
Create guidance on triaging build time dependency vulnerabilities

Open PushkarJ opened this issue 3 years ago • 8 comments

Description: Vulnerability scanners detect CVEs in build-time dependencies. But best practices to triage these vulnerabilities are unclear.

Impact: Adding docs, based on experiences and anecdotes, that many projects can follow would be useful.

Scope: Write best practices with examples like:

  • Focus on highest severity CVEs first
  • Document if not exploitable as a security advisory or GitHub issue
  • Patch when exploitable and fixed by upstream dependency
  • Define roles and responsibilities

Meeting minutes where this was discussed: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.bssmkroi6sff and youtube recording: https://www.youtube.com/watch?v=MBHdvYW6YjI

cc @anvega @lumjjb @fkautz @ionut-arm

PushkarJ avatar Feb 02 '22 18:02 PushkarJ

Also make sure the time of the attestation is present. New information may change outcomes of the process.

fkautz avatar Feb 02 '22 20:02 fkautz
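As an added example (not code from the issue or from the tag-security repo), a small triage pass over constructed scanner findings that applies the ordering in the scope list above and records the time of the assessment, as the comment above asks for. The CVE ids, package names, VEX-style "not_affected" records and the 180-day re-review interval are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample scanner output for build-time dependencies (not a real scan).
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "package": "buildtool-a", "severity": "LOW", "fixed_version": "1.0.4"},
    {"id": "CVE-EXAMPLE-0002", "package": "buildtool-b", "severity": "CRITICAL", "fixed_version": "2.1.0"},
    {"id": "CVE-EXAMPLE-0003", "package": "buildtool-c", "severity": "HIGH", "fixed_version": None},
    {"id": "CVE-EXAMPLE-0004", "package": "buildtool-d", "severity": "HIGH", "fixed_version": "0.9.1"},
]

# Constructed triage records in the spirit of VEX "not_affected" statements.
# Each carries an owner and the time of the assessment so it can be re-evaluated
# when new information appears.
ASSESSMENTS = {
    "CVE-EXAMPLE-0003": {"status": "not_affected", "owner": "build-maintainer",
                         "justification": "vulnerable code path is never reached during the build",
                         "assessed_at": "2022-02-07T15:00:00Z"},
    "CVE-EXAMPLE-0004": {"status": "not_affected", "owner": "build-maintainer",
                         "justification": "only affects a feature the build does not enable",
                         "assessed_at": "2021-03-01T00:00:00Z"},
}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
MAX_ASSESSMENT_AGE = timedelta(days=180)  # assumed re-review interval


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(findings, assessments, now):
    """Return (cve_id, action) pairs, highest severity first."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    plan = []
    for f in ordered:
        a = assessments.get(f["id"])
        if a and a["status"] == "not_affected":
            if now - _parse_ts(a["assessed_at"]) > MAX_ASSESSMENT_AGE:
                action = "reassess"    # documented as not exploitable, but the record is stale
            else:
                action = "document"    # keep the advisory / issue; no patch needed
        elif f["fixed_version"]:
            action = "patch"           # exploitable (or unknown) and upstream has a fix
        else:
            action = "investigate"     # exploitable (or unknown) with no upstream fix yet
        plan.append((f["id"], action))
    return plan


if __name__ == "__main__":
    for cve, action in triage(FINDINGS, ASSESSMENTS, datetime.now(timezone.utc)):
        print(cve, action)
```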

I'll try to write up my notes and thoughts on this; I'm currently digging a bit deeper in the Rust ecosystem for this.

ionut-arm avatar Feb 03 '22 12:02 ionut-arm

This could become a document to put under https://github.com/cncf/tag-security/tree/main/project-resources!

lumjjb avatar Feb 07 '22 15:02 lumjjb

Would love to see what you come up with. As the ecosystem evolves, I’ll add guidance on SBOM integration with CVEs and VEX.

On Mon, Feb 7, 2022 at 7:21 AM Brandon Lum @.***> wrote:

This could become a document to put under https://github.com/cncf/tag-security/tree/main/project-resources!


--

Frederick F. Kautz IV

fkautz avatar Feb 07 '22 15:02 fkautz

Hi all, apologies for the long delay. I've made a markdown version with some guidance on build-time dependency vulnerabilities available here. Feel free to comment/modify as you please. It's fairly short, I wasn't sure just how much to go into detail and where.

ionut-arm avatar Feb 21 '22 15:02 ionut-arm

This is awesome @ionut-arm! Would you like to create a PR for this to the repo? This is definitely something the community at large can benefit from! Would be easier to get comments too!

lumjjb avatar Feb 21 '22 21:02 lumjjb

Alright, I have finally opened that PR; many apologies for the delay.

ionut-arm avatar Apr 06 '22 10:04 ionut-arm

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Jun 18 '22 20:06 stale[bot]

https://github.com/cncf/tag-security/pull/887 merged

anvega avatar Jun 21 '23 01:06 anvega