benefits re-emphasized with the working group. Proof of Concept focus area highlighted for the next 4 meetings with indicative model to model mapping using Legend Studio.
  • Points raised in the meeting that require further discussion with project maintainers:
    - Discussion on further alternative solutions as part of the working group to meet the ultimate objective of the working group basis its feasibility.
    - Legal protection of data and the alternative solution and a comprehensive guideline on how the IP will be protected.
    - Banks and vendors raised topics on governance and ownership in terms of ownership of the developed model. FINOS has an IP policy that neutralizes LEGEND Studio. Discussion on CCLA agreement to start contributing to Legend Studio.
  • Given Legend runs in a web browser, the working group needs to confirm whether participants, vendors and banks are allowed to use Legend/CDM in their local instance, and the open security issues.
  • Legend Studio presentation and demonstrated how to a sample data model for equity vanilla option template.
  • Discussion on legend supporting multiple date formats.

Action Items

  • RVS to provide alternative solution for our proposed objective in the next working group.
  • FINOS to revert on Legend IP protection and ownership of the proposed working model.
  • Provide solution on multiple date format support in Legend Studio (UK/US date formats).
  • GS to merge the indicative common template model to the Product Control common template project in FINOS Legend space. Participants to review and revert with feedback, if any.

As discussed, please find below the learning material for Legend Studio.
Link to Youtube
Legend working guide

  • ...

WebEx info

Adopt Governance model for the FINOS Financial Objects project

Background

  • This issue stems from a discussion between participants at the February 22nd Product Control Common Template meeting, and the corresponding action item to define a Governance model to approve proposed changes to the Product Control Common Template.
  • Product Common Template is a work stream of the recently revamped Financial Objects project, which itself might want to adopt a new governance that best suits its new scope, participants and work streams.
  • The intent in the FINOS governance is for Projects to be able to amend their own governance (within the boundaries of FINOS policies), to allow flexibility.

Proposal

Financial Objects project to adopt an overarching governance, as well as one that governs individual existing and future work streams under the Financial Objects project (e.g. Product Control Common Template). The new Governance can be adopted by consensus or simple majority vote of the current project maintainers.

The recommendation is to start from the existing FINOS provided governance templates and amend as needed. The existing options are:

A potential third, and intermediate approach that the Linux Foundation is standardizing on and that FINOS is also considering is the Community Specification Contribution Policy.

Call to Action

Please review:

  1. The FINOS Software project governance model
  2. The FINOS Standards project governance model - standard centric
  3. The Community Specification Contribution Policy

and provide feedback in the comments section below by {3/15/2021}. If you'd rather see FINOS put forward a proposed governance model, please provide that feedback as well.

22 MAR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, Mar 22 2021 - 10am ET / 2pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Follow up discussion on the alternative solution from previous week
  • Discussions on essential details for the common template model
  • Model to Model mapping discussion continued
  • Q&A

Minutes of the meeting

  • Approval on past meeting minutes
  • Clarification on the legend common model being an indicative one for model to model mapping proof of concept and not the final production version yet.
  • Discussion on the proposed alternative solution based on bespoke API - participant to share with WG the open source materials and working knowledge of the bespoke API.
  • Discussed the need for common terminologies for vanilla and exotic products for standardized representation of the data.
  • Participants to review if the open source bespoke model can be leveraged for the initiative in conjunction with FINOS open source policy.
  • Kick off a discussion on the vendor template attributes to be included/excluded in the common template so as to cover all vendors' requirements.
  • Vendor to CDM template model to model mapping example shared with the group, pending discussion on adding missing attributes to the existing CDM Model

Decisions Made

  • N/A

Action Items

  • Follow up discussion on the proposed alternative solution and its viability.
  • Continue discussion on model to model mapping (CDM to Vendor template)

WebEx info

18 03 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 18 03 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • ISDA ARC Feedback on Frequency & Rounding Proposals - Revisions Needed
  • PricingDates Discussion Continued

Discussion Points

  • Previous meeting minutes approved
  • Group talked through the feedback from the ARC on proposals for Quantity Frequency & Rounding.
  • Quantity Frequency: Feedback given from ARC was 1. Addition of DayType accepted 2. Suggestion to create commodity specific extended enum for this use case 3. Question if HalfYear could be represented as 6M 4. If pointers could be used or period could be explicitly stated instead of adding perCalculationPeriod & perSettlementPeriod. The group talked through this feedback and worked through each of the proposed enums & neared agreement on a) perSettlementPeriod & perCalculationPeriod can likely be represented through an explicit period value (e.g. 3m) b) PerHalfYear if = to 6 months could instead be represented as 6M (GS to explore this as a takeaway) c) If a & b are agreed, then perHour should be proposed to be added into PeriodEnum as would only be 1 additional value required.
  • Rounding: Feedback given from the ARC was that the concept of adding a rounding rule makes sense however asked if the group could explore if this is the optimal way to represent this feature. Additionally the proposed enum of 'Average' was suggested to be alternatively given as 'Calculation' so it could be applied more generally across the model. The group focused on how the pricingDates element should be represented within the model with the view that once this is established a decision can be made whether it is appropriate to represent rounding at various levels of the Averaging model.

WebEx info

22 04 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 22 04 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

Discussion Points

  • Group walked through 3 FpML samples of vanilla European Options covering both Cash & Physical Commodities.
  • It was identified that there was value in doing the Asian scenario first as the proposal for observations is relevant for certain option scenarios too.
  • The existing design of Option with the CDM largely covers the Cash Settled use case for commodities; however, further thought needs to be given on the Physical side.
  • Discussion was raised around the representation of Premium in Commodities which can be given as both a premium per unit (of Commodity) or total premium. Current CDM design allows for both to be represented however thought needs to be given if the Settlement of the premium exists in TradableProduct would handle the calculation of PremiumPerUnit & Quantity to determine the payment. GS & Regnosys to form a proposal on this point.
  • The physical scenario of Vanilla European Options has historically been represented in FpML as an Option with an underlying Forward (or Swap). The existing design of OptionPayout in CDM does handle physical settlement; however, the group will assess if this is appropriate for Commodities or whether a new Payout is potentially required. Additional physical settlement examples will be prepared for next week.

