Hi!

On Thu, Aug 17, 2023 at 9:53 AM Luca Bello <[email protected]> wrote:

> Hi everyone,
>
> that's correct, SeaweedFS is postponed :)
>
> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
> > Hi everyone,
> >
> > here's a ping just to revive this thread.
> >
> > @Emilia Torino <[email protected]> you might have received some GH notifications from me, which are related to @Luca Bello <[email protected]>'s images which are now being prepared to be published.
>
> Yes, I got them and I was also going to ping you all since from our last discussion I said: "I did a search over the provided sources and only found one case where we have the project as a deb in the archive, which is alertmanager: https://launchpad.net/ubuntu/+source/prometheus-alertmanager. So unless you can confirm there are other debs in the archive matching the remaining upstream projects, alertmanager is the only one we can add to our CVEs monitoring service. I can add it right now."
>
> I'm updating the list from above with the Docker Hub repos that should be monitored:
>
> * Alertmanager (https://github.com/prometheus/alertmanager) -> https://hub.docker.com/r/ubuntu/alertmanager (new)
> * Grafana Agent (https://github.com/grafana/agent) -> https://hub.docker.com/r/ubuntu/grafana-agent (new)
> * Grafana (https://github.com/grafana/grafana) -> https://hub.docker.com/r/ubuntu/grafana
> * Loki (https://github.com/grafana/loki) -> https://hub.docker.com/r/ubuntu/loki
> * Mimir (https://github.com/grafana/mimir) -> https://hub.docker.com/r/ubuntu/mimir (new)
> * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
> * Traefik (https://github.com/traefik/traefik) -> https://hub.docker.com/r/ubuntu/traefik (new)
>
> So unfortunately, all others can't be monitored with the existing solution.
>
> [1] @Luca Bello <[email protected]> is this one postponed?
>
> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <[email protected]> wrote:
>> Hi Emilia,
>>
>> that's great; thanks for following through!
>>
>> Cheers,
>>
>> Luca
>>
>> On 28/06/2023 22:18, Emilia Torino wrote:
>> Hi Luca,
>>
>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <[email protected]> wrote:
>>> Hi Emilia,
>>>
>>> I did not look into it as our short-term priorities changed a little bit; if you need anything else from my side please let me know!
>>
>> I did a search over the provided sources and only found one case where we have the project as a deb in the archive, which is alertmanager: https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>>
>> So unless you can confirm there are other debs in the archive matching the remaining upstream projects, alertmanager is the only one we can add to our CVEs monitoring service. I can add it right now.
>>
>> Let me know if you have any questions.
>>
>> Emilia
>>
>>> Cheers,
>>>
>>> Luca
>>>
>>> On 22/06/2023 17:37, Emilia Torino wrote:
>>> Hi all,
>>>
>>> Following up on this issue...
>>>
>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <[email protected]> wrote:
>>>> Hi all,
>>>>
>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>>> > Sounds good to me. @Emilia Torino <[email protected]> do you need those repos to exist in Docker Hub before you can onboard these?
>>>>
>>>> We don't. Since we don't scan the upstream based ROCKs (we only need this for the deb based ones).
>>>>
>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:
>>>> >
>>>> > Hello everyone,
>>>> >
>>>> > as mentioned before, the ROCKs we have are all based on upstream projects; the list is the following, as required:
>>>> >
>>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>>> > * Grafana Agent (https://github.com/grafana/agent)
>>>> > * Grafana (https://github.com/grafana/grafana)
>>>> > * Loki (https://github.com/grafana/loki)
>>>> > * Mimir (https://github.com/grafana/mimir)
>>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>>> > * Traefik (https://github.com/traefik/traefik)
>>>> >
>>>> > Please let me know if any of these qualifies!
>>>>
>>>> I am not sure how urgent is this, but if you help me identify the Ubuntu source packages associated we can make this faster. Otherwise we can work on this next week.
>>>
>>> Did you have a chance to check this?
>>>
>>>> > Cheers,
>>>> >
>>>> > Luca
>>>> >
>>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>>> >> So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simple replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>>> >>
>>>> >> I think that would be fine for now. I'm reluctant to use the mailing list as a catch-all, but I think we can re-design this once there is an event bus at Canonical, so we rely less on emails.
>>>> >>
>>>> >> As for the other 10 ROCKs, @Luca Bello <[email protected]> let's first do the right due diligence on those, cause if a ROCK is not meant to be under the "ubuntu" namespace, then this security monitoring doesn't need to apply.
>>>> >>
>>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]> wrote:
>>>> >>
>>>> >> Hi all,
>>>> >>
>>>> >> On 31/5/23 04:03, Luca Bello wrote:
>>>> >> > Hi everyone,
>>>> >> >
>>>> >> > as said in the thread already, the prometheus image is indeed a ROCK based on the *prometheus/prometheus* repository.
>>>> >>
>>>> >> That's very convenient. But just to be clear again, we are not "inspecting" the upstream based rocks the same way we do for the deb based ones. We are only monitoring new CVEs created for prometheus, protobuf and consul. So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simple replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>>> >>
>>>> >> > We're in the process of updating all of our ROCKs in a similar way, meaning we want to make sure we are complying with any guidelines you might have on them.
>>>> >> > We have about 10 ROCKs at the moment, mostly based on upstream projects just like this one. Should I share the full list, so you can track them?
>>>> >>
>>>> >> I am happy to do an analysis of this list to see if we can add more. The short answer would be that if the software is packaged as a deb in main or universe (which is the situation for prometheus, protobuf and consul) then we can simply add them. This is because the service is based on the existing CVE triage work the security team does, which is mainly for debs (although now is being extended to other ecosystems because of SOSS but it is still limited and mainly supporting NVIDIA software).
>>>> >>
>>>> >> A simple improvement though could be to map the projects to the rocks so you dont get a general notification, but one per ROCK as the USNs/debs based service does. We can work on adding this for the next cycle.
>>>> >>
>>>> >> > Cheers,
>>>> >> >
>>>> >> > Luca
>>>> >> >
>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>> >> >> Thank you for the swift action, Emilia!
>>>> >> >>
>>>> >> >> > Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>> >> >>
>>>> >> >> Yes, precisely. @Luca Bello <[email protected]> is in the process of updating that image and we're re-doing our due diligence. Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>> >> >>
>>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>>> >> >>
>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]> wrote:
>>>> >> >>
>>>> >> >> Hey all,
>>>> >> >>
>>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>>>> >> >> > Hi Cristovao,
>>>> >> >> >
>>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>> >> >> >> Hi Emilia,
>>>> >> >> >>
>>>> >> >> >> could you please confirm the `prometheus` container image is being monitored?
>>>> >> >> >
>>>> >> >> > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>> >> >> >
>>>> >> >> >> These emails' subject only mentions cortex and telegraf, but I can see "https://github.com/prometheus/prometheus" in the body of the email.
>>>> >> >> >
>>>> >> >> > Apologize for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
>>>> >> >>
>>>> >> >> I investigated this bug and it should be solved already. There was an issue in the past, but we fixed it already. I thought it could be related but I see this notification you are asking is from March. If you check the last notification sent on Thu, May 4, 2:03 AM is correctly reporting about a single package (cortex only).
>>>> >> >>
>>>> >> >> Let me know if you have any further question.
>>>> >> >>
>>>> >> >> > In this case, only a new CVE affecting consul has been created in our tracker https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>> >> >> >
>>>> >> >> > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understand if the code/version present in the rocks are indeed vulnerable).
>>>> >> >> >
>>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email, is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email, only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
>>>> >> >> >
>>>> >> >> > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
>>>> >> >> >
>>>> >> >> > Emilia
>>>> >> >> >
>>>> >> >> >> ---------- Forwarded message ---------
>>>> >> >> >> From: <[email protected]>
>>>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>>>> >> >> >> To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
>>>> >> >> >>
>>>> >> >> >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
>>>> >> >> >>
>>>> >> >> >> * https://github.com/gogo/protobuf:
>>>> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>> >> >> >> * https://github.com/prometheus/prometheus:
>>>> >> >> >>
>>>> >> >> >> Please review your rock to understand if it is affected by these CVEs.
>>>> >> >> >>
>>>> >> >> >> Thank you for your rock and for attending to this matter.
>>>> >> >> >>
>>>> >> >> >> References:
>>>> >> >> >>
>>>> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>> >> >> >>
>>>> >> >> >> --
>>>> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>> >> >> >> Post to : [email protected]
>>>> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>> >> >> >> More help : https://help.launchpad.net/ListHelp
>>>> >> >> >>
>>>> >> >> >> --
>>>> >> >> >> Cris
>>>> >> >>
>>>> >> >> --
>>>> >> >> Cris
>>>> >>
>>>> >> --
>>>> >> Cris
>>>> >
>>>> > --
>>>> > Cris
>
> --
> Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
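The thread describes two behaviours of the CVE notification mail: a bug where every monitored upstream project was listed even though only consul had a new CVE, and Emilia's suggested improvement of one notification per ROCK. The following is an added illustration of both, not code from the thread or from the Ubuntu security team's service; the rock-to-project mapping and the tracker entries are constructed for the example.

```python
# Added example, not the security team's code. Models the notification logic
# the thread discusses; ROCK_SOURCES and NEW_CVES are constructed test data.
from collections import defaultdict

# Upstream projects the service monitors, as stated in the thread.
MONITORED = {
    "https://github.com/prometheus/prometheus",
    "https://github.com/gogo/protobuf",
    "https://github.com/hashicorp/consul",
}

# Hypothetical mapping of each rock to the upstream projects it is built from.
ROCK_SOURCES = {
    "cortex": {"https://github.com/hashicorp/consul", "https://github.com/gogo/protobuf"},
    "telegraf": {"https://github.com/hashicorp/consul"},
    "prometheus": {"https://github.com/prometheus/prometheus"},
}

# Constructed tracker entries: (CVE id, upstream project the entry names).
# The second entry uses a placeholder id for a project nobody monitors.
NEW_CVES = [
    ("CVE-2023-0845", "https://github.com/hashicorp/consul"),
    ("CVE-0000-0000", "https://github.com/example/unmonitored"),
]


def buggy_summary(new_cves):
    """Reproduces the bug from the thread: every monitored project appears
    in the mail, with an empty CVE list when nothing new names it."""
    by_project = {project: [] for project in MONITORED}
    for cve, project in new_cves:
        if project in by_project:
            by_project[project].append(cve)
    return by_project


def fixed_summary(new_cves):
    """Only monitored projects that a new tracker entry actually names."""
    by_project = defaultdict(list)
    for cve, project in new_cves:
        if project in MONITORED:
            by_project[project].append(cve)
    return dict(by_project)


def per_rock_notifications(new_cves):
    """Emilia's suggested improvement: one notification per rock, limited to
    CVEs in upstream projects that rock is built from. Rocks with no hits
    get no mail at all."""
    affected = fixed_summary(new_cves)
    notices = {}
    for rock, sources in ROCK_SOURCES.items():
        hits = {p: affected[p] for p in sources if p in affected}
        if hits:
            notices[rock] = hits
    return notices
```

As the thread notes, a listed CVE still needs triage against the code and version actually shipped in the rock before it is treated as affecting it.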

