Sounds good to me. @Emilia Torino <[email protected]> do you need those repos to exist in Docker Hub before you can onboard these?
On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:

> Hello everyone,
>
> as mentioned before, the ROCKs we have are all based on upstream projects;
> the list is the following, as required:
>
> * Alertmanager (https://github.com/prometheus/alertmanager)
> * Grafana Agent (https://github.com/grafana/agent)
> * Grafana (https://github.com/grafana/grafana)
> * Loki (https://github.com/grafana/loki)
> * Mimir (https://github.com/grafana/mimir)
> * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
> * Traefik (https://github.com/traefik/traefik)
>
> Please let me know if any of these qualifies!
>
> Cheers,
>
> Luca
>
> On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>
>>> So the only change from our side will be to add prometheus to the email
>>> notification subject (or I guess we can just simply replace it with
>>> "CVEs potentially affecting upstream based ROCKs"). Are the email
>>> recipients the same ones for the other ones?
>>
>> I think that would be fine for now. I'm reluctant to use the mailing list
>> as a catch-all, but I think we can re-design this once there is an event
>> bus at Canonical, so we rely less on emails.
>>
>> As for the other 10 ROCKs, @Luca Bello <[email protected]> let's
>> first do the right due diligence on those, cause if a ROCK is not meant to
>> be under the "ubuntu" namespace, then this security monitoring doesn't
>> need to apply.
>>
>> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]>
>> wrote:
>>
>>> Hi all,
>>>
>>> On 31/5/23 04:03, Luca Bello wrote:
>>>> Hi everyone,
>>>>
>>>> as said in the thread already, the prometheus image is indeed a ROCK
>>>> based on the *prometheus/prometheus* repository.
>>>
>>> That's very convenient. But just to be clear again, we are not
>>> "inspecting" the upstream based rocks the same way we do for the deb
>>> based ones. We are only monitoring new CVEs created for prometheus,
>>> protobuf and consul.
>>>
>>> So the only change from our side will be to add prometheus to the email
>>> notification subject (or I guess we can just simply replace it with
>>> "CVEs potentially affecting upstream based ROCKs"). Are the email
>>> recipients the same ones for the other ones?
>>>
>>>> We're in the process of updating all of our ROCKs in a similar way,
>>>> meaning we want to make sure we are complying with any guidelines you
>>>> might have on them.
>>>> We have about 10 ROCKs at the moment, mostly based on upstream projects
>>>> just like this one. Should I share the full list, so you can track them?
>>>
>>> I am happy to do an analysis of this list to see if we can add more. The
>>> short answer would be that if the software is packaged as a deb in main
>>> or universe (which is the situation for prometheus, protobuf and consul)
>>> then we can simply add them. This is because the service is based on the
>>> existing CVE triage work the security team does, which is mainly for
>>> debs (although it is now being extended to other ecosystems because of
>>> SOSS, but it is still limited and mainly supporting NVIDIA software).
>>>
>>> A simple improvement though could be to map the projects to the rocks so
>>> you don't get a general notification, but one per ROCK as the USNs/debs
>>> based service does. We can work on adding this for the next cycle.
>>>
>>>> Cheers,
>>>>
>>>> Luca
>>>>
>>>> On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>>> Thank you for the swift action, Emilia!
>>>>>
>>>>>> Does this relate to a question being asked some hours ago in
>>>>>> ~Security
>>>>>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>
>>>>> Yes, precisely. @Luca Bello <mailto:[email protected]> is in
>>>>> the process of updating that image and we're re-doing our due
>>>>> diligence.
>>>>> Luca can confirm, but this seems to be a ROCK based precisely on that
>>>>> upstream Prometheus repository that you are already monitoring
>>>>> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>>>
>>>>> Can we then add this image to your list of tracked ROCKs?
>>>>>
>>>>> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hey all,
>>>>>>
>>>>>> On 30/5/23 13:14, Emilia Torino wrote:
>>>>>>> Hi Cristovao,
>>>>>>>
>>>>>>> On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>>>>>> Hi Emilia,
>>>>>>>>
>>>>>>>> could you please confirm the `prometheus` container image is being
>>>>>>>> monitored?
>>>>>>>
>>>>>>> I don't see prometheus being monitored by our services (not as a
>>>>>>> rock based on upstream source code nor as a rock based on debs).
>>>>>>> Does this relate to a question being asked some hours ago in
>>>>>>> ~Security
>>>>>>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>>>
>>>>>>>> These emails' subject only mentions cortex and telegraf, but I can
>>>>>>>> see "https://github.com/prometheus/prometheus" in the body of the
>>>>>>>> email.
>>>>>>>
>>>>>>> Apologies for the confusion, this sounds like a bug in the email
>>>>>>> content generator code. I will take a look at it later.
>>>>>>
>>>>>> I investigated this bug and it should be solved already. There was an
>>>>>> issue in the past, but we fixed it already. I thought it could be
>>>>>> related but I see this notification you are asking about is from
>>>>>> March. If you check the last notification sent on Thu, May 4, 2:03 AM,
>>>>>> it is correctly reporting about a single package (cortex only).
>>>>>>
>>>>>> Let me know if you have any further questions.
>>>>>>
>>>>>>> In this case, only a new CVE affecting consul has been created in
>>>>>>> our tracker
>>>>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>>>>>
>>>>>>> Still, this does not mean cortex and telegraf are affected, since
>>>>>>> this needs triage (i.e. understand if the code/version present in
>>>>>>> the rocks are indeed vulnerable).
>>>>>>>
>>>>>>> FYI the reason why https://github.com/prometheus/prometheus (and
>>>>>>> also https://github.com/gogo/protobuf) are listed in this email is
>>>>>>> because these 3 are the *only* upstream projects we are monitoring
>>>>>>> (because of the bug the 3 are incorrectly listed in the email, only
>>>>>>> consul should be). In other words, we are not scanning every
>>>>>>> upstream source project which is used to build cortex and telegraf.
>>>>>>>
>>>>>>> There are reasons why this service is very limited, and I hope this
>>>>>>> is/was clear. Let me know if you need more information.
>>>>>>>
>>>>>>> Emilia
>>>>>>>
>>>>>>>> ---------- Forwarded message ---------
>>>>>>>> From: <[email protected]>
>>>>>>>> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>>>>>> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex
>>>>>>>> and telegraf
>>>>>>>> To: <[email protected]>, <[email protected]>, <[email protected]>,
>>>>>>>> <[email protected]>, <[email protected]>, <[email protected]>
>>>>>>>>
>>>>>>>> New CVEs affecting packages used to build upstream based rocks have
>>>>>>>> been created in the Ubuntu CVE tracker:
>>>>>>>>
>>>>>>>> * https://github.com/gogo/protobuf:
>>>>>>>> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>>>>>> * https://github.com/prometheus/prometheus:
>>>>>>>>
>>>>>>>> Please review your rock to understand if it is affected by these
>>>>>>>> CVEs.
>>>>>>>>
>>>>>>>> Thank you for your rock and for attending to this matter.
>>>>>>>>
>>>>>>>> References:
>>>>>>>>
>>>>>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>>>>>> Post to : [email protected]
>>>>>>>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>>>>
>>>>>>>> --
>>>>>>>> Cris
>>>>>
>>>>> --
>>>>> Cris
>>
>> --
>> Cris

--
Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
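Two points raised in the thread above lend themselves to a worked example: the notification generator should list only the monitored projects that actually have new CVEs (the bug that put all three projects in the March mail), and projects should be mapped to rocks so each ROCK gets its own notification instead of one general mail. The script below is an added example, not the security team's service code or anything from the Canonical repositories. The rockcraft.yaml fragments, the upstream repos assumed for the cortex and telegraf rocks, and the CVE-XXXX-XXXXX / CVE-YYYY-YYYYY ids are all constructed for the example; only the CVE-2023-0845 -> hashicorp/consul entry, the three monitored projects and the tracker URL pattern come from the thread.

```python
"""Constructed example of a per-ROCK CVE notification generator.

Not Canonical's service code. The rockcraft.yaml fragments, the repos assumed
for cortex and telegraf, and the CVE-XXXX-XXXXX / CVE-YYYY-YYYYY ids are
constructed; only CVE-2023-0845 -> hashicorp/consul comes from the thread.
"""
import re

# The three upstream projects the thread says the service monitors.
MONITORED = {"prometheus/prometheus", "gogo/protobuf", "hashicorp/consul"}

# URL pattern used in the references section of the thread's notification.
TRACKER = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"

# Constructed rockcraft.yaml fragments keyed by rock name. rockcraft declares
# build inputs as parts with a `source:`; the repos given to cortex and
# telegraf here are an assumption made for the example.
ROCKS = {
    "prometheus": """\
name: prometheus
parts:
  prometheus:
    source: https://github.com/prometheus/prometheus
""",
    "cortex": """\
name: cortex
parts:
  cortex:
    source: https://github.com/cortexproject/cortex.git
  consul:
    source: https://github.com/hashicorp/consul
""",
    "telegraf": """\
name: telegraf
parts:
  protobuf:
    source: https://github.com/gogo/protobuf/
""",
}

# Newly created tracker entries as (cve_id, upstream_repo) pairs.
NEW_CVES = [
    ("CVE-2023-0845", "hashicorp/consul"),        # from the thread
    ("CVE-XXXX-XXXXX", "prometheus/prometheus"),  # constructed placeholder
    ("CVE-YYYY-YYYYY", "cortexproject/cortex"),   # placeholder; not monitored
]

# Matches `source:` lines pointing at GitHub; tolerates .git and a trailing /.
_SOURCE_RE = re.compile(
    r"^\s*source:\s*https?://github\.com/([^/\s]+)/([^/\s]+?)(?:\.git)?/?\s*$",
    re.MULTILINE,
)


def upstream_repos(rockcraft_yaml: str) -> set:
    """Return owner/repo for every GitHub `source:` in a rockcraft fragment."""
    return {f"{owner}/{repo}" for owner, repo in _SOURCE_RE.findall(rockcraft_yaml)}


def group_by_project(new_cves, monitored=MONITORED) -> dict:
    """Map monitored project -> sorted new CVEs, keeping only projects that
    actually have one, so the mail never lists every monitored project."""
    grouped = {}
    for cve_id, repo in new_cves:
        if repo in monitored:
            grouped.setdefault(repo, []).append(cve_id)
    return {repo: sorted(cves) for repo, cves in sorted(grouped.items())}


def render(scope: str, affected: dict) -> tuple:
    """Build (subject, body) in the shape of the thread's notification mail."""
    lines = [
        "New CVEs affecting packages used to build upstream based rocks have been",
        "created in the Ubuntu CVE tracker:",
        "",
    ]
    lines += [f"* https://github.com/{repo}: {', '.join(cves)}" for repo, cves in affected.items()]
    lines += ["", "Please review your rock to understand if it is affected by these CVEs.",
              "", "References:", ""]
    lines += [TRACKER + cve_id for cves in affected.values() for cve_id in cves]
    return f"CVEs potentially affecting {scope}", "\n".join(lines)


def notifications(rocks, new_cves, per_rock=True) -> list:
    """One general mail (per_rock=False), or one mail per rock that builds from
    an affected project; rocks without a hit get nothing."""
    affected = group_by_project(new_cves)
    if not affected:
        return []
    if not per_rock:
        return [render("upstream based ROCKs", affected)]
    mails = []
    for rock, yaml_text in sorted(rocks.items()):
        hits = {repo: cves for repo, cves in affected.items() if repo in upstream_repos(yaml_text)}
        if hits:
            mails.append(render(rock, hits))
    return mails


if __name__ == "__main__":
    for subject, body in notifications(ROCKS, NEW_CVES):
        print(subject, body, sep="\n", end="\n\n")
```

Reading the project-to-rock mapping out of each rock's `source:` lines (the place the rockcraft.yaml link in the thread points at) keeps the mapping from drifting away from what the rock is actually built from; the regex is a deliberate simplification of real rockcraft parsing and only handles GitHub sources. With the constructed inputs, telegraf (protobuf only) gets no mail, cortex gets one for consul, and prometheus gets one for the placeholder entry, while the CVE against an unmonitored project is dropped.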