WebEx info

Jul 30th 2020 - Financial Objects Meeting Minutes

Date

Jul 30th 2020 - 11am EST

Untracked attendees

  • Johan Sandersson / Factset / @donbasuno
  • Hammad Akbar / Citi / @HammadNYC
  • Nick Kolba / Genesis / @nkolba
  • Stephen Murphy / Genesis
  • Will Brown / Genesis
  • Ffion Wiggins / Goldman Sachs / @ffionwiggins
  • Rich Robinson / Bloomberg / @rcr203
  • Daniel Schwartz / FT Advisory / @dschwartznyc
  • Rob Underwood / FINOS / @brooklynrob
  • Aitana Myohl / FINOS / @aitana16

Confluence page

Agenda

  • Convene & roll call (5mins)
  • Recap of FO project focus over the past couple of years
    • Define agnostic financial object, something that stands alone and can be translated and used in any language, scaled and broadly used. Make financial objects discoverable
    • Goal was not to create a list of financial object libraries for the sake of it, but rather to drive it based on specific use cases, focusing on a solution that's driving some workflow solution or improvement
  • Discussion on the future of the FO project
    • some participants highlighted the need to identify a problem before defining a solution
    • problem is that lack of standard data structures means that organizations implement their functionalities in different ways
    • a participant involved with a wide range of use cases proposed to get buy side and sell side firms together and market the FO project as an infra clearinghouse
    • another participant suggested the project focus on translation between these different ways of representing things, instead of developing a new one
    • someone highlighted the close work done between FDC3 and FO: work has been to standardize interfaces to have a common "rosetta stone" layer to connect those identifiers. As that standard matures, it would be useful to have more of those standardized sets of interface data that can be used to connect all those workflows end to end across the desktop. This participant expressed interest in going back to backends and do further work with what's happening within applications
  • AOB, Q&A & Adjourn (5mins)

Decisions Made

  • @dschwartznyc and Stephen Murphy expressed interest in eventually leading the FO project

Action Items

WebEx info

25 02 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 25 02 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Revisit FpML example that has been updated to represent single period.
  • Brief discussion on Quantity Frequency update that is required
  • Studio Proposals - PaymentDates, PricingDates, Rounding

Discussion Points

  • Group walked through the updated FpML example which represents a single period Asian Option.
  • Discussion around how quantity/unit/frequency should be represented and suggestions were made to re-adjust the refactored quantity class to bring the frequency out of the unit class and directly within quantity. Proposals will be put together for next week's session.
  • The topic of how strike and premium are represented was discussed and it was explained that both will leverage the price refactor in the new version of the model.
  • Initial model additions were proposed to cover the commodities use case. PaymentDates class that was proposed is captured elsewhere on the model so not required. PricingDates which is a specific Commodities class needs more thought before next week's session. Initial proposal regarding rounding looks like it fits into the CDM principles, will dive into this in more detail in future sessions.

WebEx info

CVE-2017-16119 (High) detected in AndroidUtilCode1.23.6

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - AndroidUtilCode1.23.6

🔥 Android developers should collect the following utils(updating).

Library home page: https://github.com/Blankj/AndroidUtilCode.git

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution: fresh - 0.5.2

Test! - Financial Objects Meeting Minutes

Date

Thursday DD MMM yyyy - 12pm EST

Untracked attendees

  • Fullname, Affiliation, (optional) GitHub username
  • Add items here

Confluence page

https://finosfoundation.atlassian.net/wiki/spaces/FO/pages/123404294/Financial+Object+Working+Group

Agenda

  • Convene & roll call (5mins)
  • Add items here
  • AOB, Q&A & Adjourn (5mins)

Decisions Made

  • Add items here

Action Items

  • Add items here

WebEx info

CVE-2020-7598 (Medium) detected in opennmsopennms-source-25.1.0-1

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - opennmsopennms-source-25.1.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 8a85da74af12dda4095dcafaf3ad66599e8d67ba

Vulnerable Source Files (0)

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

WS-2019-0331 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0331 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /finos-fo/website/package.json

Path to vulnerable library: /tmp/git/finos-fo/website/node_modules/handlebars/package.json

Dependency Hierarchy:

  • typedoc-0.15.0.tgz (Root Library)
    • handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-12-05

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

01 MAR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, MAR 01 2021 - 10am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Vendors questions
  • CDM introduction
  • Legend Studio introduction
  • Transition Approach: Indicative Model to Model Mapping
  • Constituents and Structure of Governance Process
  • Open discussion: How can we get more banks and suppliers to this working group

Minutes of the meeting:

  • Approval/questions on past meeting minutes. Remaining participants to review the circulated meeting minutes and raise questions, if any.
  • Product Coverage re-emphasized with vendors with broader long term industry benefits on standardization.
  • Discussion on sharing across the attributes on the current vanilla option template from various vendors in the working group to arrive at industry-wide common model to model mappings.
  • Basic overview of CDM (Common Domain Model) by ISDA - Benefits, Interoperability, Transparency & Accelerated Innovation.
  • Basic introduction of FINOS Legend Studio by project leads and indication of the working of the model to model mapping using Legend Studio.
  • Discussion on the proposed transition approach using Indicative Model to Model Mapping via Legend Studio.
  • A couple of outstanding agenda items need to be discussed in a later meeting – Governance process & Onboarding of a larger group of banks that currently use these consensus services on the common template working group.

Decisions Made

  • Proposal for kick off of a wider Working group to explore feasibility of the proposal and the indicative template model to model mapping idea.

Action Items

  • Participating Banks & Vendors to appoint volunteers for the working group to meet every week and create the model for ~ 1 month and then get back to the project maintainers to review the progress.

As a Follow up from the meeting, can we request you to please

  • Get a GitHub account at github.com/join for all members/volunteers,
  • "watch" the FO repository in GitHub,
  • Request a legend account at finos.org/legend for all members/volunteers, and
  • Send across names, email id and GitHub id of volunteers for the working group by Friday, so that we can reach out to them ahead of the meeting next week.

