Hi all,

Following up on this issue...
On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <[email protected]> wrote:
> Hi all,
>
> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>> Sounds good to me. @Emilia Torino do you need those repos to exist in
>> Docker Hub before you can onboard these?
>
> We don't. Since we don't scan the upstream based ROCKs (we only need
> this for the deb based ones).
>
>> On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <[email protected]> wrote:
>>
>>> Hello everyone,
>>>
>>> as mentioned before, the ROCKs we have are all based on upstream
>>> projects; the list is the following, as required:
>>>
>>> * Alertmanager (https://github.com/prometheus/alertmanager)
>>> * Grafana Agent (https://github.com/grafana/agent)
>>> * Grafana (https://github.com/grafana/grafana)
>>> * Loki (https://github.com/grafana/loki)
>>> * Mimir (https://github.com/grafana/mimir)
>>> * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>> * Traefik (https://github.com/traefik/traefik)
>>>
>>> Please let me know if any of these qualifies!
>
> I am not sure how urgent is this, but if you help me identify the Ubuntu
> source packages associated we can make this faster. Otherwise we can
> work on this next week.
> Did you have a chance to check this?
>
>>> Cheers,
>>>
>>> Luca
>>>
>>> On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>>>
>>>>> So the only change from our side will be to add
>>>>> prometheus to the email notification subject (or I guess we
>>>>> can just
>>>>> simple replace it with "CVEs potentially affecting upstream based
>>>>> ROCKs"). Are the email recipients the same ones for the other
>>>>> ones?
>>>>
>>>> I think that would be fine for now. I'm reluctant to use the
>>>> mailing list as a catch-all, but I think we can re-design this
>>>> once there is an event bus at Canonical, so we rely less on emails.
>>>>
>>>> As for the other 10 ROCKs, @Luca Bello let's first do the right due
>>>> diligence on those, cause if a ROCK is not meant to be under the
>>>> "ubuntu" namespace, then this security monitoring doesn't need to
>>>> apply.
>>>>
>>>> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> On 31/5/23 04:03, Luca Bello wrote:
>>>>>> Hi everyone,
>>>>>>
>>>>>> as said in the thread already, the prometheus image is indeed a ROCK
>>>>>> based on the *prometheus/prometheus* repository.
>>>>>
>>>>> That's very convenient. But just to be clear again, we are not
>>>>> "inspecting" the upstream based rocks the same way we do for the deb
>>>>> based ones. We are only monitoring new CVEs created for prometheus,
>>>>> protobuf and consul. So the only change from our side will be to add
>>>>> prometheus to the email notification subject (or I guess we can just
>>>>> simple replace it with "CVEs potentially affecting upstream based
>>>>> ROCKs"). Are the email recipients the same ones for the other ones?
>>>>>
>>>>>> We're in the process of updating all of our ROCKs in a similar way,
>>>>>> meaning we want to make sure we are complying with any guidelines you
>>>>>> might have on them.
>>>>>> We have about 10 ROCKs at the moment, mostly based on upstream projects
>>>>>> just like this one. Should I share the full list, so you can track them?
>>>>>
>>>>> I am happy to do an analysis of this list to see if we can add more. The
>>>>> short answer would be that if the software is packaged as a deb in main
>>>>> or universe (which is the situation for prometheus, protobuf and consul)
>>>>> then we can simply add them. This is because the service is based on the
>>>>> existing CVE triage work the security team does, which is mainly for
>>>>> debs (although now is being extended to other ecosystems because of SOSS
>>>>> but it is still limited and mainly supporting NVIDIA software).
>>>>>
>>>>> A simple improvement though could be to map the projects to the rocks so
>>>>> you dont get a general notification, but one per ROCK as the USNs/debs
>>>>> based service does. We can work on adding this for the next cycle.
>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Luca
>>>>>>
>>>>>> On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>>>>> Thank you for the swift action, Emilia!
>>>>>>>
>>>>>>>> Does this
>>>>>>>> relate to a question being asked some hours ago in
>>>>>>>> ~Security
>>>>>>>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>>>
>>>>>>> Yes, precisely. @Luca Bello is in
>>>>>>> the process of updating that image and we're re-doing our due diligence.
>>>>>>> Luca can confirm, but this seems to be a ROCK based precisely on that
>>>>>>> upstream Prometheus repository that you are already monitoring
>>>>>>> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>>>>>
>>>>>>> Can we then add this image to your list of tracked ROCKs?
>>>>>>>
>>>>>>> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> On 30/5/23 13:14, Emilia Torino wrote:
>>>>>>>>> Hi Cristovao,
>>>>>>>>>
>>>>>>>>> On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>>>>>>>> Hi Emilia,
>>>>>>>>>>
>>>>>>>>>> could you please confirm the `prometheus` container image is being
>>>>>>>>>> monitored?
>>>>>>>>>
>>>>>>>>> I don't see prometheus being monitored by our services (not as a rock
>>>>>>>>> based on upstream source code nor as a rock based on debs). Does this
>>>>>>>>> relate to a question being asked some hours ago in
>>>>>>>>> ~Security
>>>>>>>>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>>>>>>
>>>>>>>>>> These emails' subject only mentions cortex and telegraf, but
>>>>>>>>>> I can see "https://github.com/prometheus/prometheus" in the body of the
>>>>>>>>>> email.
>>>>>>>>>
>>>>>>>>> Apologize for the confusion, this sounds like a bug in the email content
>>>>>>>>> generator code. I will take a look at it later.
>>>>>>>>
>>>>>>>> I investigated this bug and it should be solved already. There was an
>>>>>>>> issue in the past, but we fixed it already. I thought it could be
>>>>>>>> related but I see this notification you are asking is from March. If you
>>>>>>>> check the last notification sent on Thu, May 4, 2:03 AM is correctly
>>>>>>>> reporting about a single package (cortex only).
>>>>>>>>
>>>>>>>> Let me know if you have any further question.
>>>>>>>>
>>>>>>>>> In this case, only a new
>>>>>>>>> CVE affecting consul has been created in our tracker
>>>>>>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>>>>>>>
>>>>>>>>> Still, this does not mean cortex and telegraf are affected, since this
>>>>>>>>> needs triage (i.e. understand if the code/version present in the rocks
>>>>>>>>> are indeed vulnerable).
>>>>>>>>>
>>>>>>>>> FYI the reason why https://github.com/prometheus/prometheus (and also
>>>>>>>>> https://github.com/gogo/protobuf) are listed in this email, is because
>>>>>>>>> these 3 are the *only* upstream projects we are monitoring (because of
>>>>>>>>> the bug the 3 are incorrectly listed in the email, only consul should
>>>>>>>>> be). In other words, we are not scanning every upstream source project
>>>>>>>>> which is used to build cortex and telegraf.
>>>>>>>>>
>>>>>>>>> There are reasons why this service is very limited, and I hope this
>>>>>>>>> is/was clear. Let me know if you need more information.
>>>>>>>>>
>>>>>>>>> Emilia
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------- Forwarded message ---------
>>>>>>>>>> From: <[email protected]>
>>>>>>>>>> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>>>>>>>> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>>>>>>>>>> To: <[email protected]>, <[email protected]>, <[email protected]>,
>>>>>>>>>> <[email protected]>, <[email protected]>, <[email protected]>
>>>>>>>>>>
>>>>>>>>>> New CVEs affecting packages used to build upstream based rocks have been
>>>>>>>>>> created in the Ubuntu CVE tracker:
>>>>>>>>>>
>>>>>>>>>> * https://github.com/gogo/protobuf:
>>>>>>>>>> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>>>>>>>> * https://github.com/prometheus/prometheus:
>>>>>>>>>>
>>>>>>>>>> Please review your rock to understand if it is affected by these CVEs.
>>>>>>>>>>
>>>>>>>>>> Thank you for your rock and for attending to this matter.
>>>>>>>>>>
>>>>>>>>>> References:
>>>>>>>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>>>>>>>> Post to : [email protected]
>>>>>>>>>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>>>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Cris
>>>>>>>
>>>>>>> --
>>>>>>> Cris
>>>>
>>>> --
>>>> Cris
>> ____
>>
>> --
>> Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp
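The thread describes three behaviours of the notification service: only three upstream projects (prometheus, protobuf, consul) are monitored, the March email wrongly listed projects that had no new CVE, and Emilia proposes one notification per ROCK instead of a general one. The Python below is an added illustration of that per-ROCK, non-empty-only behaviour; it is not the Canonical service's own code, and the ROCK-to-project map and the tracker entries fed to it are constructed for the example (only CVE-2023-0845 against hashicorp/consul comes from the thread).

```python
"""Per-ROCK CVE notification builder: added illustration, not the service's own code.
Constructed inputs: the ROCK -> upstream project map is hypothetical; only
CVE-2023-0845 against hashicorp/consul is taken from the thread."""
from collections import defaultdict

# The only three upstream projects the service monitors, per the thread.
MONITORED = {
    "https://github.com/prometheus/prometheus",
    "https://github.com/gogo/protobuf",
    "https://github.com/hashicorp/consul",
}
# Constructed (hypothetical) map of which monitored projects each ROCK builds from.
ROCK_PROJECTS = {
    "cortex": {"https://github.com/hashicorp/consul", "https://github.com/gogo/protobuf"},
    "telegraf": {"https://github.com/hashicorp/consul"},
    "prometheus": {"https://github.com/prometheus/prometheus"},
}
TRACKER_BASE = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"


def new_cves_by_project(tracker_entries):
    """Group new tracker entries (project_url, cve_id), keeping monitored projects only."""
    grouped = defaultdict(set)
    for project, cve in tracker_entries:
        if project in MONITORED:
            grouped[project].add(cve)
    return grouped


def build_notifications(tracker_entries, rock_projects=ROCK_PROJECTS):
    """Return {rock: {"subject", "body"}} for ROCKs with at least one new CVE.
    A project without a new CVE is left out of the body, so the empty
    "* project:" lines of the March email cannot recur."""
    by_project = new_cves_by_project(tracker_entries)
    out = {}
    for rock, projects in sorted(rock_projects.items()):
        hit = {p: sorted(by_project[p]) for p in sorted(projects) if by_project.get(p)}
        if not hit:
            continue  # nothing new for this ROCK: send no email at all
        lines = [f"* {p}: {', '.join(cves)}" for p, cves in hit.items()]
        refs = sorted({TRACKER_BASE + c for cves in hit.values() for c in cves})
        body = ("New CVEs affecting packages used to build this upstream based ROCK\n"
                "have been created in the Ubuntu CVE tracker:\n\n" + "\n".join(lines)
                + "\n\nReferences:\n" + "\n".join(refs))
        out[rock] = {"subject": f"CVEs potentially affecting {rock}", "body": body}
    return out
```

With the March input (one consul CVE) the builder emits mails for cortex and telegraf only, each listing consul alone, and nothing for the prometheus ROCK.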

