Conversation
document vulnerability management in relation to security management and problem resolution Resolves: ##1941
masc2023
requested review from
PandaeDo,
aschemmel-tech and
pahmann
as code owners
|
|
|
The created documentation from the pull request is available at: docu-html |
|
|
||
| For safety-relevant components (ASIL B), additional analysis addresses: | ||
|
|
||
| * Potential for vulnerability to cause hazardous behavior |
There was a problem hiding this comment.
| * Potential for vulnerability to cause hazardous behavior | |
| * Potential for vulnerability to cause hazardous behaviors |
|
|
||
| Regarding platform specifics: | ||
|
|
||
| * Vulnerabilities are classified by severity (Critical, High, Medium, Low) based on CVSS scores and platform-specific impact |
There was a problem hiding this comment.
Is there a reason why we don't use none as severity?
There was a problem hiding this comment.
That can be mapped to ISO 21434 feas. rating 1:1, there are only 4, low is more or less accepted
|
|
||
| * Vulnerabilities are classified by severity (Critical, High, Medium, Low) based on CVSS scores and platform-specific impact | ||
| * Security-relevant components receive priority attention in vulnerability scanning and remediation | ||
| * Module-specific vulnerability management is coordinated through module security plans |
There was a problem hiding this comment.
Vulnerability management isn't mentioned in the process description and also not in the template. We might give this as a input into the work of @sunildevda, @CryptoNutcase to make it a little bit clearer / easier to find for contributers.
There was a problem hiding this comment.
Yes, correct, but this time we want to implement something faster the defined, will create ticket for them. As you can see in the top, should be not own process area, but part of Security Management, Problem Resolution, eclipse-score/process_description#575
| * The tailoring is divided into project-wide and module-specific rules | ||
| * Project-wide tailoring is documented in this document based on platform OoC development | ||
| * Module OoC specific tailoring is documented in module development security plans | ||
| * Vulnerability management follows the Eclipse Foundation Security Policy and procedures |
There was a problem hiding this comment.
| * Vulnerability management follows the Eclipse Foundation Security Policy and procedures | |
| * Vulnerability management follows the Eclipse Foundation Security Policy (`Eclipse Foundation Security Policy <https://www.eclipse.org/security/policy/>`_) and procedures |
|
|
||
| * Vulnerabilities are classified by severity (Critical, High, Medium, Low) based on CVSS scores and platform-specific impact | ||
| * Security-relevant components receive priority attention in vulnerability scanning and remediation | ||
| * Module-specific vulnerability management is coordinated through module security plans |
There was a problem hiding this comment.
| * Module-specific vulnerability management is coordinated through module security plans | |
| * Platform-specific vulnerability management is coordinated through platform security plan | |
| * Module-specific vulnerability management is coordinated through module security plans |
|
|
||
| *Manual* | ||
|
|
||
| * Security code reviews as defined in :doc:`software_development` |
There was a problem hiding this comment.
To be honest. I think we (and you can address it to me if you agree on my thoughts) shall add this to the SDP
There was a problem hiding this comment.
Sure, the idea is here, only to mentioned in in the draft version and you can move it after merging to the other documents and cross link, agreed? If yes, please make a ticket and we can add it here to the PR
| *Manual* | ||
|
|
||
| * Security code reviews as defined in :doc:`software_development` | ||
| * Security-focused verification activities per :doc:`software_verification` |
There was a problem hiding this comment.
Also here. I think we can improve the description of security focused verification activities a little bit.
|
|
||
| * Security code reviews as defined in :doc:`software_development` | ||
| * Security-focused verification activities per :doc:`software_verification` | ||
| * Architecture and design security reviews (security analysis) |
There was a problem hiding this comment.
| * Architecture and design security reviews (security analysis) | |
| * Architecture and design security reviews (by performing security analysis) |
|
|
||
| *Initial* | ||
|
|
||
| Upon discovery, vulnerabilities are triaged within T.B.D. working days: |
There was a problem hiding this comment.
Isn't it defined in the following table under vulnerability remediation?
There was a problem hiding this comment.
this is from the identification to the decision, that it is an vulnerability and needs remdiation, below table is after that, the remediation has to be implemented, another time
| * Labels: T.B.D. ``security``, ``vulnerability``, plus severity labels (``critical``, ``blocker``, ``major``, ``minor``) | ||
| * Template: :need:`gd_temp__problem_template` extended with vulnerability-specific attributes | ||
| * Workflow: Problem Resolution workflow (open → in review → in implementation → closed/rejected) | ||
| * `Projects dashboard for visual tracking and status management <https://www.eclipse.org/security/policy/>`_ |
There was a problem hiding this comment.