WebEx info

29 MAR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, MAR 29 2021 - 10am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Participant feedback and progress on the working on Legend Studio and Model mapping creation.
  • Discuss scope of Proof of Concept for the PoC.
  • Discuss Success Metrics of the PoC.
  • Continue discussion on model to model mapping.
  • Q&A

Minutes of the meeting

  • Approval of the past meeting minutes.
  • Participants feedback on user experience on legend studio and CDM mappings.
  • Participants to explore CDM to extract attributes from CDM Mapping.
  • Shared initial scope of proof of concept: the WG will focus on creating only 2 sets of model to model mappings (a sample vendor template to CDM model and vice versa).
  • Shared initial success metrics of the proof of concept.
  • Pending discussion with project maintainers on the scope of models that would be open sourced.
  • Continued discussion on model to model mapping (CDM to sample vendor template).
  • Quick demo on the transformation logic in legend studio.

Decisions Made

  • N/A

Action Items

  • Participants to review the legend studio and explore working on model to model mapping locally and feedback the user experience to the working group.
  • Participants to look up for sample CDM structure data in Rosetta platform.
  • Share description of the missing attributes in CDM with ISDA to provide reference of the same in CDM.
  • Complete discussion on the proof of concept by the next two working group meetings.

WebEx info

22 FEB 2021 - Product Control Common Template Meeting Minutes

Date

Monday, FEB 22 2021 - 10am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Quick intro from participants (company / background)
  • Overview of the initiative (Attached - Problem statement / proposed solution / approach)
  • Introduction to CDM and Legend Studio
  • Q&A

Minutes of the meeting:

  • Project Overview by Goldman Sachs. Core idea and its benefit highlighted and agreed upon by participants.
  • Additional benefit in terms of regulatory environment and FRTB filing from standardisation.
  • Additional consideration points raised during the meeting relating to the project:
  • Proposal of template governance process and including it in CDM ARC (Architecture and Review Committee).
  • Proposal of change management process.
  • Interchangeability of the model from current vanilla equity proof of concept to more Exotic templates.
  • Discussed the need for a Steering Committee.
  • Discussion on convergence of the existing contractual agreement with the existing vendors and creation of an interim process to facilitate the transition.
  • Incorporation of the model for consensus pricing to be discussed in-depth.
  • Discussion on exploring how to expand this initiative to the existing complete group participating banks in the consensus, common identifier for the template, bespoke subscription requirement for different banks.

Decisions Made

  • Decision to float the governance process in place before the data model finalisation.
  • Decision on making it an open meeting with active participation, minimum attendance quorum, voting process on process discussed.

Action Items

  • Creation and maintenance of a formal governance process guiding the common template model.
  • Proposal of change management process.
  • Set up further meeting to help the working group with an initial overview and working knowledge of CDM and Legend Studio.

WebEx info

WS-2020-0163 (Medium) detected in marked-0.7.0.js

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.7.0.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.7.0/marked.js

Path to vulnerable library: finos-fo/website/node_modules/marked/lib/marked.js

Dependency Hierarchy:

  • marked-0.7.0.js (Vulnerable Library)

Found in HEAD commit: 8a85da74af12dda4095dcafaf3ad66599e8d67ba

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

26 APR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, APR 26 2021 - 10am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • FINOS Governance Policy update
  • Continue to discuss and finalize the EqOption template attributes
  • Q&A

Minutes of the meeting

  • An overview of the FINOS Governance Policy "Community Specification" has been shared with the working group.
  • Discussed and went through the entire sample EqOption template in the meeting.

Decisions Made

  • Participants to fully review the sample EqOption template and come back with any feedback by 2 May 2021.

Action Items

  • FINOS to share the presentation deck, Community Specification licenses and existing license example.
  • Project leads to circulate the latest sample EqOption template for participants to review before the next meeting.

WebEx info

04 03 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 04 03 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • PriceQuantity Proposal
  • Other Attributes for Review from Sample fPML: PricingDates, BalanceOfFirstPeriod
  • Proposed Addition: RoundingRule

Discussion Points

  • Previous meeting minutes approved
  • PriceQuantity: The refactor of PriceQuantity supports the commodity use case, however updates need to be made to the PeriodEnum to cover the Commodities use case. The group discussed various ways in which this could be performed, with the tentatively agreed approach to model enums that reference a time period in PeriodEnum & those that fall outside of that category in PeriodExtendedEnum. There are additional enums that require more thought due to them being more abstract in the context of period (e.g. seasonal).
  • BalanceOfFirstPeriod: This feature was captured in work completed last year and will be available in upcoming release.
  • PricingDates: Requirement to add the terms included within pricingDates was highlighted and the group discussed whether it is appropriate to add the PricingDates class within ObservationDates or to add the required terms directly into periodicDates. Proposal will be put together before the next session.
  • Rounding: Topic deferred.

WebEx info

25 03 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 25 03 2021 - 11am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Continue discussion on Quantity Frequency, PricingDates & Rounding.
  • Agree if ready for proposal to ARC on 30th Mar
  • Proposed break week for session scheduled 01 Apr

Discussion Points

  • Previous meeting minutes approved.
  • Quantity Frequency Discussion: Group walked through feedback from GS related to quantity frequency.
    • Does HalfYear = 6Month in the context of Quantity Frequency? This concept is used in Gas & Power space where 6 month periods can represent seasons (e.g. Summer: Apr-Sep, Winter: Oct-Mar). In this context HalfYear = 6M and means that the value of HalfYear does not need to be added.
    • PerHour: Enum to be added to PeriodExtendedEnum in proposal.
    • Instead of stating PerCalculationPeriod, can a pointer be used or explicitly state in period terms (e.g. 3M)? Group agreed that a pointer could be used to specify the quantityFrequency in relation to the calculationPeriod or alternatively could be explicitly stated as period.
    • PerSettlementPeriodEnum: Appears this is used in relation to power contracts where SettlementPeriods is a specific object with fPML that defines delivery electricity. This was deferred through the commod swap work last year and group agreed to bucket the addition of this enum with that work when it is addressed.
    • QuantityFrequency proposal encapsulating the above points will be presented to the ISDA ARC on 30/03/21.
  • PricingDates: Group looked to address the topic of pricingDates before moving onto the issue of rounding & walked a number of fPML samples for how this class is intended to be used. Through discussion the group was led to identify the potential addition of calculationPeriodDates being required, however noted that this would cause duplication/conflicts for the FX usage of AveragingRateFeature. GS to take away and explore solution that will satisfy both.
  • Group agreed that meeting next week (1-Apr) will be cancelled and will reconvene the following week (8-Apr).

