Well, I'd need to inspect every one of those images before making such a statement, but I'd risk saying that these images, although snap-/source-based, might also have additional debs, on top of the base `ubuntu` image, that deserve monitoring. @Luca Bello <[email protected]> can you please confirm that? I.e. if any of your snap-/source-based ROCKs also has additional debs installed, then it's probably worth monitoring them nonetheless.
On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino <[email protected]> wrote:

> Hi!
>
> On Thu, Aug 17, 2023 at 9:53 AM Luca Bello <[email protected]> wrote:
>
>> Hi everyone,
>>
>> that's correct, SeaweedFS is postponed :)
>>
>> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
>>
>> Hi everyone,
>>
>> here's a ping just to revive this thread.
>>
>> @Emilia Torino <[email protected]> you might have received some GH notifications from me, which are related to @Luca Bello <[email protected]>'s images which are now being prepared to be published.
>
> Yes, I got them and I was also going to ping you all since from our last discussion I said:
>
> "I did a search over the provided sources and only found one case where we have the project as a deb in the archive, which is alertmanager: https://launchpad.net/ubuntu/+source/prometheus-alertmanager. So unless you can confirm there are other debs in the archive matching the remaining upstream projects, alertmanager is the only one we can add to our CVEs monitoring service. I can add it right now."
>
>> I'm updating the list from above with the Docker Hub repos that should be monitored:
>>
>> * Alertmanager (https://github.com/prometheus/alertmanager) -> https://hub.docker.com/r/ubuntu/alertmanager (new)
>> * Grafana Agent (https://github.com/grafana/agent) -> https://hub.docker.com/r/ubuntu/grafana-agent (new)
>> * Grafana (https://github.com/grafana/grafana) -> https://hub.docker.com/r/ubuntu/grafana
>> * Loki (https://github.com/grafana/loki) -> https://hub.docker.com/r/ubuntu/loki
>> * Mimir (https://github.com/grafana/mimir) -> https://hub.docker.com/r/ubuntu/mimir (new)
>> * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
>> * Traefik (https://github.com/traefik/traefik) -> https://hub.docker.com/r/ubuntu/traefik (new)
>
> So unfortunately, all others can't be monitored with the existing solution.
>
>> [1] @Luca Bello <[email protected]> is this one postponed?
>>
>> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <[email protected]> wrote:
>>
>>> Hi Emilia,
>>>
>>> that's great; thanks for following through!
>>>
>>> Cheers,
>>>
>>> Luca
>>>
>>> On 28/06/2023 22:18, Emilia Torino wrote:
>>>
>>> Hi Luca,
>>>
>>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <[email protected]> wrote:
>>>
>>>> Hi Emilia,
>>>>
>>>> I did not look into it as our short-term priorities changed a little bit; if you need anything else from my side please let me know!
>>>
>>> I did a search over the provided sources and only found one case where we have the project as a deb in the archive, which is alertmanager: https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>>>
>>> So unless you can confirm there are other debs in the archive matching the remaining upstream projects, alertmanager is the only one we can add to our CVEs monitoring service. I can add it right now.
>>>
>>> Let me know if you have any questions.
>>>
>>> Emilia
>>>
>>>> Cheers,
>>>>
>>>> Luca
>>>>
>>>> On 22/06/2023 17:37, Emilia Torino wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Following up on this issue...
>>>>
>>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>>>> > Sounds good to me. @Emilia Torino <[email protected]> do you need those repos to exist in Docker Hub before you can onboard these?
>>>>>
>>>>> We don't. Since we don't scan the upstream based ROCKs (we only need this for the deb based ones).
>>>>>
>>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:
>>>>> >
>>>>> > Hello everyone,
>>>>> >
>>>>> > as mentioned before, the ROCKs we have are all based on upstream projects; the list is the following, as required:
>>>>> >
>>>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>>>> > * Grafana Agent (https://github.com/grafana/agent)
>>>>> > * Grafana (https://github.com/grafana/grafana)
>>>>> > * Loki (https://github.com/grafana/loki)
>>>>> > * Mimir (https://github.com/grafana/mimir)
>>>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>>>> > * Traefik (https://github.com/traefik/traefik)
>>>>> >
>>>>> > Please let me know if any of these qualifies!
>>>>>
>>>>> I am not sure how urgent this is, but if you help me identify the Ubuntu source packages associated we can make this faster. Otherwise we can work on this next week.
>>>>
>>>> Did you have a chance to check this?
>>>>
>>>>> > Cheers,
>>>>> >
>>>>> > Luca
>>>>> >
>>>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>>>> >>
>>>>> >> So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>>>> >>
>>>>> >> I think that would be fine for now. I'm reluctant to use the mailing list as a catch-all, but I think we can re-design this once there is an event bus at Canonical, so we rely less on emails.
>>>>> >>
>>>>> >> As for the other 10 ROCKs, @Luca Bello <[email protected]> let's first do the right due diligence on those, cause if a ROCK is not meant to be under the "ubuntu" namespace, then this security monitoring doesn't need to apply.
>>>>> >>
>>>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]> wrote:
>>>>> >>
>>>>> >> Hi all,
>>>>> >>
>>>>> >> On 31/5/23 04:03, Luca Bello wrote:
>>>>> >> > Hi everyone,
>>>>> >> >
>>>>> >> > as said in the thread already, the prometheus image is indeed a ROCK based on the *prometheus/prometheus* repository.
>>>>> >>
>>>>> >> That's very convenient. But just to be clear again, we are not "inspecting" the upstream based rocks the same way we do for the deb based ones. We are only monitoring new CVEs created for prometheus, protobuf and consul. So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?
>>>>> >>
>>>>> >> > We're in the process of updating all of our ROCKs in a similar way, meaning we want to make sure we are complying with any guidelines you might have on them.
>>>>> >> > We have about 10 ROCKs at the moment, mostly based on upstream projects just like this one. Should I share the full list, so you can track them?
>>>>> >>
>>>>> >> I am happy to do an analysis of this list to see if we can add more. The short answer would be that if the software is packaged as a deb in main or universe (which is the situation for prometheus, protobuf and consul) then we can simply add them. This is because the service is based on the existing CVE triage work the security team does, which is mainly for debs (although it is now being extended to other ecosystems because of SOSS but it is still limited and mainly supporting NVIDIA software).
>>>>> >>
>>>>> >> A simple improvement though could be to map the projects to the rocks so you don't get a general notification, but one per ROCK as the USNs/debs based service does. We can work on adding this for the next cycle.
>>>>> >>
>>>>> >> > Cheers,
>>>>> >> >
>>>>> >> > Luca
>>>>> >> >
>>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>>> >> >> Thank you for the swift action, Emilia!
>>>>> >> >>
>>>>> >> >> > Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>> >> >>
>>>>> >> >> Yes, precisely. @Luca Bello <[email protected]> is in the process of updating that image and we're re-doing our due diligence. Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>>> >> >>
>>>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>>>> >> >>
>>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]> wrote:
>>>>> >> >>
>>>>> >> >> Hey all,
>>>>> >> >>
>>>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>>>>> >> >> > Hi Cristovao,
>>>>> >> >> >
>>>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>>> >> >> >> Hi Emilia,
>>>>> >> >> >>
>>>>> >> >> >> could you please confirm the `prometheus` container image is being monitored?
>>>>> >> >> >
>>>>> >> >> > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>> >> >> >
>>>>> >> >> >> These emails' subject only mentions cortex and telegraf, but I can see "https://github.com/prometheus/prometheus" in the body of the email.
>>>>> >> >> >
>>>>> >> >> > Apologies for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
>>>>> >> >>
>>>>> >> >> I investigated this bug and it should be solved already. There was an issue in the past, but we fixed it already. I thought it could be related but I see this notification you are asking about is from March. If you check the last notification sent on Thu, May 4, 2:03 AM it is correctly reporting about a single package (cortex only).
>>>>> >> >>
>>>>> >> >> Let me know if you have any further questions.
>>>>> >> >>
>>>>> >> >> > In this case, only a new CVE affecting consul has been created in our tracker https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>>> >> >> >
>>>>> >> >> > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understand if the code/version present in the rocks are indeed vulnerable).
>>>>> >> >> >
>>>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email, is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email, only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
>>>>> >> >> >
>>>>> >> >> > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
>>>>> >> >> >
>>>>> >> >> > Emilia
>>>>> >> >> >
>>>>> >> >> >> ---------- Forwarded message ---------
>>>>> >> >> >> From: <[email protected]>
>>>>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>>>>> >> >> >> To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
>>>>> >> >> >>
>>>>> >> >> >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
>>>>> >> >> >>
>>>>> >> >> >> * https://github.com/gogo/protobuf:
>>>>> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>>> >> >> >> * https://github.com/prometheus/prometheus:
>>>>> >> >> >>
>>>>> >> >> >> Please review your rock to understand if it is affected by these CVEs.
>>>>> >> >> >>
>>>>> >> >> >> Thank you for your rock and for attending to this matter.
>>>>> >> >> >>
>>>>> >> >> >> References:
>>>>> >> >> >>
>>>>> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>> >> >> >>
>>>>> >> >> >> --
>>>>> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>>> >> >> >> Post to : [email protected]
>>>>> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>>> >> >> >> More help : https://help.launchpad.net/ListHelp
>>>>> >> >> >>
>>>>> >> >> >> --
>>>>> >> >> >> Cris
>>>>> >> >>
>>>>> >> >> --
>>>>> >> >> Cris
>>>>> >>
>>>>> >> --
>>>>> >> Cris
>>>>> >
>>>>> > --
>>>>> > Cris
>>
>> --
>> Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
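The opening message asks whether the snap-/source-based images also carry additional debs on top of the base `ubuntu` image, since those debs would still deserve CVE monitoring. As an added example that is not part of the thread and not Canonical's own tooling, the POSIX shell script below answers that question for one image by diffing the dpkg status database of the rock against that of its base image. It assumes you have already copied `/var/lib/dpkg/status` out of both images (for instance with `docker create` followed by `docker cp`); the two status files it builds are constructed samples with placeholder versions, not real image content.

```shell
#!/bin/sh
# Added example, not part of the thread: list the debs a ROCK carries on top
# of its base `ubuntu` image by diffing the dpkg status databases of the two.
# Assumed workflow (not shown here): extract /var/lib/dpkg/status from each
# image, e.g. `docker create --name tmp <image>` followed by
# `docker cp tmp:/var/lib/dpkg/status ./rock.status`, then run extra_debs.
# The two status files built below are constructed samples, not real images.

# installed_debs FILE: print "name version" for every stanza whose Status is
# "install ok installed" (packages removed but leaving config files are skipped).
installed_debs() {
    awk '
        /^Package: / { pkg = $2 }
        /^Version: / { ver = $2 }
        /^Status: /  { installed = ($0 ~ /install ok installed/) }
        /^$/         { if (installed && pkg != "") print pkg " " ver
                       pkg = ""; ver = ""; installed = 0 }
        END          { if (installed && pkg != "") print pkg " " ver }
    ' "$1" | sort
}

# extra_debs BASE_STATUS ROCK_STATUS: print the installed debs of the rock
# whose package name does not appear in the base image at all.
extra_debs() {
    names=$(mktemp)
    installed_debs "$1" | cut -d' ' -f1 > "$names"
    installed_debs "$2" | awk -v basefile="$names" '
        BEGIN { while ((getline line < basefile) > 0) base[line] = 1 }
        !($1 in base) { print }
    '
    rm -f "$names"
}

# Constructed sample databases: package names are ordinary Ubuntu debs,
# the versions are placeholders.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/base.status" <<'EOF'
Package: base-files
Status: install ok installed
Version: 1.0

Package: libc6
Status: install ok installed
Version: 1.0

Package: removed-pkg
Status: deinstall ok config-files
Version: 1.0
EOF

cat > "$workdir/rock.status" <<'EOF'
Package: base-files
Status: install ok installed
Version: 1.0

Package: libc6
Status: install ok installed
Version: 1.0

Package: ca-certificates
Status: install ok installed
Version: 2.0

Package: curl
Status: install ok installed
Version: 3.0
EOF

echo "debs in the rock but not in the base image:"
extra_debs "$workdir/base.status" "$workdir/rock.status"
```

The comparison is by package name only, which is what matters for deciding whether a deb needs to be on the monitoring list; a version-level diff against the base would also flag packages the rock merely upgraded, which the base image's own monitoring already covers.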