I guess the Link isn't correct
| * :need:`rl__project_lead` - Escalation point and resource allocation for critical vulnerabilities | ||
| * Committers - Responsible for implementing vulnerability fixes within their areas | ||
| * Module Security Managers - Coordinate vulnerability management for specific modules | ||
|
|
There was a problem hiding this comment.
Where is the role Module Security Manager defined => shall be linked
| * Relevant committers with domain expertise | ||
| * Quality Manager for verification coordination | ||
| * Safety Manager for safety impact analysis (if applicable) | ||
|
|
|
General topic: unclear, which releases to be examined. Only latest? All releases? And which one shall be repaired? Is it sufficient to announce with a new release that older versions are replaced and not valid and have issues inside? |
Add link to Project Management Plan, as there are Milestones Roadmap defined, so for all planned Releases |
sunildevda
left a comment
sunildevda
left a comment
There was a problem hiding this comment.
@masc2023 added some points/questions from my side.
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| The S-CORE project embraces a culture of proactive vulnerability management and responsible disclosure. | ||
| Every contributor and committer is encouraged to report potential vulnerabilities through appropriate channels. |
There was a problem hiding this comment.
It is better to describe what is appropriate channels or just give a link for eclipse process and "say as explained in ... "
|
|
||
| For confirmed vulnerabilities, detailed analysis includes: | ||
|
|
||
| * CVSS v3.1 scoring |
There was a problem hiding this comment.
- why v3.1? latest version is 4.0.
- Also, we can give a link to the page for faster access (or guide the user to see end of the document for links). example: https://www.first.org/cvss/calculator/4.0
|
|
||
| * **GitHub Issues** - Primary tracking system: | ||
|
|
||
| * Issue type: Problem Report with type ``Security Vulnerability`` |
There was a problem hiding this comment.
We need to also include that "Category Security Related is set in the issue".
Additionally if the vulnerability affects safety then safety related has to be also set.
Example https://github.com/eclipse-score/process_description/blob/main/.github/ISSUE_TEMPLATE/1-bugfix.yml
|
|
||
| *Remediation Timelines* | ||
|
|
||
| Remediation Time Lines are based on vulnerability severity (mapped to problem classification): |
There was a problem hiding this comment.
which version should be fixed? only the latest version?
| @@ -0,0 +1,363 @@ | |||
| .. | |||
There was a problem hiding this comment.
I have some generic points that we need to consider for vulnerability management process. Don't know which is the right place where this should be mentioned (preferred would be this document itself). or may be these points are already mentioned but i didn't find them (if this is the case, please guide me to where i can find this).
- Vulnerabilities could be identified internally by SCORE community or externally. What is missing is the flow of how internally identified vulnerabilities be handled. I mean the general flow for internally identified defect would be a 1. defect is identified -> 2. then for each defect a question has to be answered, is this security relevant or not -> if yes, then all the additional steps mentioned here has to be followed. and we need to explain "when is a defect security relevant"
- What is the flow for creating CVEs and who will do it?
- Think we are missing the process of Lessons learnt at the end of the vulnerability handling. for each security vulnerability we should also do a lessons learnt and spread the lessons internally within the community so that we can build the culture of security.
- If i get it right, all the known vulnerabilities will ultimately show up here: https://www.eclipse.org/security/known/ and there is no separate or dedicated page for SCORE vulnerability. or? Also, in this page i miss the information which software releases are the vulnerability fixed, is this documented anywhere?
|
|
||
| * **Branch Protection** - All release and main branches have protection enabled | ||
| * **Security-First Development** - Security integrated throughout development lifecycle | ||
| * **Supply Chain Security** - SBOM generation for all releases per :need:`wp__sw_platform_sbom` |
There was a problem hiding this comment.
how does notification work? will security manager get an email when new vulnerability shows up?
|
|
||
| *Automated* | ||
|
|
||
| * **GitHub Dependabot** - Automated dependency vulnerability detection and update pull requests |
There was a problem hiding this comment.
Is there an example where Dependabot is already set up for other eclipse project? want to see how it looks, how the vulnerabilities are triaged in the tool, which sbom format (cdx or spdx) is used and so on..
There was a problem hiding this comment.
We should talk with the eclipse security team: https://www.eclipse.org/security/policy/
There was a problem hiding this comment.
Also take a look here: https://eclipse-csi.github.io/security-handbook/developer/branches.html
5 participants
document vulnerability management in relation to
security management and problem resolution
Resolves: ##1941