Action Items

  • Action 1
  • Action 2
  • ...

WebEx info

CVE-2019-20149 (High) detected in io.jsv10.23.2

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - io.jsv10.23.2

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8a85da74af12dda4095dcafaf3ad66599e8d67ba

Vulnerable Source Files (0)

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

CVE-2021-23358 (High) detected in multiple libraries

CVE-2021-23358 - High Severity Vulnerability

Vulnerable Libraries - underscore1.12.0, underscore-esm-1.12.0.js, underscore-1.12.0.js

underscore-esm-1.12.0.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.0/underscore-esm.js

Path to vulnerable library: finos-fo/website/node_modules/underscore/underscore-esm.js

Dependency Hierarchy:

  • underscore-esm-1.12.0.js (Vulnerable Library)

underscore-1.12.0.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.0/underscore.js

Path to vulnerable library: finos-fo/website/node_modules/underscore/underscore.js

Dependency Hierarchy:

  • underscore-1.12.0.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

15 MAR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, MAR 15 2021 - 10am ET / 2pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Equity option template model discussion
  • Alternative solution - RVS
  • AOB, Q&A & Adjourn (5mins)

Minutes of the meeting

  • Addressed questions from past meeting (IP protection / Date format support in Studio).
  • Walked through the Eq Option Template model and some of the potential mapping with CDM attributes
  • An alternative solution "Bespoke API" has been presented.

Action Items

  • FINOS to provide the Legend Pilot WG participants breakdown.
  • GS to merge the indicative common template model to the Product Control common template project in FINOS Legend space.
    Participants to review and revert with feedback, if any.
  • GS to provide mapping example between the Eq Option template and CDM.

WebEx info

CVE-2020-26237 (Medium) detected in highlight.js9.18.5

CVE-2020-26237 - Medium Severity Vulnerability

Vulnerable Library - highlight.js9.18.5

Javascript syntax highlighter

Library home page: https://github.com/highlightjs/highlight.js.git

Found in base branch: master

Vulnerable Source Files (1)

finos-fo/website/node_modules/highlight.js/lib/highlight.js

Vulnerability Details

Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Publish Date: 2020-11-24

URL: CVE-2020-26237

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vfrc-7r7c-w9mx

Release Date: 2020-11-24

Fix Resolution: 9.18.2, 10.1.2

Clean-up FO Github Teams

The 3 GitHub teams for FO represent neither FINOS' revised governance nor the actual historical leaders and participants in the project.

The PMC, for now, should be @donbasuno and @HammadNYC. I am not sure why @jbjonesjr is in the FO teams. Ditto @ColinEberhardt. I can't recall either Jamie or Colin being involved in FO.

@mcleo-d @maoo, Can we delete the PMC group, especially given we have zero people in it and we've done away with programs/PMCs?

Note this will be the first step of clean-up -- there will be additional clean-up and updates if/as new project leads are chosen.

Choose new project leads for FO project

Both @HammadNYC and @donbasuno have announced their intention to step down as FO project leads.

By September 2020 or so, we should select new leads for the FO scope, likely concurrent with refining the scope/charter of the project.

At the July 30, 2020 FO meeting both Daniel Schwartz (Independent) and Stephen Murphy (Genesis) have expressed an interest in being leads.

Can we update the intro page?

Let's remove the Contribute piece with the forking instructions. It's too technical for the FO group.

Any concerns?

Johan

WS-2019-0291 (High) detected in handlebars-4.1.2.tgz

WS-2019-0291 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /finos-fo/website/package.json

Path to vulnerable library: /tmp/git/finos-fo/website/node_modules/handlebars/package.json

Dependency Hierarchy:

  • typedoc-0.15.0.tgz (Root Library)
    • handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0

Request for Comment (RFC): The Future of Financial Objects

The FINOS Financial Objects ("FO") project has existed for several years and is one of FINOS’ oldest projects.

Our two current lead maintainers of the project (previously the PMC for the FO program, before programs were deprecated), Hammad Akbar of Citi (@HammadNYC) and Johan Sandersson (@donbasuno) of Factset, both have announced they need to step down as leads due to new roles they’ve taken in their respective firms.

Meanwhile, progress in the project has slowed in the last few months after an active 2018 and 2019, during which time much of the work was focused on 1) modeling RFQ in the context of an Interest Rate Swap, and 2) working on a set of base entity and instrument objects (see example). The objects developed by the FO project are used in the FDC3 standard and also have been used in production use cases w/ trading workflows that several sell-side FINOS members have created with a couple buy-sides.

Of note and as context, there also has been object modeling work occurring within FINOS beyond FO, specifically and especially in the Alloy pilot project.

Per the discussion had at the FO meeting on July 30, and before we choose new project leads, now would be the right time to affirm whether we should continue a Financial Objects project within FINOS and, if so, what the remit (scope) of that project should be.

With that context, this is a Request for Comment (RFC), to conclude August 11, in which we’d like to hear input on:

  • Should there continue to be a “Financial Objects” project within FINOS?

  • If you think the Financial Objects project should continue on, how should the scope and focus change, if at all?

  • Does it make sense to have a “central clearinghouse” project (i.e., “Financial Objects”) that is the de facto place where object modeling / type dictionary type work happens?

    • Alternatively, should modeling be done, as needed, within the scope of other FINOS projects?
  • To what degree would it be valuable for the FO project to be an envoy of sorts to similar initiatives and standards bodies in the industry? In other words, can this project be helpful by also knowing the "lay of the land" of other taxonomies, type dictionaries, standards, etc. out there?

