
External dependency release maturity #10471

Closed
htuch opened this issue Mar 20, 2020 · 20 comments · Fixed by #14334
Labels
area/security design proposal Needs design doc/proposal before implementation no stalebot Disables stalebot from closing an issue

Comments

@htuch (Member) commented Mar 20, 2020

I have recently been looking at our external dependencies and noticed that a number of external dependencies, e.g. https://github.com/grpc-ecosystem/grpc-httpjson-transcoding, https://github.com/google/jwt_verify_lib/, https://github.com/circonus-labs/libcircllhist, do not provide versioned releases.

I think this is a concern from a security perspective, since it is challenging to systematically monitor for new releases when security issues creep into our external dependencies. You essentially have to watch every commit. There are other problems, for example being unclear when it's safe to take a master snapshot and call it stable.

I would like to propose that we revise our security policy to disallow any new external repositories that might impact the data plane unless they show some release discipline. Basically, they should have some history of cutting releases and providing release notes. We should also downgrade the security posture of extensions relying on external repositories directly that do not have release discipline.

@envoyproxy/security-team

@htuch htuch added area/security design proposal Needs design doc/proposal before implementation labels Mar 20, 2020
@htuch (Member, Author) commented Mar 20, 2020

Other problematic repositories:

@htuch (Member, Author) commented Mar 20, 2020

Also CC @qiwzhang @kyessenov, do you folks know if you could add versioned releases and release notes to the repositories you own and pin Envoy to them? Thanks.

@kyessenov (Contributor) commented:

google/cel-cpp#51

@moderation (Contributor) commented Mar 20, 2020

My highly manual and not scalable solution is to track all dependencies in RSS. I usually run latest commit versions of all dependencies without releases. I'll occasionally include the updates in the regular dependency update PRs I make but there has been push back in the past on updating the non-release deps.

Full list of deps that don't have releases:

So the issue is quite large.

In addition to bazel/repository_locations.bzl there are the following in api/bazel/repository_locations.bzl. OpenCensus and PGV do have releases but they are not kept current.

* Either has releases we don't use or releases not updated to required commit

@antoniovicente (Contributor) commented:

How do we reconcile support for older Envoy releases with the need to pick up security fixes for base dependencies? We can't count on base libraries releasing fixes on a particular schedule. I think we wanted to avoid frequent updates to older releases.

Also, what can we do about existing dependencies that don't have regular releases?

@mattklein123 (Member) commented:

FYI I'm going to raise this issue with CNCF SIG-security as dependency tracking is an issue that has come up multiple times for many projects.

Also, what can we do about existing dependencies that don't have regular releases?

We probably need to start by enumerating all of our dependencies as we have started to do above, trying to get rid of as many dependencies as possible that we don't actually need, and then looking at the remainder on a case-by-case basis. The obvious issue here is that just because a dependency has released doesn't actually mean anything security-wise, so per @htuch we probably need to get some idea of what we want to see from dependencies in addition to arbitrarily snapped releases.

@htuch (Member, Author) commented Mar 23, 2020

The obvious issue here is that just because a dependency has released doesn't actually mean anything security-wise, so per @htuch we probably need to get some idea of what we want to see from dependencies in addition to arbitrarily snapped releases.

Yep. I think snapped releases are a necessary, not sufficient, condition, and a smell if missing. A more complete list of criteria for what constitutes a dependency we're willing to take would make sense.

Other things I'd like to see:

  • A security release policy (ideally in GH tab).
  • A security bug report contact address or bug system.
  • A history of having issued specific security releases.

Some of this might be hard to apply to smaller dependencies, but it's a sign of project maturity for the larger ones.

@twghu (Contributor) commented Mar 25, 2020

Wondering what the vetting process is for new dependencies.

Is there a gating procedure (apart from code reviews) that is currently in play?

  • cpe assignment
  • cna (CVE Numbering Authority, who can assign CVEs for specific dependencies)
  • transitive dependencies
  • recommendation of potential duplicity. (a new X lib provides functionality already provided by a current dependency Y)
  • security status (aka has security analysis been performed on said dependencies).

@htuch (Member, Author) commented Mar 25, 2020

@twghu I think these are all good points, I will put together a strawman policy document taking this and other points above into consideration.
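As an added example (not Envoy project code), the checks below apply the criteria raised by @htuch and @twghu above to dependency entries in the layout of Envoy's repository_locations.bzl: a pin must be a versioned release rather than a commit snapshot, anything on the data or control plane must carry a CPE, and a pinned release must not be stale. The three entries, the use_category names and the age threshold are constructed assumptions, not real Envoy dependency data.

```python
"""Dependency maturity check over repository_locations.bzl-style metadata.

Added example, not Envoy project code. It assumes the dict-of-dicts layout of
Envoy's bazel/repository_locations.bzl (version, release_date, cpe and
use_category keys) and the use_category names below; the entries in
SAMPLE_SPEC are constructed and do not describe real Envoy dependencies.
"""
import re
from datetime import date

# Constructed sample entries in the assumed repository_locations.bzl layout.
SAMPLE_SPEC = {
    "com_github_example_tagged": {
        "project_name": "example-tagged",
        "version": "1.4.2",
        "release_date": "2020-07-30",
        "cpe": "cpe:2.3:a:example:example-tagged:*",
        "use_category": ["dataplane_core"],
    },
    "com_github_example_snapshot": {
        "project_name": "example-snapshot",
        # Pinned to a bare commit on master: the "no versioned releases" case.
        "version": "3f8b2c1d9e0a7b6c5d4e3f2a1b0c9d8e7f6a5b4c",
        "release_date": "2019-01-15",
        "cpe": "N/A",
        "use_category": ["dataplane_ext"],
    },
    "com_github_example_buildtool": {
        "project_name": "example-buildtool",
        "version": "0.9.0",
        "release_date": "2020-06-01",
        "cpe": "N/A",
        "use_category": ["build"],
    },
}

# A commit snapshot is pinned by its full 40-hex SHA; a release tag never looks like this.
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Categories whose code sits in the request path or the control plane (assumed names).
RUNTIME_CATEGORIES = {"dataplane_core", "dataplane_ext", "controlplane"}
# How stale a pinned release may be before it is flagged (policy knob, assumed).
MAX_RELEASE_AGE_DAYS = 365


def is_versioned_release(version: str) -> bool:
    """True when the pin is a release tag/version rather than a commit SHA."""
    return COMMIT_SHA_RE.match(version) is None


def check_dependency(spec: dict, as_of: str,
                     max_age_days: int = MAX_RELEASE_AGE_DAYS) -> list:
    """Return the policy findings for one entry as of an ISO date (empty = conforms)."""
    findings = []
    runtime = bool(set(spec.get("use_category", [])) & RUNTIME_CATEGORIES)
    if not is_versioned_release(spec["version"]):
        # No release discipline: tracking security fixes means watching every commit.
        findings.append("pinned to a commit SHA, not a versioned release")
    if runtime and spec.get("cpe", "N/A") == "N/A":
        # Without a CPE there is nothing to match published advisories against.
        findings.append("runtime dependency without a CPE")
    age_days = (date.fromisoformat(as_of) - date.fromisoformat(spec["release_date"])).days
    if age_days > max_age_days:
        findings.append(f"pinned release is {age_days} days old")
    return findings


def audit(spec_dict: dict, as_of: str) -> dict:
    """Map dependency name -> findings, listing only dependencies that fail a check."""
    report = {}
    for name, spec in spec_dict.items():
        findings = check_dependency(spec, as_of)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SPEC, date.today().isoformat()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```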

@moderation (Contributor)

@keith (Member) commented Apr 6, 2020

Note that Bazel has some upcoming license aggregation features that might help normalize some of this: bazelbuild/bazel#10687

htuch added a commit to htuch/envoy that referenced this issue Aug 13, 2020
This patch introduces a set of automatically generated tables (based on repository_locations.bzl)
that enumerate the external dependencies that feature on Envoy's data/control planes, test, build, etc.

Version and CPE information is currently included. In the future, we will also have last updated,
distinguish core vs. extensions and populate with external dependency process maturity information.

Part of envoyproxy#10471

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch (Member, Author) commented Aug 16, 2020

Fun fact, we now have over 60 dependencies total and over 30 on the data plane (if you include Thrift/Kafka/Wasm/LuaJIT etc.). We (Google) will be doing some work in the next few months in this area and want to help drive the policy forward. The first step is to understand what we have today, which is what #12639 is aimed at.

htuch added a commit that referenced this issue Aug 18, 2020
This patch introduces a set of automatically generated tables (based on repository_locations.bzl)
that enumerate the external dependencies that feature on Envoy's data/control planes, test, build, etc.

Version and CPE information is currently included. In the future, we will also have last updated,
distinguish core vs. extensions and populate with external dependency process maturity information.

Part of #10471. This is essentially providing a programmatic variant of #10471 (comment). Future enhancements are
tracked at #12673.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch (Member, Author) commented Aug 21, 2020

While reading https://www.linuxfoundation.org/wp-content/uploads/2020/02/oss_supply_chain_security.pdf, one thing came up that should feed into our maturity definition. While the Envoy repository requires GitHub 2FA/MFA for all developers, it's unclear if this also applies to our dependencies. It seems reasonable to ask for this basic security practice in repositories we rely on, given the history of developer account compromises discussed in the paper. I don't know if GH provides a mechanism to determine this programmatically.

stedsome pushed a commit to stedsome/envoy that referenced this issue Aug 22, 2020
htuch added a commit that referenced this issue Sep 9, 2020
This will apply to all changes to external dependencies in future PRs.

Part of #10471

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch (Member, Author) commented Oct 5, 2020

https://bestpractices.coreinfrastructure.org/en/criteria/0 is a pretty decent list of best practices we could build on.

@htuch (Member, Author) commented Oct 8, 2020

@htuch (Member, Author) commented Nov 10, 2020

The OSSF Scorecards project just released some automatable checks, see https://github.com/ossf/scorecard#checks. This seems like a good baseline to adopt.

@htuch (Member, Author) commented Nov 19, 2020

I've put together a proposal for discussion at https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#, feedback and further input welcome.

@htuch (Member, Author) commented Nov 23, 2020

@envoyproxy/dependency-shepherds have reviewed #10471 (comment), it might be also a good idea to get feedback from @envoyproxy/maintainers on this proposal as it has implications for future dependencies as well as existing ones.

@htuch (Member, Author) commented Nov 25, 2020

I've run OSSF Scorecard criteria that we might adopt against all of the eligible deps, results at https://docs.google.com/spreadsheets/d/1caO4qMmG8o5i2nGoEof1qMpD5_WicfiC5WcxA_5isTY/edit#gid=0.

htuch added a commit that referenced this issue Nov 26, 2020
This script runs https://github.com/ossf/scorecard against the runtime Envoy deps. The criteria for
use_category and scorecard selection are described at
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#heading=h.xnpvc6pk0h0v.

Example output is at
https://docs.google.com/spreadsheets/d/1caO4qMmG8o5i2nGoEof1qMpD5_WicfiC5WcxA_5isTY/edit#gid=0.

The goal will be to evolve this script to help generate and validate metadata describing dependency
conformance.

Part of #10471.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch (Member, Author) commented Dec 3, 2020

Feedback has been incorporated in https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#. I'm wondering if there is anything else left before we can turn this into plan-of-record and start building out metadata/tooling for enforcement?

htuch added a commit to htuch/envoy that referenced this issue Dec 8, 2020
This patch converts
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#
to Markdown and provides a PR-based review of the policy, following
discussion in the doc and various offline threads.

Fixes envoyproxy#10471

Signed-off-by: Harvey Tuch <htuch@google.com>
htuch added a commit that referenced this issue Dec 11, 2020
This patch converts
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#
to Markdown and provides a PR-based review of the policy, following
discussion in the doc and various offline threads.

Fixes #10471

Signed-off-by: Harvey Tuch <htuch@google.com>
7 participants