[CDRIVER-5535] Add a vulnerability report artifact to the release archive #1649
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eramongodb
requested changes
Jun 21, 2024
Co-authored-by: Ezra Chung <[email protected]>
|
Note: These changes are paused pending resolution of some ambiguity in the third-party vuln reporting requirements. |
Part of vulnerability reporting requirements is that we continually monitor past in-support releases for the discovery of new vulnerabilities within bundled dependencies. Add a release step to create a Snyk target for monitoring a snapshot of the vulnerabilities in the repository at the time of the release.
|
One of the checklist items for conformance is:
I have added additional process and automation to address this goal. This is separate (but related) to the requirement for the vulnerability report itself. |
- Details on using Snyk to snapshot and monitor release versions. - Details on updating the new etc/third_party_vulnerabilities.md file. - Release process steps are introduced for updating vulnerability tracking. - Remove snyk-vulns and vuln-report-md automation
|
I have added and removed content significantly since the initial changeset. The new changes are based on ongoing conversations with team members about the stated goals of vulnerability tracking and what options we actually have available to us. |
eramongodb
approved these changes
Jun 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
At long last, this final changeset should complete the work for CDRIVER-5535. It builds upon the previous PRs that introduced additional processes, scripts, and documentation, and defines the final 3rd party vulnerabilities report that is included as a release artifact.
Summary
The process defined here expands upon the approaches from those taken in libmongocrypt and the C++ driver. It more explicitly defines the content of
third_party_vulnerabilities.mdand what and when items should be added or removed.Considerations
Why not use Snyk
monitorand rely on the augmented SBOM?snyk monitortakes a snapshot of the working directory and posts it to Snyk, where Snyk effectively runssnyk testrepeatedly on a schedule, with the test results posted to the Snyk target/project that corresponds to the snapshot. This allows for notifications when new vulnerabilities are issued on past snapshots of the repository.The overall intended design was that Snyk would detect vulnerabilities, Silk would collect them together, and then Silk would filter the dependencies based on the content of the SBOM lite (i.e. to remove false-positives). The resulting filtered vulnerabilities from Snyk would be inserted into the augmented SBOM. The augmented SBOM would then be the primary release artifact for vulnerability reporting.
For creation of the vulnerability report, the following points were considered when deciding not to rely on the augmented SBOM:
snyk monitorsnapshot, and must correspond to a branch in the upstream repository. The association between a Snyk monitor and an asset group requires that snapshots be specifically tied to branches rather than release versions. We want to snapshot a release at the exact point it was taken, and not rely on the Snyk target reference name coinciding with an asset group branch name. We want to monitor past releases, and not just the tip of the release branch.Does this make the SBOM pointless?
No. The SBOM still gives us structured data to represent our dependencies, including those that are not known to Snyk.
Does this make the augmented SBOM pointless?
Maybe?
If
snyk monitoris not executed to create a snapshot for the repository, then Silk will never accrue vulnerabilities to be added to the augmented SBOM.IMO, we can do better with a semi-manual process that is enhanced by Snyk's automation.
What about false-positives from Snyk?
When Snyk reports vulnerabilities and/or dependencies in the repository that are/would not actually be present in the release, it is plainly visible that something is amiss. We only have one (true positive) vulnerability at the moment, so this appears to be a non-issue. The problem can be revisited in the future if false positives become a common occurrence.
What about false-negatives from Snyk?
If there are actual dependencies and/or vulnerabilities that are missed by Snyk, then they would never have appeared in the augmented SBOM anyway. Currently,
jsonsl,uthash, andutf8procare not detected by Snyk, despite being present in the repository. It appears that these libraries are not tracked by Snyk in their package database, so adding them is beyond the reach of just fiddling with thesnykCLI.The correction of false-negatives has been ruled out as out-of-scope for the overall project.
What about the MUST/SHOULD requirements from the linked ticket?
The following emphasized clause conflicts with these changes:
Over the past few weeks, issues have arisen as the implementation of Silk+Snyk was explored within the C driver that would make the process overly cumbersome and error-prone. Following discussion with various teams that are deploying these tools, the processes that are outlined in this changeset are intended to meet the intent of the above requirements without necessarily matching the wording. Manually removing false-positives has been determined to be trivial for this repository.
What About Automatic Jira Reporting via Silk?
One of the stated goals of using Silk is to support the automatic creation of Jira issues corresponding to vulnerabilities that appear in monitored dependencies. This integration is not currently working, and our dependency set is currently so small that we can get away with doing it all "by hand" for now.