  • What is the connection/overlap with the work/scope of the Security Reference Data project, and, in particular, the newly launched Currency Reference Data work stream?

  • To what degree is FINOS the right venue to define common object/components for the industry?

  • Should the two modeling initiatives within the Alloy pilot - the FX Options work stream to extend the existing FX Option model in ISDA CDM, and the Commodity Reference Data work stream - move into FO once Alloy is open sourced, creating a cleaner separation of concerns between the project to build out the Alloy platform (the Alloy project in FINOS) from modeling work that makes use of that platform?

  • Overall, how can the work of FO be maximally useful to other FINOS projects as well as other efforts within the industry?

Our intention is to use your feedback here as input to a subsequent FO meeting, to be scheduled for late August, at which we expect to:

  • Affirm that FO should continue on as a project (or, instead recommend to the FINOS ED and board that the project be archived, and the project effectively ceased). Provided the group decides FO should live on then additionally at that meeting we will/would...

  • Discuss, deliberate, and set a revised remit/scope

  • Choose new project maintainers and lead maintainers (If you’re interested in serving as lead or maintainer, please let us know in the comments here too; I believe Daniel Schwartz, an independent consultant active in several FINOS projects, and Stephen Murphy, CEO of FINOS member Genesis, have expressed interest to date).

Overall I think the necessary pre-conditions for the FO project to continue on and thrive are:

  • A clear scope/remit/charter that connects to specific, targeted, concrete, and pressing problems/opportunities in the industry w/ propensity to create EBITDA measurable value for FINOS members, the community and the wider financial services ecosystem.
  • Motivated project lead maintainers, maintainers, and contributors ready to roll up sleeves to commit time, definitions, and code to the project on a sustained basis.

Thank you for taking the time to add your thoughts.

Rob U

Deprecate old GitHub content

This repository contains code and content that is not maintained, such as code generation tools for basic object modeling.

I would suggest to create a branch called pre-2021 and then clean up the master branch.

As I was the one designing code and website contents, I'd be happy to take care of this.

07 APR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, APR 07 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Participant feedback and progress on working on Legend Studio and model to model mapping creation.
  • Discuss the follow up action point for missing CDM attributes for model to model mapping.
  • Discussion on underlier identifier mapping details to be used in common model - RIC/BBG id/ISIN, etc.
  • Initiate discussion on conclusion of the proof of concept and complete by next week’s meeting
  • Q&A

Minutes of the meeting

  • Approval of the past meeting minutes.
  • Participants' feedback on user experience on Legend Studio and CDM mappings.
  • Discussed the missing CDM attributes for model to model mapping and the minimum required attributes to be added into CDM model to enhance the common template model in Legend.
  • Discussed the need for industry standard common underlier identifiers for model to model mapping to eliminate the need to maintain multiple underlier mappings.
  • FINOS is hosting a Securities Reference Data working group on industry standard common identifiers for trades. Participants to connect with FINOS if they want to join this Working group.

Decisions Made

  • N/A

Action Items

  • Participants to review the legend studio and explore working on model to model mapping locally and feedback the user experience to the working group before the Project maintainers meeting on Monday, 19th April.
  • Project Lead to reach out to ISDA for potential solutions on adding the missing attributes in CDM for model to model mapping.
  • Project Lead to send an initial version of the equity vanilla model attributes to the participants and gauge suggestions on further inclusions or exclusions vis-à-vis the individual template.
  • FINOS to share the IP/Governance policy updates in the upcoming meetings.
  • FINOS to invite the Securities Reference Data Working Group leads to provide overview and objectives of the project.

CVE-2021-24033 (Medium) detected in [email protected]

CVE-2021-24033 - Medium Severity Vulnerability

Vulnerable Library - [email protected]

Set up a modern web app by running one command.

Library home page: https://github.com/facebook/create-react-app.git

Found in HEAD commit: 8a85da74af12dda4095dcafaf3ad66599e8d67ba

Vulnerable Source Files (1)

finos-fo/website/node_modules/react-dev-utils/getProcessForPort.js

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution: react-dev-utils-11.0.4

11 03 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 11 03 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Agree on Proposals for ISDA ARC Meeting next week:
    • Frequency Extensions: DayType Addition, Enum Additions
    • PricingDates representation in ObservationDates
    • Rounding?
  • Asian Option Multi Period - Discussion
  • AOB, Q&A & Adjourn (5mins)

Discussion Points

  • Previous meeting minutes approved
  • Frequency Extension: Group agreed on the proposed addition of DayType to the Frequency object to give the differentiation between business and calendar days. There were a number of different views in terms of how the Enum Additions should be added to the existing Period and PeriodExtended Enum objects. The group agreed that Period would be left unchanged and new additions that are needed for the commod use case would be captured in PeriodExtendedEnum.
  • Rounding - proposal to add a RoundingRuleType to the rounding object in order to be able to represent the different points applied in the calculation was agreed.
  • Rounding & Frequency Enhancements to be proposed to ISDA ARC in next session.
  • PricingDates topic was discussed and will require further discussion in the future sessions. The discussion focused predominantly on 1. where in AveragingRateFeature the attributes should sit 2. if the existing parametricDates class is leveraged or instead just add the required attributes themselves to an existing class.

11/02/2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 11/02/2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Group Introductions
  • Brief Recap of CDM Commodities Changes 2020
  • Agree Working Group Target Deliverables

Discussion Points

  • Brief recap of Commodities CDM developments from last year was given. The enhancements to the CDM model are expected to be released into Rosetta imminently.
  • Current ISDA CDM version in Legend Studio is slightly dated, aim to get model sync update before the next session.
  • Group discussed roadmap items for the working group & agreed that 3 near term topics will be addressed:
    1. Asian Options
    2. Bullet/Vanilla European Options
    3. Option Strategies Representation

Action Items

  • ISDA to give overview of the existing OptionPayout structure at the beginning of the next session which will form platform for identifying enhancements that need to be made to address the 3 topics above.

WS-2019-0333 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0333 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /finos-fo/website/package.json

Path to vulnerable library: /tmp/git/finos-fo/website/node_modules/handlebars/package.json

Dependency Hierarchy:

  • typedoc-0.15.0.tgz (Root Library)
    • handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.

