Hi everyone, here's a ping just to revive this thread.
@Emilia Torino <[email protected]> you might have received some GH notifications from me, which are related to @Luca Bello <[email protected]>'s images which are now being prepared to be published. I'm updating the list from above with the Docker Hub repos that should be monitored:

* Alertmanager (https://github.com/prometheus/alertmanager) -> https://hub.docker.com/r/ubuntu/alertmanager (new)
* Grafana Agent (https://github.com/grafana/agent) -> https://hub.docker.com/r/ubuntu/grafana-agent (new)
* Grafana (https://github.com/grafana/grafana) -> https://hub.docker.com/r/ubuntu/grafana
* Loki (https://github.com/grafana/loki) -> https://hub.docker.com/r/ubuntu/loki
* Mimir (https://github.com/grafana/mimir) -> https://hub.docker.com/r/ubuntu/mimir (new)
* SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
* Traefik (https://github.com/traefik/traefik) -> https://hub.docker.com/r/ubuntu/traefik (new)

[1] @Luca Bello <[email protected]> is this one postponed?

On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <[email protected]> wrote:
> Hi Emilia,
>
> that's great; thanks for following through!
>
> Cheers,
>
> Luca
>
> On 28/06/2023 22:18, Emilia Torino wrote:
>
> Hi Luca,
>
> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <[email protected]> wrote:
>
>> Hi Emilia,
>>
>> I did not look into it as our short-term priorities changed a little bit; if you need anything else from my side please let me know!
>>
>
> I did a search over the provided sources and only found one case where we have the project as a deb in the archive, which is alertmanager: https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>
> So unless you can confirm there are other debs in the archive matching the remaining upstream projects, alertmanager is the only one we can add to our CVEs monitoring service. I can add it right now.
>
> Let me know if you have any questions.
>
> Emilia
>
>> Cheers,
>>
>> Luca
>>
>> On 22/06/2023 17:37, Emilia Torino wrote:
>>
>> Hi all,
>>
>> Following up on this issue...
>>
>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>> > Sounds good to me. @Emilia Torino <mailto:[email protected]> do you need those repos to exist in Docker Hub before you can onboard these?
>>>
>>> We don't. Since we don't scan the upstream based ROCKs (we only need this for the deb based ones).
>>>
>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:
>>> >
>>> > Hello everyone,
>>> >
>>> > as mentioned before, the ROCKs we have are all based on upstream projects; the list is the following, as required:
>>> >
>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>> > * Grafana Agent (https://github.com/grafana/agent)
>>> > * Grafana (https://github.com/grafana/grafana)
>>> > * Loki (https://github.com/grafana/loki)
>>> > * Mimir (https://github.com/grafana/mimir)
>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>> > * Traefik (https://github.com/traefik/traefik)
>>> >
>>> > Please let me know if any of these qualifies!
>>>
>>> I am not sure how urgent this is, but if you help me identify the Ubuntu source packages associated we can make this faster. Otherwise we can work on this next week.
>>>
>>
>> Did you have a chance to check this?
>>
>>> >
>>> > Cheers,
>>> >
>>> > Luca
>>> >
>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>> >>
>>> >>     So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>> >>
>>> >> I think that would be fine for now. I'm reluctant to use the mailing list as a catch-all, but I think we can re-design this once there is an event bus at Canonical, so we rely less on emails.
>>> >>
>>> >> As for the other 10 ROCKs, @Luca Bello <mailto:[email protected]> let's first do the right due diligence on those, cause if a ROCK is not meant to be under the "ubuntu" namespace, then this security monitoring doesn't need to apply.
>>> >>
>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]> wrote:
>>> >>
>>> >>     Hi all,
>>> >>
>>> >>     On 31/5/23 04:03, Luca Bello wrote:
>>> >>     > Hi everyone,
>>> >>     >
>>> >>     > as said in the thread already, the prometheus image is indeed a ROCK based on the *prometheus/prometheus* repository.
>>> >>
>>> >>     That's very convenient. But just to be clear again, we are not "inspecting" the upstream based rocks the same way we do for the deb based ones. We are only monitoring new CVEs created for prometheus, protobuf and consul. So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>> >>
>>> >>     > We're in the process of updating all of our ROCKs in a similar way, meaning we want to make sure we are complying with any guidelines you might have on them.
>>> >>     > We have about 10 ROCKs at the moment, mostly based on upstream projects just like this one. Should I share the full list, so you can track them?
>>> >>
>>> >>     I am happy to do an analysis of this list to see if we can add more. The short answer would be that if the software is packaged as a deb in main or universe (which is the situation for prometheus, protobuf and consul) then we can simply add them. This is because the service is based on the existing CVE triage work the security team does, which is mainly for debs (although it is now being extended to other ecosystems because of SOSS, but it is still limited and mainly supporting NVIDIA software).
>>> >>
>>> >>     A simple improvement though could be to map the projects to the rocks so you don't get a general notification, but one per ROCK as the USNs/debs based service does. We can work on adding this for the next cycle.
>>> >>
>>> >>     > Cheers,
>>> >>     >
>>> >>     > Luca
>>> >>     >
>>> >>     > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>> >>     >> Thank you for the swift action, Emilia!
>>> >>     >>
>>> >>     >> > Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>> >>     >>
>>> >>     >> Yes, precisely. @Luca Bello <mailto:[email protected]> is in the process of updating that image and we're re-doing our due diligence.
>>> >>     >> Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>> >>     >>
>>> >>     >> Can we then add this image to your list of tracked ROCKs?
>>> >>     >>
>>> >>     >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]> wrote:
>>> >>     >>
>>> >>     >>     Hey all,
>>> >>     >>
>>> >>     >>     On 30/5/23 13:14, Emilia Torino wrote:
>>> >>     >>     > Hi Cristovao,
>>> >>     >>     >
>>> >>     >>     > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>> >>     >>     >> Hi Emilia,
>>> >>     >>     >>
>>> >>     >>     >> could you please confirm the `prometheus` container image is being monitored?
>>> >>     >>     >
>>> >>     >>     > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>> >>     >>     >
>>> >>     >>     >> These emails' subject only mentions cortex and telegraf, but I can see "https://github.com/prometheus/prometheus" in the body of the email.
>>> >>     >>     >
>>> >>     >>     > Apologies for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
>>> >>     >>
>>> >>     >>     I investigated this bug and it should be solved already.
>>> >>     >>     There was an issue in the past, but we fixed it already. I thought it could be related, but I see this notification you are asking about is from March. If you check the last notification sent on Thu, May 4, 2:03 AM, it is correctly reporting about a single package (cortex only).
>>> >>     >>
>>> >>     >>     Let me know if you have any further questions.
>>> >>     >>
>>> >>     >>     > In this case, only a new CVE affecting consul has been created in our tracker: https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>> >>     >>     >
>>> >>     >>     > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understanding if the code/version present in the rocks is indeed vulnerable).
>>> >>     >>     >
>>> >>     >>     > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email; only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
>>> >>     >>     >
>>> >>     >>     > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
>>> >>     >>     >
>>> >>     >>     > Emilia
>>> >>     >>     >
>>> >>     >>     >>
>>> >>     >>     >> ---------- Forwarded message ---------
>>> >>     >>     >> From: <[email protected]>
>>> >>     >>     >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>> >>     >>     >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>>> >>     >>     >> To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
>>> >>     >>     >>
>>> >>     >>     >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
>>> >>     >>     >>
>>> >>     >>     >> * https://github.com/gogo/protobuf:
>>> >>     >>     >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>> >>     >>     >> * https://github.com/prometheus/prometheus:
>>> >>     >>     >>
>>> >>     >>     >> Please review your rock to understand if it is affected by these CVEs.
>>> >>     >>     >>
>>> >>     >>     >> Thank you for your rock and for attending to this matter.
>>> >>     >>     >>
>>> >>     >>     >> References:
>>> >>     >>     >>
>>> >>     >>     >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>> >>     >>     >>
>>> >>     >>     >> --
>>> >>     >>     >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>> >>     >>     >> Post to : [email protected]
>>> >>     >>     >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>> >>     >>     >> More help : https://help.launchpad.net/ListHelp
>>> >>     >>     >>
>>> >>     >>     >> --
>>> >>     >>     >> Cris
>>> >>     >>
>>> >>     >> --
>>> >>     >> Cris
>>> >>
>>> >> --
>>> >> Cris
>>> >
>>> > --
>>> > Cris
>>
>> --
>> Cris
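The thread above describes two things the notification service got wrong or wanted to improve: the March email listed every monitored upstream project even though only consul had a new tracker entry, and notifications were sent per list rather than one per ROCK as the deb-based service does. The following is an added illustration of that per-ROCK, affected-only layout; it is not code from the thread or from Canonical's monitoring service. The ROCK-to-upstream mapping, the CVE feed and the helper names (affected_projects_by_rock, render_notification, build_all) are constructed for the example and are not taken from any real rockcraft.yaml or tracker export.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (upstream repo URL, CVE id, tracker URL)
CveEntry = Tuple[str, str, str]

# Constructed example data (not from the thread): which upstream repositories
# each ROCK is built from. In practice this would be read from each rock's
# rockcraft.yaml (the `source:` of its parts); the mapping here is invented.
ROCK_SOURCES: Dict[str, List[str]] = {
    "cortex": [
        "https://github.com/gogo/protobuf",
        "https://github.com/hashicorp/consul",
        "https://github.com/prometheus/prometheus",
    ],
    "telegraf": ["https://github.com/hashicorp/consul"],
    "prometheus": ["https://github.com/prometheus/prometheus"],
}

# Constructed feed of newly created tracker entries for monitored projects.
# Only consul has a new entry, matching the situation in the March email.
NEW_CVES: List[CveEntry] = [
    ("https://github.com/hashicorp/consul", "CVE-2023-0845",
     "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845"),
]


def affected_projects_by_rock(rock_sources, new_cves):
    """Return {rock: {repo: [cve ids]}} containing only rocks that are built
    from a project with a new CVE, and for each rock only those projects.

    Monitored projects without a new entry are deliberately dropped: listing
    them with an empty CVE list (as the March notification did) reads as if
    they were affected too.
    """
    cves_by_repo = defaultdict(list)
    for repo, cve_id, _url in new_cves:
        cves_by_repo[repo].append(cve_id)

    result = {}
    for rock, repos in rock_sources.items():
        hits = {repo: sorted(cves_by_repo[repo])
                for repo in repos if repo in cves_by_repo}
        if hits:  # rocks with nothing new get no mail at all
            result[rock] = hits
    return result


def render_notification(rock, hits, new_cves):
    """Build (subject, body) for a single rock, mirroring the per-ROCK layout
    of the deb-based service: one mail per rock, projects listed only when
    they have a new CVE, tracker links collected under References."""
    subject = f"CVEs potentially affecting {rock}"
    tracker = {cve_id: url for _repo, cve_id, url in new_cves}
    lines = ["New CVEs affecting packages used to build upstream based rocks "
             "have been created in the Ubuntu CVE tracker:", ""]
    refs = []
    for repo in sorted(hits):
        ids = hits[repo]
        lines.append(f"* {repo}: {', '.join(ids)}")
        refs.extend(tracker[i] for i in ids)
    lines += ["", "Please review your rock to understand if it is affected "
              "by these CVEs.", "", "References:", ""]
    lines += sorted(set(refs))
    return subject, "\n".join(lines)


def build_all(rock_sources, new_cves):
    """One (subject, body) per affected rock; unaffected rocks get nothing."""
    hits = affected_projects_by_rock(rock_sources, new_cves)
    return {rock: render_notification(rock, hits[rock], new_cves)
            for rock in hits}


if __name__ == "__main__":
    for rock, (subject, body) in build_all(ROCK_SOURCES, NEW_CVES).items():
        print(f"Subject: {subject}\n{body}\n")
```

With the constructed data, cortex and telegraf each get a mail naming only consul and CVE-2023-0845; the prometheus rock gets none, and prometheus/protobuf never appear in a body unless they have a tracker entry of their own. As Emilia notes in the thread, a listing is still only a "potentially affected" signal: whether the version built into the rock is actually vulnerable remains a triage step outside this code.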
-- Mailing list: https://launchpad.net/~observability Post to : [email protected] Unsubscribe : https://launchpad.net/~observability More help : https://help.launchpad.net/ListHelp

