Alright, thanks. So not much. I'll leave it up to you @Emilia Torino <[email protected]> whether you think partial monitoring of these images is worth it. I'd say, only if it is a no-op for you.
On Thu, Aug 17, 2023 at 4:02 PM Luca Bello <[email protected]> wrote:
> Well yes, in pretty much all of our rocks we add the `ca-certificates`
> package for TLS operations:
>
> https://packages.ubuntu.com/search?keywords=ca-certificates
>
> We technically use things like `npm`, `nodejs` and `go` for builds, but I
> think that's not particularly relevant.
>
> Cheers,
> Luca
>
> On 17/08/2023 15:28, Cristovao Cordeiro wrote:
> Well, I'd need to inspect every one of those images before making such a
> statement, *but*, I'd risk saying that these images, although
> snap-/source-based, might also have additional debs, on top of the base
> `ubuntu` image, that deserve monitoring. @Luca Bello <[email protected]>
> can you please confirm that? I.e. if any of your snap-/source-based ROCKs
> also has additional debs installed, then it's probably worth monitoring
> them nonetheless.
>
> On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino <[email protected]> wrote:
>> Hi!
>>
>> On Thu, Aug 17, 2023 at 9:53 AM Luca Bello <[email protected]> wrote:
>>> Hi everyone,
>>>
>>> that's correct, SeaweedFS is postponed :)
>>>
>>> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
>>> Hi everyone,
>>>
>>> here's a ping just to revive this thread.
>>>
>>> @Emilia Torino <[email protected]> you might have received some GH
>>> notifications from me, which are related to @Luca Bello
>>> <[email protected]>'s images which are now being prepared to be
>>> published.
>>
>> Yes, I got them and I was also going to ping you all since from our last
>> discussion I said:
>>
>> "I did a search over the provided sources and only found one case where
>> we have the project as a deb in the archive, which is alertmanager:
>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager.
>> So unless you can confirm there are other debs in the archive matching
>> the remaining upstream projects, alertmanager is the only one we can add
>> to our CVEs monitoring service. I can add it right now."
>>
>>> I'm updating the list from above with the Docker Hub repos that should
>>> be monitored:
>>>
>>> * Alertmanager (https://github.com/prometheus/alertmanager) ->
>>>   https://hub.docker.com/r/ubuntu/alertmanager (new)
>>> * Grafana Agent (https://github.com/grafana/agent) ->
>>>   https://hub.docker.com/r/ubuntu/grafana-agent (new)
>>> * Grafana (https://github.com/grafana/grafana) ->
>>>   https://hub.docker.com/r/ubuntu/grafana
>>> * Loki (https://github.com/grafana/loki) ->
>>>   https://hub.docker.com/r/ubuntu/loki
>>> * Mimir (https://github.com/grafana/mimir) ->
>>>   https://hub.docker.com/r/ubuntu/mimir (new)
>>> * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
>>> * Traefik (https://github.com/traefik/traefik) ->
>>>   https://hub.docker.com/r/ubuntu/traefik (new)
>>
>> So unfortunately, all others can't be monitored with the existing
>> solution.
>>
>>> [1] @Luca Bello <[email protected]> is this one postponed?
>>>
>>> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <[email protected]> wrote:
>>>> Hi Emilia,
>>>>
>>>> that's great; thanks for following through!
>>>>
>>>> Cheers,
>>>> Luca
>>>>
>>>> On 28/06/2023 22:18, Emilia Torino wrote:
>>>> Hi Luca,
>>>>
>>>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <[email protected]> wrote:
>>>>> Hi Emilia,
>>>>>
>>>>> I did not look into it as our short-term priorities changed a little
>>>>> bit; if you need anything else from my side please let me know!
>>>>
>>>> I did a search over the provided sources and only found one case where
>>>> we have the project as a deb in the archive, which is alertmanager:
>>>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>>>>
>>>> So unless you can confirm there are other debs in the archive matching
>>>> the remaining upstream projects, alertmanager is the only one we can add
>>>> to our CVEs monitoring service. I can add it right now.
>>>>
>>>> Let me know if you have any questions.
>>>>
>>>> Emilia
>>>>
>>>>> Cheers,
>>>>> Luca
>>>>>
>>>>> On 22/06/2023 17:37, Emilia Torino wrote:
>>>>> Hi all,
>>>>>
>>>>> Following up on this issue...
>>>>>
>>>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>>>>> > Sounds good to me. @Emilia Torino <[email protected]> do you need
>>>>>> > those repos to exist in Docker Hub before you can onboard these?
>>>>>>
>>>>>> We don't. Since we don't scan the upstream based ROCKs (we only need
>>>>>> this for the deb based ones).
>>>>>>
>>>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:
>>>>>> >
>>>>>> > Hello everyone,
>>>>>> >
>>>>>> > as mentioned before, the ROCKs we have are all based on upstream
>>>>>> > projects; the list is the following, as required:
>>>>>> >
>>>>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>>>>> > * Grafana Agent (https://github.com/grafana/agent)
>>>>>> > * Grafana (https://github.com/grafana/grafana)
>>>>>> > * Loki (https://github.com/grafana/loki)
>>>>>> > * Mimir (https://github.com/grafana/mimir)
>>>>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>>>>> > * Traefik (https://github.com/traefik/traefik)
>>>>>> >
>>>>>> > Please let me know if any of these qualifies!
>>>>>>
>>>>>> I am not sure how urgent this is, but if you help me identify the
>>>>>> Ubuntu source packages associated we can make this faster. Otherwise
>>>>>> we can work on this next week.
>>>>>
>>>>> Did you have a chance to check this?
>>>>>
>>>>>> >
>>>>>> > Cheers,
>>>>>> > Luca
>>>>>> >
>>>>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>>>>> >>
>>>>>> >> So the only change from our side will be to add prometheus to the
>>>>>> >> email notification subject (or I guess we can just simply replace
>>>>>> >> it with "CVEs potentially affecting upstream based ROCKs"). Are
>>>>>> >> the email recipients the same ones for the other ones?
>>>>>> >>
>>>>>> >> I think that would be fine for now. I'm reluctant to use the
>>>>>> >> mailing list as a catch-all, but I think we can re-design this
>>>>>> >> once there is an event bus at Canonical, so we rely less on
>>>>>> >> emails.
>>>>>> >>
>>>>>> >> As for the other 10 ROCKs, @Luca Bello <[email protected]> let's
>>>>>> >> first do the right due diligence on those, cause if a ROCK is not
>>>>>> >> meant to be under the "ubuntu" namespace, then this security
>>>>>> >> monitoring doesn't need to apply.
>>>>>> >>
>>>>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino
>>>>>> >> <[email protected]> wrote:
>>>>>> >>
>>>>>> >> Hi all,
>>>>>> >>
>>>>>> >> On 31/5/23 04:03, Luca Bello wrote:
>>>>>> >> > Hi everyone,
>>>>>> >> >
>>>>>> >> > as said in the thread already, the prometheus image is indeed a
>>>>>> >> > ROCK based on the *prometheus/prometheus* repository.
>>>>>> >>
>>>>>> >> That's very convenient. But just to be clear again, we are not
>>>>>> >> "inspecting" the upstream based rocks the same way we do for the
>>>>>> >> deb based ones. We are only monitoring new CVEs created for
>>>>>> >> prometheus, protobuf and consul. So the only change from our side
>>>>>> >> will be to add prometheus to the email notification subject (or I
>>>>>> >> guess we can just simply replace it with "CVEs potentially
>>>>>> >> affecting upstream based ROCKs"). Are the email recipients the
>>>>>> >> same ones for the other ones?
>>>>>> >>
>>>>>> >> > We're in the process of updating all of our ROCKs in a similar
>>>>>> >> > way, meaning we want to make sure we are complying with any
>>>>>> >> > guidelines you might have on them.
>>>>>> >> > We have about 10 ROCKs at the moment, mostly based on upstream
>>>>>> >> > projects just like this one. Should I share the full list, so
>>>>>> >> > you can track them?
>>>>>> >>
>>>>>> >> I am happy to do an analysis of this list to see if we can add
>>>>>> >> more. The short answer would be that if the software is packaged
>>>>>> >> as a deb in main or universe (which is the situation for
>>>>>> >> prometheus, protobuf and consul) then we can simply add them.
>>>>>> >> This is because the service is based on the existing CVE triage
>>>>>> >> work the security team does, which is mainly for debs (although
>>>>>> >> it is now being extended to other ecosystems because of SOSS, but
>>>>>> >> it is still limited and mainly supporting NVIDIA software).
>>>>>> >>
>>>>>> >> A simple improvement though could be to map the projects to the
>>>>>> >> rocks so you don't get a general notification, but one per ROCK
>>>>>> >> as the USNs/debs based service does. We can work on adding this
>>>>>> >> for the next cycle.
>>>>>> >>
>>>>>> >> >
>>>>>> >> > Cheers,
>>>>>> >> > Luca
>>>>>> >> >
>>>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>>>> >> >> Thank you for the swift action, Emilia!
>>>>>> >> >>
>>>>>> >> >> > Does this relate to a question being asked some hours ago in
>>>>>> >> >> > ~Security
>>>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>> >> >>
>>>>>> >> >> Yes, precisely. @Luca Bello <[email protected]> is in the
>>>>>> >> >> process of updating that image and we're re-doing our due
>>>>>> >> >> diligence. Luca can confirm, but this seems to be a ROCK based
>>>>>> >> >> precisely on that upstream Prometheus repository that you are
>>>>>> >> >> already monitoring
>>>>>> >> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>>>> >> >>
>>>>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>>>>> >> >>
>>>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
>>>>>> >> >> <[email protected]> wrote:
>>>>>> >> >>
>>>>>> >> >> Hey all,
>>>>>> >> >>
>>>>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>>>>>> >> >> > Hi Cristovao,
>>>>>> >> >> >
>>>>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>>>> >> >> >> Hi Emilia,
>>>>>> >> >> >>
>>>>>> >> >> >> could you please confirm the `prometheus` container image is
>>>>>> >> >> >> being monitored?
>>>>>> >> >> >
>>>>>> >> >> > I don't see prometheus being monitored by our services (not
>>>>>> >> >> > as a rock based on upstream source code nor as a rock based
>>>>>> >> >> > on debs). Does this relate to a question being asked some
>>>>>> >> >> > hours ago in ~Security
>>>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>> >> >> >
>>>>>> >> >> >> These emails' subject only mentions cortex and telegraf,
>>>>>> >> >> >> but I can see "https://github.com/prometheus/prometheus" in
>>>>>> >> >> >> the body of the email.
>>>>>> >> >> >
>>>>>> >> >> > Apologies for the confusion, this sounds like a bug in the
>>>>>> >> >> > email content generator code. I will take a look at it later.
>>>>>> >> >>
>>>>>> >> >> I investigated this bug and it should be solved already. There
>>>>>> >> >> was an issue in the past, but we fixed it already. I thought it
>>>>>> >> >> could be related but I see this notification you are asking
>>>>>> >> >> about is from March. If you check the last notification sent on
>>>>>> >> >> Thu, May 4, 2:03 AM, it is correctly reporting about a single
>>>>>> >> >> package (cortex only).
>>>>>> >> >>
>>>>>> >> >> Let me know if you have any further questions.
>>>>>> >> >>
>>>>>> >> >> > In this case, only a new CVE affecting consul has been
>>>>>> >> >> > created in our tracker:
>>>>>> >> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>>> >> >> >
>>>>>> >> >> > Still, this does not mean cortex and telegraf are affected,
>>>>>> >> >> > since this needs triage (i.e. understand if the code/version
>>>>>> >> >> > present in the rocks are indeed vulnerable).
>>>>>> >> >> >
>>>>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus
>>>>>> >> >> > (and also https://github.com/gogo/protobuf) are listed in
>>>>>> >> >> > this email is because these 3 are the *only* upstream
>>>>>> >> >> > projects we are monitoring (because of the bug the 3 are
>>>>>> >> >> > incorrectly listed in the email, only consul should be). In
>>>>>> >> >> > other words, we are not scanning every upstream source
>>>>>> >> >> > project which is used to build cortex and telegraf.
>>>>>> >> >> >
>>>>>> >> >> > There are reasons why this service is very limited, and I
>>>>>> >> >> > hope this is/was clear. Let me know if you need more
>>>>>> >> >> > information.
>>>>>> >> >> >
>>>>>> >> >> > Emilia
>>>>>> >> >> >
>>>>>> >> >> >> ---------- Forwarded message ---------
>>>>>> >> >> >> From: <[email protected]>
>>>>>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>>>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting
>>>>>> >> >> >> cortex and telegraf
>>>>>> >> >> >> To: <[email protected]>, <[email protected]>,
>>>>>> >> >> >> <[email protected]>, <[email protected]>,
>>>>>> >> >> >> <[email protected]>, <[email protected]>
>>>>>> >> >> >>
>>>>>> >> >> >> New CVEs affecting packages used to build upstream based
>>>>>> >> >> >> rocks have been created in the Ubuntu CVE tracker:
>>>>>> >> >> >>
>>>>>> >> >> >> * https://github.com/gogo/protobuf:
>>>>>> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>>>> >> >> >> * https://github.com/prometheus/prometheus:
>>>>>> >> >> >>
>>>>>> >> >> >> Please review your rock to understand if it is affected by
>>>>>> >> >> >> these CVEs.
>>>>>> >> >> >>
>>>>>> >> >> >> Thank you for your rock and for attending to this matter.
>>>>>> >> >> >>
>>>>>> >> >> >> References:
>>>>>> >> >> >>
>>>>>> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>>> >> >> >>
>>>>>> >> >> >> --
>>>>>> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>>>> >> >> >> Post to : [email protected]
>>>>>> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>>>> >> >> >> More help : https://help.launchpad.net/ListHelp
>>>>>> >> >> >>
>>>>>> >> >> >> --
>>>>>> >> >> >> Cris

--
Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
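An added example, not Canonical's code and not the notification service described in the thread: it models the two behaviours Emilia describes above, the bug where every monitored upstream project was listed even though only consul had a new CVE, and the proposed improvement of one notification per ROCK instead of one general email. The ROCK-to-upstream mapping and the tracker feed line are constructed sample data; the tracker URL prefix and CVE-2023-0845 come from the thread.

```python
from dataclasses import dataclass

# Added example, not Canonical's code. ROCK_UPSTREAMS and the feed are constructed.
TRACKER = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"
CONSUL, PROTOBUF, PROM = ("https://github.com/hashicorp/consul",
                          "https://github.com/gogo/protobuf",
                          "https://github.com/prometheus/prometheus")

# Constructed mapping: each ROCK -> the monitored upstream projects it is built from.
ROCK_UPSTREAMS = {
    "cortex": [PROM, PROTOBUF, CONSUL],
    "telegraf": [CONSUL, PROTOBUF],
    "prometheus": [PROM],
}

# Constructed feed of new tracker entries, one "<CVE id> <project URL>" per line.
NEW_TRACKER_ENTRIES = "CVE-2023-0845 https://github.com/hashicorp/consul\n"

def parse_feed(text):
    """Return {project_url: sorted CVE ids}; malformed lines are skipped."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("CVE-"):
            continue
        found.setdefault(parts[1], set()).add(parts[0])
    return {p: sorted(ids) for p, ids in found.items()}

def buggy_listing(new_cves, rock_upstreams):
    """The reported bug: every monitored project is listed, even with no CVE."""
    monitored = sorted({p for ps in rock_upstreams.values() for p in ps})
    return {p: new_cves.get(p, []) for p in monitored}

@dataclass
class Notification:
    rock: str
    cves: dict  # project URL -> CVE ids newly filed against it

    def subject(self):
        return f"CVEs potentially affecting {self.rock}"

    def body(self):
        lines = [f"New CVEs affecting packages used to build the {self.rock} rock "
                 "have been created in the Ubuntu CVE tracker:", ""]
        lines += [f"* {p}: {', '.join(ids)}" for p, ids in self.cves.items()]
        # A tracker entry means the rock needs triage, not that it is vulnerable.
        lines += ["", "Please review your rock to understand if it is affected "
                  "by these CVEs.", "", "References:"]
        lines += [TRACKER + cve for ids in self.cves.values() for cve in ids]
        return "\n".join(lines)

def notifications_per_rock(new_cves, rock_upstreams):
    """One notification per ROCK, listing only projects that have a new CVE."""
    out = []
    for rock, projects in rock_upstreams.items():
        hits = {p: new_cves[p] for p in projects if new_cves.get(p)}
        if hits:
            out.append(Notification(rock, hits))
    return out
```

With the sample feed, `buggy_listing` still reports protobuf and prometheus with empty CVE lists, while `notifications_per_rock` yields one email each for cortex and telegraf naming only consul, and nothing for the prometheus rock.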