Publish Date: 2019-12-05

URL: WS-2019-0333

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

08 04 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 08 04 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • ARC Feedback on Quantity Frequency Proposal
  • Continued Discussion on PricingDates Enhancement

Discussion Points

  • Quantity Frequency - initial proposal to ISDA ARC was to add DayType to existing CDM Frequency type (to differentiate Business and Calendar Days), and new enum 'H' (hour) to periodExtendedEnum. There were some points raised from the ARC suggesting that the usage of the 'Frequency' data type itself may not be correct here however the ARC discussion was not closed off so will need to be revisited in that forum before finalized feedback needs to be considered by this group. Members who were involved in that design did not receive any opposition at the time however the usage may have been expanded. This will be revisited post next discussion with ARC.
  • An additional question was raised in relation to the Business Day Convention that is applied to dates within the model and whether the model caters for it in relation to the different day types that can be used. It was demonstrated that the BDC is handled in multiple places within the model and also at the contract level which is used if no other BDC is specified at a sub level.
  • PricingDates: Group walked through the 3 FpML samples of pricingDates to give context of the potential enhancement that is needed within AveragingRateFeature to handle the Commodities use case. Currently within the existing design, ObservationDates object is used to specify either specific dates when a price is observed or periodic dates that would specify a frequency within a time period. The commodities use case for Asian options requires both the CalculationPeriods (frequency/interval the calculation is measured within the term of the contract) and the PricingDates (the specific/relative dates that the price is observed WITHIN each calculation period). This conflicts with the existing design and the group discussed through potential changes that would handle both the existing use case and the proposed commodities use case. Discussion was left open on proposal to potentially add CalculationPeriodDates to the AveragingRateFeature, remove PeriodicDates & add ParametricDates to ObservationDates. To be picked up again next week.
  • Takeaway: GS to share discussion material & examples.

FINOS Financial Objects Project Activation

Description

This issue has been created to encapsulate materials provided by the Financial Objects project team to directly drive the FINOS Financial Objects project to an Active state.

Steps to Complete

For each criteria listed below, the Financial Objects team must provide evidence that describes the project's maturity to progress the project state from an Incubating Project to an Active Project.

The supporting evidence and commentary should be provided in the comments of this issue prior to any further discussion and deciding vote.

FINOS Activation Criteria

https://finosfoundation.atlassian.net/wiki/spaces/FINOS/pages/75530376/Activation

Activation (promotion to Active State)
What it means for consumers? The Project is high quality, mature from a codebase and community dynamics perspective. The Project produces valuable releases to solve a useful business problem for our Community.
What it means for the Project Team? Increased visibility and positioning in FINOS web resources, marketing and Community building efforts like meetups, blog posts, etc.
QUALITY & SECURITY
Development Process

The Project adopts best-of-breed standards of distributed software development, including but not limited to:

  • semantic versioning
  • tagging / branch protection
  • continuous integration ("CI") and continuous delivery ("CD") where applicable

If Project Team chooses not to use the FINOS provided Open Developer Platform (ODP), a comparable SDLC should be adopted and made available.

Build & Release

The Project code/documentation release process is automated or at least well documented.

If code is published, publicly redistributed release binaries should be listed or referred to in the documentation (e.g. under the FINOS namespace in an artefact repository or package manager, e.g. NPM, Maven Central, etc.)

Security
  • No OWASP Top 10 warnings are present in the code
  • No long-standing medium or higher vulnerabilities (2+ months) and proper security disclosure processes
  • Any cryptographic functions and key lengths used within the software should be identified and vetted with Foundation's legal counsel in order to request compliance with U.S. Export policy.

Read more about FINOS Security vulnerabilities responsible disclosure and how to automate scanning with WhiteSource.

Documentation

The README.md must include or reference up to date:

  • end user docs, including a description of the software, feature overview, installation & configuration instructions
  • developer docs, including links to other external systems (further docs, wiki, CI & validation tools, artefact repository, change log / history, etc.)
  • where possible badges (e.g. from shields.io) are encouraged
  • sample code explaining how to use the project, library, standard, SDK, etc.
DIVERSITY & VIABILITY
Community: Project has active participation from 2+ independent individuals and/or organizations; Ideally Project Team members who make contributions in connection with their employment are doing so as part of their regular job duties.
Project Team: Project Team has/have demonstrated active involvement in PMC and have demonstrated commitment to furthering overall Program goals
License: Project must not have dependencies which effectively restrict how the project may be distributed or deployed and must not depend on any proprietary third-party components for their core functionality.
Trademark: Community is using a different established Project name or original contribution trademark is owned by FINOS. All Project related websites and assets are owned and hosted by FINOS.
ROADMAP & RESOURCES
Progress: Project has progressed against its public roadmap during incubation; roadmap is aligned with, and where applicable incorporated into, the overall program roadmap or backlog
Versioning: Project software is production grade and ready for large scale consumption. 1.0.0 version was released and announced to the announce@ mailing list.
Roadmap: Projects share and work to a public roadmap, aligned with the overall program roadmap.
FINOS Support: Project Team is largely self-sufficient, requiring minimal operational support from FINOS to govern and maintain the project. FINOS support switches to strategic growth of the Project in the Community.
GROWTH & ADOPTION
Usefulness: The Project demonstrably solves a real life use case in the Community. Evidence of adoption beyond the contributing individuals or firms (e.g., in the form of download statistics, listing known deployments or implementations, etc.)
Status Badging: Project Team commits to adopt the FINOS Active badge in the README.md once PMC approves activation, to properly signal to adopters the new state of the Project
HYGIENE & OPERATIONS
Compliance: The appropriate license text is included in each source file's header. See details and template
Community Inquiries: Community inquiries on the project channels (mailing lists, issues and pull requests, etc) are generally promptly answered
Meeting Hygiene: If the project meets regularly on-line, the Project Team has demonstrated a track record of publishing and distributing agenda no less than 24 hours before the meeting, and publishes meeting minutes after calls.
Transparency: Project Team has adopted a transparent governance model(*) consistent with FINOS Community governance. Work for new contributors is organized into issues within a public issue tracking system, as appropriate, tagged as "Good First Issues"

19 APR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, APR 19 2021 - 10am ET / 3pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Opening remarks by project leads, progress of the working group and discuss the roadmap ahead.
  • Common Unique Identifier walkthrough by OpenFIGI team.
  • Showcase an indicative Model to Model mapping in Legend.
  • Participant’s user experience feedback on model to model mapping creation in legend.
  • Q&A

Minutes of the meeting

  • Approval of the past meeting minutes.
  • Project leads shared the progress of the PoC working group and discussed the roadmap ahead.
  • Guest speaker provided an overview of open data FIGI (Financial Instrument Global Identifier).
  • Presentation of the indicative Model to Model mapping in Legend Studio.

