
Security Disclosure document is out of date #4272

Closed
adoliver opened this issue Jan 24, 2022 · 11 comments · Fixed by #5094

Comments

@adoliver

Short description

The SECURITY.md document is not up to date with google removing RSS and with DWF dissolving. For PCI compliance I am looking to have automated notifications when my dependencies have security vulnerabilities. The ability to accomplish that seems to have been lost since the document was last updated.

At this point I did not find the ability to track either:

  • A programmatically searchable feed
  • A specific product or vendor in CVE listings

Examples:

Expected behavior

Some documentation of vulnerability disclosure which includes where to programmatically discover new disclosures when they are publicly announced.

comments

With a reserved identity in CVE system the onus could be on the rest of us to set up tracking for CVEs under that identity. Without that known identity I would have to rely on keyword matching the entire CVE content; making the process pull in numerous false-positives and being unable to validate the system in any way since there are no CVEs yet.

I would be content with an email list, but I imagine that would be a hassle for the project to maintain. My own request to join the announcement google group to receive notifications is still in limbo.

Offer to assist

I would be willing to devote time to figuring out a solution, but I am unaware of the project security team's process and what would be considered viable.

@ashutosh-narkar
Member

Thanks for filing this. Can you elaborate a bit more about the process of obtaining a reserved identity in CVE system. I do not think other graduated projects have obtained one either but it would be helpful to know what the process entails.

@adoliver
Author

The documentation mentioned that part of the disclosure process was creating a CVE, so I thought that knowledge was already present.

It's all new to me as well, but I can take a look at how CVEs are created, what's needed, etc., and report back.

@ashutosh-narkar
Member

Thanks for looking into this. Afaik, first there is a disclosure of the vulnerability and then a CVE ID is assigned to it.

@tsandall tsandall added this to Backlog in Open Policy Agent via automation Feb 3, 2022
@tsandall
Member

tsandall commented Feb 3, 2022

One option would be to use GitHub's Security Advisory feature. This allows us to draft and collaborate on the security advisory itself and then request a CVE. @adoliver any thoughts on that?

cc @srenatus

@srenatus
Contributor

srenatus commented Feb 3, 2022

+1, GitHub's feature also allows collaborating on the code fix itself in a responsible way.

@adoliver
Author

@tsandall We don't directly have this github repo as a dependency in any of our projects. We download and deploy the official docker container in our pipeline. I didn't notice any way to get notified of an advisory without having a github project with a dependency on this repo.

Our situation is we use gitlab and deploy a docker container. I'll have to look and see if there is a way to maybe have a dummy fork of this repo just to get the advisories.

@tsandall
Member

@adoliver we can set up a team in the OPA organization and invite select people to it--however, the main purpose of using the feature is that it lets us request CVEs easily. For example, we ran into a relatively obscure issue last month and we tested out the process here:

GHSA-hcw3-j74m-qc58

What came out of that is a CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-23628

I'm assuming that you would be able to just get notified about the CVE through existing channels. Is that true?

@adoliver
Author

adoliver commented Feb 28, 2022

@tsandall Apologies for the slow responses, navigating some hard deadlines and long hours at work.

I am probably ignorant of the "existing channels." This is my first deep dive into the CVE mechanisms. From what I can tell, because we deploy the official docker container pretty much directly (we have a local copy on our network and a sync process) there aren't any systems like NPM or a Go package manager which would inform us when a new opa CVE is released.

Would there be a situation where a CVE has not been created, but there would be mitigation steps that users should take during the investigation?
The current SECURITY.md has a shorter timeline for disclosure in a public channel than the timeline for creating a CVE. That suggested to me that there might be situations where mitigations would need to be disclosed before the CVE was generated.

How would you plan to communicate various mitigation steps besides a version upgrade, in the CVE description?
e.g. log4shell had mitigations which could be implemented until dependencies could be updated

Possible existing channels I can pursue:

  1. Searching the entire CVE database directly against the string "opa".
    1. seems problematic for false positives and on the off-chance the description would fail to contain "opa".
    2. Is there a CVE record attribute which would be guaranteed to exist and uniquely identify open-policy-agent in it when your team creates the CVE? I'm thinking of some small confusion I previously had with Cornelis Networks--though not related to CVE issues.
  2. Creating a fork of the open-policy-agent repo for the sake of being notified with github advisories
  3. I will spend more time looking and see if there is something similar to npm vulnerabilities for your docker source image.

When I get a respite from my current work schedule I will investigate the above which seem to be my best current options. The previously available google groups RSS seemed like a really simple way to get information "from the horse's mouth", but I respect wanting a streamlined process without extra steps if possible. When two information flows exist, one could always get forgotten by accident.

If you have any suggestions for something I'm missing I'm all ears.

@adoliver
Author

adoliver commented Mar 2, 2022

@tsandall update regarding searching the CVE database directly being somewhat unreliable.

This is just to demonstrate how searching can pretty easily go wrong without a concrete target.

I just noticed CVE-2017-11133 is not found by a simple CVE database word search. If you use MITRE's own website you will not find this CVE by searching for "CryptoJS", which appears in the description, but the search does not return CVE-2017-11133. MITRE must only search whole words, not substrings. I happened to run across this working on a different project; in this case I was curious about possible CVEs for a JavaScript cryptography library I am working with, but with this kind of behavior a negative result doesn't provide much confidence.

@srenatus
Contributor

Heya!

This is just to demonstrate how searching can pretty easily go wrong without a concrete target.

Your point certainly is valid for some software products. With OPA, I believe the overlap with other projects to be limited. Furthermore, do you know the Common Platform Enumeration (CPE)? It should have identifiers that allow you to track a certain software product directly, without any false positives or mixups.

Looking at our current only CVE, https://www.cvedetails.com/cve/CVE-2022-23628/, it already features a CPE id for OPA: cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*.

OpenCVE lets you search for vulnerabilities by CPE product; and it seems like you can even subscribe to that once you've registered an account there.

I would think that there must be something useful in the NVD area (https://nvd.nist.gov/vuln/data-feeds), too, but I haven't found it yet.
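
The CPE-based approach suggested in this comment, and the whole-word keyword search problem described in the Mar 2 comment above, side by side as an added example. This is editor-supplied code, not code from the OPA project or from any participant in the thread. It assumes the NVD CVE API 2.0 JSON layout (`vulnerabilities[].cve.{id,descriptions,configurations[].nodes[].cpeMatch[]}`); the feed it parses is constructed inline, with only the OPA CPE prefix and CVE-2022-23628 taken from the thread and all version bounds, description text and `CVE-0000-*` records invented as placeholders.

```python
"""CPE-based CVE tracking for one product, versus naive keyword search.

Added example by the page editor; not code from the OPA project or from anyone
in this thread. SAMPLE_FEED is CONSTRUCTED in the shape of an NVD CVE API 2.0
response: the OPA CPE prefix and CVE-2022-23628 come from the thread, while the
description text, version bounds and the CVE-0000-* placeholder records are invented.
"""
import json
import re
from typing import Dict, List, Tuple

OPA_VENDOR, OPA_PRODUCT = "openpolicyagent", "open_policy_agent"
OPA_CPE = f"cpe:2.3:a:{OPA_VENDOR}:{OPA_PRODUCT}:*:*:*:*:*:*:*:*"


def _record(cve_id: str, text: str, cpe_match: List[Dict]) -> Dict:
    """One NVD 2.0 record: cve -> descriptions[] and configurations[].nodes[].cpeMatch[]."""
    return {"cve": {"id": cve_id,
                    "descriptions": [{"lang": "en", "value": text}],
                    "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                                   "cpeMatch": cpe_match}]}]}}


SAMPLE_FEED = json.dumps({"vulnerabilities": [
    # Real ID from the thread; description text and version bound are constructed.
    _record("CVE-2022-23628",
            "Open Policy Agent (OPA) is an open source policy engine (constructed text).",
            [{"vulnerable": True, "criteria": OPA_CPE, "versionEndExcluding": "0.37.0"}]),
    # Placeholder: another vendor whose description happens to contain the token OPA.
    _record("CVE-0000-0001",
            "The OPA module of ExampleCorp Widget before 2.2 leaks credentials.",
            [{"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "2.2"}]),
    # Placeholder: affects OPA, but the text never contains the whole word OPA.
    _record("CVE-0000-0002",
            "Open Policy Agent 0.40.0 through 0.41.0 evaluates some policies incorrectly.",
            [{"vulnerable": True, "criteria": OPA_CPE,
              "versionStartIncluding": "0.40.0", "versionEndIncluding": "0.41.0"}]),
]})


def _ver(s: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (enough for x.y.z; use
    packaging.version for real-world strings with suffixes)."""
    return tuple(int(p) for p in s.split("."))


def cpe_match_affects(m: Dict, vendor: str, product: str, version: str) -> bool:
    """True if one cpeMatch entry covers vendor/product at the given version.

    CPE 2.3 layout: cpe:2.3:part:vendor:product:version:... (splitting on ':'
    is fine here; escaped colons in real CPE names would need a proper parser).
    """
    if not m.get("vulnerable", False):
        return False
    parts = m["criteria"].split(":")
    if len(parts) < 6 or parts[2] != "a" or parts[3] != vendor or parts[4] != product:
        return False
    v = _ver(version)
    if parts[5] not in ("*", "-"):          # explicit version inside the CPE itself
        return _ver(parts[5]) == v
    lo_in, lo_ex = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_in, hi_ex = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    if (lo_in and v < _ver(lo_in)) or (lo_ex and v <= _ver(lo_ex)):
        return False
    if (hi_in and v > _ver(hi_in)) or (hi_ex and v >= _ver(hi_ex)):
        return False
    return True


def affected_cves(feed_text: str, vendor: str, product: str, version: str) -> List[str]:
    """IDs of records whose configurations cover vendor/product at `version`.

    Nodes are treated as plain OR lists; AND/negate nodes (rare) are not modelled.
    """
    feed = json.loads(feed_text)
    return [item["cve"]["id"] for item in feed.get("vulnerabilities", [])
            if any(cpe_match_affects(m, vendor, product, version)
                   for cfg in item["cve"].get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", []))]


def keyword_cves(feed_text: str, term: str) -> List[str]:
    """Whole-word, case-insensitive search of English descriptions (the
    behaviour observed on the MITRE site in this thread)."""
    pat = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    feed = json.loads(feed_text)
    return [item["cve"]["id"] for item in feed.get("vulnerabilities", [])
            if any(pat.search(d["value"]) for d in item["cve"].get("descriptions", [])
                   if d.get("lang") == "en")]


if __name__ == "__main__":
    for deployed in ("0.36.0", "0.40.5", "0.42.0"):
        print(deployed, "->", affected_cves(SAMPLE_FEED, OPA_VENDOR, OPA_PRODUCT, deployed))
    print("keyword 'opa' ->", keyword_cves(SAMPLE_FEED, "opa"))
```

Run against the constructed feed, the CPE filter returns exactly the records that cover the deployed version, while the keyword search for "opa" pulls in the unrelated ExampleCorp record and misses the OPA record whose text never uses the token. For live data, the same `affected_cves` function can be pointed at the JSON returned by the NVD CVE API 2.0 (`https://services.nvd.nist.gov/rest/json/cves/2.0`, which accepts a `cpeName` query parameter); the OpenCVE subscription mentioned in this comment is the no-code alternative.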

@anderseknert
Member

Is there anything actionable left here, or can we close this issue?

@srenatus srenatus self-assigned this Aug 15, 2022
@srenatus srenatus moved this from Backlog to Planned - v0.43 in Open Policy Agent Aug 15, 2022
srenatus added a commit to srenatus/opa that referenced this issue Sep 6, 2022
It's easier to link to, and easier to find that way. Also, it's deliberately
not part of the versioned docs: we don't want anyone to find old information
when it's important.

Fixes open-policy-agent#4272.

Note that we won't win any style awards for this, but let's make CSS tweaking
a follow-up issue.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Open Policy Agent automation moved this from Planned - v0.44 to Done Sep 6, 2022
philipaconrad pushed a commit that referenced this issue Sep 6, 2022
This commit migrates the security policy to the OPA website. Also, it is
deliberately not part of the versioned docs; we don't want anyone to find old
information when it's important to get up-to-date information.

Fixes #4272.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
5 participants