Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependencies vulnerability scanning #3167

Closed
shahar-h opened this issue Apr 10, 2024 · 1 comment · Fixed by #3261
Closed

Dependencies vulnerability scanning #3167

shahar-h opened this issue Apr 10, 2024 · 1 comment · Fixed by #3261
Assignees
@shahar-h
Labels
triage
Milestone
v1.1.0-rc1

Comments

@shahar-h
Copy link
Contributor

Description:
Currently There is an underlying dependency vulnerability scan as part of OpenSSF Scorecard workflow which is triggered on push to main branch.
OpenSSF is using osv-scanner behind the scenes:
https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities
https://google.github.io/osv-scanner/
We currently have score 7 since there are several vulnerabilities:
image

It is not clear what is the origin of the vulnerabilities unless we run osv-scanner locally.
Do you think we should add an additional scan as part of separate GH workflow or keep it like it is?
We can use either trivy or osv-scanner. I think osv-scanner should be preferred so we can be aligned with OpenSSF scorecard.

In addition, should this be triggered also on PRs? It has the downside of blocking PRs in case of unfixed vulnerabilities.

Please share your thoughts.
@guydc guydc added this to the v1.1.0-rc1 milestone Apr 10, 2024
@shahar-h
Copy link
Contributor Author

shahar-h commented Apr 19, 2024
edited

When running osv-scanner locally I could see that all identified vulnerabilities are related to non-root go modules:

  • site/go.mod
  • tools/src/buf/go.mod
  • tools/src/controller-gen/go.mod
  • tools/src/protoc-gen-go-grpc/go.mod
  • tools/src/setup-envtest/go.mod
    These vulnerabilities are displayed in ossf scorecard grouped by vulnerability id, except stdlib vulnerabilities which are ignored by ossf-scorecard(which are all related to old go version in site/go.mod).

I have some thoughts/questions regarding the way forward:

  1. Do we care about vulnerabilities in non-root modules?
  2. In case we don't how should we handle them?
    1. Scan only root module? In this case the vulnerabilities will still influence openssf scorecard since it triggers osv-scanner with recursive mode.
    2. Scan recursively and triage all non-root modules vulnerabilities? This means adding a osv-scanner.toml file with triaged vulnerabilities in each relevant module. This also means that we need to remember to clean fixed vulnerabilities once they are updated.
    3. Scan recursively and fix issues in non-root modules by adding temporary replace directives(assuming all dependencies are periodically upgraded by dependabot). Also here we need to remember to clean stale replace directives.
  3. What should be our policy for vulnerabilities which have no fix yet? Should we temporarily add them to ignored list so PRs won't be blocked? Or maybe run the scan only upon merge?

@shahar-h shahar-h mentioned this issue Apr 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shahar-h shahar-h

Labels
triage
Projects
None yet
Milestone
v1.1.0-rc1
Development

Successfully merging a pull request may close this issue.

ci: add osv-scanner workflow shahar-h/gateway
2 participants
@shahar-h @guydc