Decisions Made

  • Continue to work on the sample EqOption template and the model to model mappings in the next 4 meetings.

Action Items

  • Require further discussion on below open points:
  • Initiate discussion with openFIGI with the group to arrive at industry common identifier.
  • How to handle/govern the model change management.
  • Finalize the sample EqOption template attributes and include missing attributes into CDM.
  • Attain more details from vendors on their IP considerations.
  • Discussion on how much model to model mapping should be open sourced.

29 04 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 29 04 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • ISDA ARC Feedback on Quantity Frequency & AveragingObservation Changes
  • Begin Options Strategies Discussion
  • Deferred Item to 6th May - Continued Physical European Option Discussion

Discussion Points

  • Feedback on ARC Proposals 1) Quantity Frequency: Group were advised that the proposed change relating to quantity frequency has been approved by the ISDA ARC & means that additions of 'DayType' to the Frequency object and a new enum of 'H' (Hour) will be added to periodExtendedEnum. 2) The proposals to refactor the current averaging feature are still open with the ARC. The reviews yielded question marks over the broader representation of date parameters within the CDM that need to be considered in line with the AveragingObservation changes.
  • Option Strategies Discussion: Group talked through different methods in how option strategies with multiple components could be represented. There were 2 possible approaches identified, i) leverage multiple optionPayouts within a single contract & ii) link multiple contracts via some form of identifier. The general consensus was that the first approach makes most sense and this is in line with other standard practices for representing structures/packages in the industry. The topic is due to continue to be discussed in future sessions so a finalized view can be formed and fed back into ISDA.
  • GS to take away and provide example scenarios of physical option contracts (deferred item) & also additional potential scenarios for options strategies for added context.

Renaming of finos-fo repo to financial-objects

Description

The name of the Financial Objects repository on GitHub finos-fo does not describe the project and is potentially difficult to find in the FINOS organisation and through GitHub and Google Search.

Potential Solution

By renaming the FINOS Financial Objects repository from finos-fo to financial-objects the new repo name describes the project and becomes easier to find in the FINOS GitHub organisation and through search.

The reference to FINOS is also maintained through the FINOS organisation on GitHub which is referred to within the following URL - https://github.com/finos/financial-objects

Potential Risks

  1. The current url https://github.com/finos/finos-fo/ is indexed on Google and is driving traffic to the project.
  2. The current url https://github.com/finos/finos-fo/ is referred to in documentation and will potentially need to change.
  3. The current url https://github.com/finos/finos-fo/ is referred to in code and will potentially need to change.

Next Steps

The viability of the change should be assessed by the Financial Objects project and potentially be discussed on an Open Developer Platform project call before prioritising the change if relevant.

18 02 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 18 02 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Existing OptionPayout Review - Ted (ISDA)/All
  • Asian Option FpML Sample Review - Shaun (GS)/All
  • AOB, Q&A & Adjourn (5mins)

Discussion Points

  • ISDA walked the group through the existing optionPayout, the price/quantity refactor and the commodities underlier representation that is held within the CDM. During the walkthrough some points were called out:
    • Quantity Frequency in the Quantity refactor is misrepresented and needs to be updated to be able to represent commodities quantities as a combination of Quantity/Unit/Frequency.
    • The underlier representation currently holds the terms that allow specification of which nearby contract is being referenced in relation to the benchmark commodity.
    • ISDA are looking to refactor the existing OptionStyle class within the CDM and could be addressed through this group.
    • A number of classes were identified as potentially being able to be incorporated into the OptionPayout to cover basic Commodities use case, with those being (PricingDates, Paymentdates & Rounding). This will be explored further in future sessions.
  • Group walked through an FpML example of a multi month Asian option. It was suggested that the optimal approach would be to focus on single period option to start and address multi period at a later date. The example FpML will be updated before the next session to factor this in.

WebEx info

CDM Event Modelling - KnockIn Function

As part of Phase 2 of the FX Pilot for Legend Studio, the WG had designed a CDM event function for KnockIn (KI) lifecycle events:
See Minutes 9Jul20 for details.

At the time the Studio feature for creating functions was to be built and submission was pending, but now the feature is ready for use.

The following CDM primitives formed the proposed KI function:

  • ObservationPrimitive
  • ExercisePrimitive

However, the CDM event model has since evolved and these primitives are deprecated. As a result, the proposed KI function will need further review and update, and the ask is to collaborate on creating a new KI function solution for the CDM.

Aug 25th 2020 - Financial Objects Meeting Minutes

Date

Tuesday Aug 25th 2020 - 11.30am EST

Untracked attendees

  • Ffion Wiggins / GS
  • Rich Robinson / Bloomberg
  • Minesh Patel / Regnosys
  • Azeef Jalaludin
  • Will Brown

Agenda

Decisions Made

  • Commodities Reference Data
    • Reference Data Model: there was general agreement to move forward with the proposal that the current "Securities Reference Data" project expands its scope to become the "Reference Data project" and that the Commod. Reference Data underlier piece (i.e. the reference data model) moves into that project under its own "Commodity Reference Data" workstream. This proposal has been added to the agenda of the next Securities Reference Data meeting on September 1st for discussion.
    • Commodity Payout model: As the Alloy Commodity Reference Data working group is expected to finalize the commodity payout model by early September, there is no need to define a "home" for this working group's collaboration.
  • Financial Objects: a decision was made to keep the FO project infrastructure (i.e. mailing lists, GitHub repo) open and available to the group for asynchronous collaboration. Recurring meetings will be cancelled and meetings will be scheduled on an ad-hoc basis. All meeting attendees were encouraged to sign up to the Financial Objects project mailing list, which can be done by emailing [email protected]. All communications relevant to the future and potential scope of the project will be carried out through the [email protected] mailing list and the GitHub issues raised in the Financial Objects GitHub repo (https://github.com/finos/finos-fo/issues).
  • CDM: the group will continue discussing the creation of a FINOS project to continue CDM Extension work after the Alloy Pilot. It was acknowledged that this workstream could potentially move into the Financial Objects projects but will be explored as an independent workstream/ project for now.

