From 83494cc4843e2a4854823b2dba312897f83ead43 Mon Sep 17 00:00:00 2001
From: Adrian Cole <adrian@tetrate.io>
Date: Sat, 13 Apr 2024 19:54:28 -1000
Subject: [PATCH 1/4] Adds SECURITY.md and scanning workflow

This adds SECURITY.md and a scanning workflow, using Trivy. In
particular, this clarifies what we use to scan for vulnerabilities
(Trivy, not anything else), and the only channel likely to be responded
to on a significant issue (zipkin-admin email, not advisories as people
ignored them).

I won't merge this until I get at least 2 approves. After that, I'll
help apply this to the other java repos.

Signed-off-by: Adrian Cole <adrian@tetrate.io>
---
 .github/workflows/security.yml | 52 ++++++++++++++++++++++++++++++++++
 RELEASE.md                     |  6 ++++
 SECURITY.md                    | 13 +++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 .github/workflows/security.yml
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..7f697f9c
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,52 @@
+---
+name: security
+
+# We don't scan documentation-only commits.
+on:  # yamllint disable-line rule:truthy
+  push:  # non-tagged pushes to master
+    branches:
+      - master
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+  pull_request:  # pull requests targeted at the master branch.
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+
+jobs:
+  security:
+    name: Security
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    # skip commits made by the release plugin
+    if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        name: Cache Trivy Database
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy
+          restore-keys: ${{ runner.os }}-trivy
+      - name: Run Trivy vulnerability and secret scanner
+        uses: aquasecurity/trivy-action@master
+        id: trivy
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'  # scan the entire repository
+          scanners: vuln,secret
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          output: trivy-report.md
+          cache-dir: .trivy
+      - name: Set Summary
+        shell: bash
+        if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+        run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
diff --git a/RELEASE.md b/RELEASE.md
index 2cbf8974..4fcb24ea 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,6 +2,12 @@
 
 This repo uses semantic versions. Please keep this in mind when choosing version numbers.
 
+1. **Verify all dependencies are up-to-date**
+
+   Before you start a release, make sure all dependencies are up-to-date, or are documented why not.
+   Pay special attention to the [security workflow](.github/workflows/security.yml), which should
+   run clean.
+
 1. **Alert others you are releasing**
 
    There should be no commits made to master while the release is in progress (about 10 minutes). Before you start
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..bba9ddbd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# OpenZipkin Security Process
+
+This document outlines the process for handling security concerns in OpenZipkin projects.
+
+Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml)
+should be addressed as a normal pull request.
+
+OpenZipkin is a volunteer community and does not have a dedicated security team. There may be
+periods where no volunteer is able to address a security concern. There is no SLA or warranty
+offered by volunteers. If you are a security researcher, please consider this before escalating.
+
+For security concerns that are sensitive or otherwise outside the scope of public issues, please
+contact zipkin-admin@googlegroups.com.

From d9e542b893e6bee53e9784cf5d0f5ac947095f5b Mon Sep 17 00:00:00 2001
From: Adrian Cole <adrian@tetrate.io>
Date: Sat, 13 Apr 2024 20:02:01 -1000
Subject: [PATCH 2/4] polish

Signed-off-by: Adrian Cole <adrian@tetrate.io>
---
 .github/workflows/lint.yml     | 2 +-
 .github/workflows/security.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6004746f..fe58404d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -23,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 
 jobs:
   lint:
-    name: Lint
+    name: lint
     runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7f697f9c..09d9c574 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -22,7 +22,7 @@ on:  # yamllint disable-line rule:truthy
 
 jobs:
   security:
-    name: Security
+    name: security
     runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"

From d9f103cf7bbe55b30666cc37277ff49f6c81db4b Mon Sep 17 00:00:00 2001
From: Adrian Cole <adrian@tetrate.io>
Date: Mon, 15 Apr 2024 06:21:33 -1000
Subject: [PATCH 3/4] note

Signed-off-by: Adrian Cole <adrian@tetrate.io>
---
 .github/workflows/security.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 09d9c574..977c22ed 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -49,4 +49,9 @@ jobs:
       - name: Set Summary
         shell: bash
         if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+        # Add the Trivy report to the summary
+        #
+        # Note: This will cause a workflow error if trivy-report.md > 1MiB.
+        # If this happened due to too many CVEs, consider fixing them ;)
+        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#step-isolation-and-limits
         run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY

From f5f9378bfcce49ba96e9ebd8bcb59ce9cdf7fc77 Mon Sep 17 00:00:00 2001
From: Adrian Cole <adrian@tetrate.io>
Date: Mon, 15 Apr 2024 06:24:03 -1000
Subject: [PATCH 4/4] lint

Signed-off-by: Adrian Cole <adrian@tetrate.io>
---
 .github/workflows/security.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 977c22ed..a7847fc8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -51,7 +51,6 @@ jobs:
         if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
         # Add the Trivy report to the summary
         #
-        # Note: This will cause a workflow error if trivy-report.md > 1MiB.
-        # If this happened due to too many CVEs, consider fixing them ;)
-        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#step-isolation-and-limits
+        # Note: This will cause a workflow error if trivy-report.md > the step
+        # limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
         run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY