> So the only change from our side will be to add prometheus to the email
> notification subject (or I guess we can just simply replace it with "CVEs
> potentially affecting upstream based ROCKs"). Are the email recipients the
> same ones for the other ones?

I think that would be fine for now. I'm reluctant to use the mailing list as a catch-all, but I think we can re-design this once there is an event bus at Canonical, so we rely less on emails.

As for the other 10 ROCKs, @Luca Bello <[email protected]> let's first do the right due diligence on those, because if a ROCK is not meant to be under the "ubuntu" namespace, then this security monitoring doesn't need to apply.

On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]> wrote:

> Hi all,
>
> On 31/5/23 04:03, Luca Bello wrote:
> > Hi everyone,
> >
> > as said in the thread already, the prometheus image is indeed a ROCK
> > based on the *prometheus/prometheus* repository.
>
> That's very convenient. But just to be clear again, we are not
> "inspecting" the upstream based rocks the same way we do for the deb
> based ones. We are only monitoring new CVEs created for prometheus,
> protobuf and consul. So the only change from our side will be to add
> prometheus to the email notification subject (or I guess we can just
> simply replace it with "CVEs potentially affecting upstream based
> ROCKs"). Are the email recipients the same ones for the other ones?
>
> > We're in the process of updating all of our ROCKs in a similar way,
> > meaning we want to make sure we are complying with any guidelines you
> > might have on them.
> > We have about 10 ROCKs at the moment, mostly based on upstream projects
> > just like this one. Should I share the full list, so you can track them?
>
> I am happy to do an analysis of this list to see if we can add more. The
> short answer would be that if the software is packaged as a deb in main
> or universe (which is the situation for prometheus, protobuf and consul)
> then we can simply add them. This is because the service is based on the
> existing CVE triage work the security team does, which is mainly for
> debs (although now it is being extended to other ecosystems because of SOSS,
> but it is still limited and mainly supporting NVIDIA software).
>
> A simple improvement though could be to map the projects to the rocks so
> you don't get a general notification, but one per ROCK as the USNs/debs
> based service does. We can work on adding this for the next cycle.
>
> > Cheers,
> >
> > Luca
> >
> >
> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
> >> Thank you for the swift action, Emilia!
> >>
> >> > Does this
> >> > relate to a question being asked some hours ago in
> >> > ~Security
> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >>
> >> Yes, precisely. @Luca Bello <[email protected]> is in
> >> the process of updating that image and we're re-doing our due diligence.
> >> Luca can confirm, but this seems to be a ROCK based precisely on that
> >> upstream Prometheus repository that you are already monitoring
> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
> >>
> >> Can we then add this image to your list of tracked ROCKs?
> >>
> >>
> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
> >> <[email protected]> wrote:
> >>
> >> Hey all,
> >>
> >> On 30/5/23 13:14, Emilia Torino wrote:
> >> > Hi Cristovao,
> >> >
> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> >> >> Hi Emilia,
> >> >>
> >> >> could you please confirm the `prometheus` container image is being
> >> >> monitored?
> >> >
> >> > I don't see prometheus being monitored by our services (not as a rock
> >> > based on upstream source code nor as a rock based on debs). Does this
> >> > relate to a question being asked some hours ago in
> >> > ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >> >
> >> >
> >> >> These emails' subject only mentions cortex and telegraf, but
> >> >> I can see "https://github.com/prometheus/prometheus" in the body of the
> >> >> email.
> >> >
> >> > Apologies for the confusion, this sounds like a bug in the email content
> >> > generator code. I will take a look at it later.
> >>
> >> I investigated this bug and it should be solved already. There was an
> >> issue in the past, but we fixed it already. I thought it could be
> >> related but I see this notification you are asking about is from March.
> >> If you check the last notification sent on Thu, May 4, 2:03 AM, it is
> >> correctly reporting about a single package (cortex only).
> >>
> >> Let me know if you have any further questions.
> >>
> >> > In this case, only a new
> >> > CVE affecting consul has been created in our tracker
> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
> >> >
> >> > Still, this does not mean cortex and telegraf are affected, since this
> >> > needs triage (i.e. understand if the code/version present in the rocks
> >> > are indeed vulnerable).
> >> >
> >> > FYI the reason why https://github.com/prometheus/prometheus (and also
> >> > https://github.com/gogo/protobuf) are listed in this email, is because
> >> > these 3 are the *only* upstream projects we are monitoring (because of
> >> > the bug the 3 are incorrectly listed in the email, only consul should
> >> > be). In other words, we are not scanning every upstream source project
> >> > which is used to build cortex and telegraf.
> >> >
> >> > There are reasons why this service is very limited, and I hope this
> >> > is/was clear. Let me know if you need more information.
> >> >
> >> > Emilia
> >> >
> >> >
> >> >>
> >> >> ---------- Forwarded message ---------
> >> >> From: <[email protected]>
> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
> >> >> telegraf
> >> >> To: <[email protected]>, <[email protected]>,
> >> >> <[email protected]>, <[email protected]>,
> >> >> <[email protected]>, <[email protected]>
> >> >>
> >> >>
> >> >> New CVEs affecting packages used to build upstream based rocks have been
> >> >> created in the Ubuntu CVE tracker:
> >> >>
> >> >> * https://github.com/gogo/protobuf:
> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
> >> >> * https://github.com/prometheus/prometheus:
> >> >>
> >> >> Please review your rock to understand if it is affected by these CVEs.
> >> >>
> >> >> Thank you for your rock and for attending to this matter.
> >> >>
> >> >> References:
> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> >> >>
> >> >>
> >> >> --
> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
> >> >> Post to : [email protected]
> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> >> >> More help : https://help.launchpad.net/ListHelp
> >> >>
> >> >>
> >> >> --
> >> >> Cris
> >>
> >>
> >>
> >> --
> >> Cris
> --
> Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
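Emilia's suggestion in the thread, mapping the monitored upstream projects to individual ROCKs so that each rock gets its own notification (and so that projects with no new CVE are not listed, which was the bug in the March mail), is easy to sketch. The following is an added example written for this page; it is not code from the Ubuntu security team's service or from any Canonical repository. The rockcraft.yaml fragments, the monitored-project set and the CVE list are constructed inputs, and every function name is my own.

```python
import re
from typing import Dict, List, Set

# Constructed rockcraft.yaml fragments for three hypothetical rocks. They are
# NOT the real files (the real prometheus-rock file is the one linked in the
# thread). Only the "source:" keys matter for this example.
ROCKCRAFT_FILES: Dict[str, str] = {
    "prometheus": """\
name: prometheus
base: ubuntu:22.04
parts:
  prometheus:
    plugin: go
    source: https://github.com/prometheus/prometheus.git
    source-tag: v2.44.0
""",
    "cortex": """\
name: cortex
parts:
  cortex:
    plugin: go
    source: https://github.com/cortexproject/cortex
  consul:
    plugin: go
    source: https://github.com/hashicorp/consul/
""",
    "telegraf": """\
name: telegraf
parts:
  telegraf:
    plugin: go
    source: https://github.com/influxdata/telegraf
""",
}

# The three upstream projects the thread says are monitored, normalized.
MONITORED: Set[str] = {
    "github.com/gogo/protobuf",
    "github.com/hashicorp/consul",
    "github.com/prometheus/prometheus",
}

# Constructed stand-in for "new tracker entries since the last run": only
# consul has one, mirroring the March notification quoted above.
NEW_CVES: Dict[str, List[str]] = {"github.com/hashicorp/consul": ["CVE-2023-0845"]}

# A full YAML parser is not needed to find "source:" values; this keeps the
# example dependency-free. "source-tag:" does not match because of the colon.
SOURCE_RE = re.compile(r"^\s*source:\s*(\S+)\s*$", re.MULTILINE)


def normalize(url: str) -> str:
    """Reduce a git/https source URL to host/org/repo so that
    https://github.com/x/y.git, https://github.com/x/y/ and
    git@github.com:x/y.git all compare equal."""
    u = url.strip().strip("\"'")
    u = re.sub(r"^(https?://|git://|ssh://|git@)", "", u)
    if u.startswith("github.com:"):  # scp-style ssh form
        u = u.replace(":", "/", 1)
    u = u.rstrip("/")
    if u.endswith(".git"):
        u = u[:-4]
    return u.lower()


def upstream_projects(rockcraft_yaml: str) -> Set[str]:
    """All upstream projects a rock pulls source from."""
    return {normalize(m) for m in SOURCE_RE.findall(rockcraft_yaml)}


def notifications(rockcraft_files: Dict[str, str], monitored: Set[str],
                  new_cves: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per-rock notifications: rock -> {project -> [CVE ids]}.

    A rock is included only if it builds from a monitored project that has a
    new CVE; monitored projects with nothing new are left out entirely.
    """
    out: Dict[str, Dict[str, List[str]]] = {}
    for rock, text in rockcraft_files.items():
        hits = {}
        for project in sorted(upstream_projects(text) & monitored):
            if new_cves.get(project):
                hits[project] = sorted(new_cves[project])
        if hits:
            out[rock] = hits
    return out


def render(rock: str, hits: Dict[str, List[str]]) -> str:
    """Plain-text body in the style of the notification quoted in the thread."""
    lines = [f"Subject: CVEs potentially affecting {rock}", "",
             "New CVEs affecting packages used to build this rock have been "
             "created in the Ubuntu CVE tracker:"]
    for project, cves in hits.items():
        lines.append(f"  * https://{project}: {', '.join(cves)}")
    # A match is a trigger for triage, not a verdict: the rock's pinned
    # version may not contain the vulnerable code.
    lines += ["", "Please review your rock to understand if it is affected by these CVEs."]
    return "\n".join(lines)


if __name__ == "__main__":
    for rock, hits in notifications(ROCKCRAFT_FILES, MONITORED, NEW_CVES).items():
        print(render(rock, hits))
```

With the constructed inputs only the cortex rock produces a mail: the prometheus rock builds from a monitored project but there is no new CVE for it, and telegraf builds from nothing that is monitored. The match is deliberately a trigger for triage rather than an "affected" verdict, which is the caveat Emilia makes about the existing service.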