Action Items

  • Add items here

WebEx info

WS-2019-0318 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0318 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /finos-fo/website/package.json

Path to vulnerable library: /tmp/git/finos-fo/website/node_modules/handlebars/package.json

Dependency Hierarchy:

  • typedoc-0.15.0.tgz (Root Library)
    • handlebars-4.1.2.tgz (Vulnerable Library)

Vulnerability Details

A Denial of Service vulnerability was found in handlebars 4.x before 4.4.5. While processing specially crafted templates, the parser may be forced into an endless loop. Attackers may exhaust system resources.

Publish Date: 2019-12-01

URL: WS-2019-0318

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5

Further clarification of Instrument Dictionary IDs

Originally brought up by @lspiro-Tick42 during an FDC3 call.

While ISIN, SEDOL etc. might be somewhat self-explanatory, it would be beneficial if we could specify further exactly what data items should be used for the different ID types. E.g. "BBG" doesn't really clarify if it should be the "Bloomberg Terminal Symbol" or the "BPod Symbol".

Ideally I think these items should be specified by the provider or owner of the individual symbology scheme but as a start I think it makes sense if we document our thoughts and thus drive adoption and standardization that way.

A great topic for our next call and for us to form a subgroup to focus on this.

12 APR 2021 - Product Control Common Template Meeting Minutes

Date

Monday, APR 12 2021 - 10am ET / 3pm BST

Untracked attendees

  • Fullname, Affiliation, GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • FINOS IP Policy overview
  • Common Unique Identifier discussion
  • CDM attributes mapping discussion continues
  • Recap of latest status for model to model mapping
  • Q&A

Minutes of the meeting

  • Approval of the past meeting minutes.
  • Participants provided feedback on user experience on legend studio and CDM mappings.
  • Brief overview of the Project Governance & IP policy shared by FINOS. Participants to review the policy (https://github.com/CommunitySpecification/1.0) and share feedback with FINOS.
  • Feedback on the initial version of the equity vanilla model attributes shared with the participants.
  • Continued discussion on the optional/mandatory attributes for the equity vanilla option common template to be added to CDM.
  • Discussion to adopt industry standard common identifier for submission purpose to eliminate the need to maintain multiple mappings.
  • Revisited the latest model to model mapping in Legend Studio, the latest version is available in the product control common template project for participants to review.

Decisions Made

  • N/A

Action Items

  • Participants to feedback on the required attributes for the common template before the project maintainers meeting on Monday, 19th April.
  • Participants to feedback on the regional pricing time snap and the format to be used for the same in CDM.
  • Project Lead to reach out to ISDA on the additional attribute requirements mapping in CDM.
  • FINOS to invite the Securities Reference Data project leads to provide overview and objectives of the project in a future meeting.

Please note we are scheduled to run through the proof of concept working group updates with the project maintainers on Monday, 19th April. Please let us know if you want to discuss any points from the previous WG meetings next week.

WebEx info

CVE-2019-12043 (Medium) detected in hello-algorithm3c8367b3dbc7e7174d30bfa1a9270b3ab863ff7f

CVE-2019-12043 - Medium Severity Vulnerability

Vulnerable Library - hello-algorithm3c8367b3dbc7e7174d30bfa1a9270b3ab863ff7f

Library home page: https://github.com/geekxh/hello-algorithm.git

Found in HEAD commit: 8a85da74af12dda4095dcafaf3ad66599e8d67ba

Vulnerable Source Files (1)

finos-fo/website/node_modules/remarkable/lib/parser_inline.js

Vulnerability Details

In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.

Publish Date: 2019-05-13

URL: CVE-2019-12043

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

15 04 2021 - Commodities Payout Terms Meeting Minutes

Date

Thursday, 15 04 2021 - 11am ET / 4pm GMT

Untracked attendees

  • Fullname, Affiliation, GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Pricing Dates/Rounding Discussion Continued.
  • AOB, Q&A & Adjourn (5mins)

Discussion Points

  • Group walked through new proposal formed between Regnosys/GS/ISDA to be able to facilitate the changes required to support commodities within the existing Option/AveragingRate design. The proposed changes are:
    • Removal of observationDates, observationTime & fxRateObservable from ObservationDates object.
    • Creation of new ObservationTerms object which will be a property of the OptionPayout directly. The newly created class will allow for Observation elements to be specified across single and multiple dates and means that usage is not restricted to the Asian/Average scenario.
    • Asian/Average option will specify the date terms through ObservationTerms and then add additional averaging information into the pre-existing AveragingRateObservation (Class name will need to be changed as no longer covers the observations).
  • The updated proposal handles the concept of rounding in different places. The group have previously discussed creating a new RoundingRuleType enum to capture the application of rounding precision at the observation & average calculation level separately. The introduction of ObservationTerms allows for the existing rounding data type to be represented here and also in the pre-existing AveragingObservation to represent the 2 different applications that can be applied within the contract.
  • Additional consideration of the use of existing AveragingObservation type in the averagingStrikeFeature is needed & takeaway on GS & Regnosys to review what changes may also be required here.
  • Proposal for Asian Options (first deliverable of WG) will be put forward in the next ISDA ARC session in line with the changes above.
  • Group will turn focus to review Vanilla European Options in the next session. GS to provide samples for review beforehand.

WebEx info
