
Setup cargo audit (or similar) to report dependency CVEs and validate license

Open howardjohn opened this issue 3 years ago • 9 comments

howardjohn avatar Oct 19 '22 21:10 howardjohn

I'm happy to add this once there's CI. Is the plan to use GitHub Actions or something else?

thesurlydev avatar Nov 09 '22 19:11 thesurlydev

We use Prow. The job config is in https://github.com/istio/test-infra/blob/master/prow/config/jobs/ztunnel.yaml; it's already running on the repo. So quick presubmits can be added to make presubmit; if we want to add more jobs in parallel they can be added to that YAML.

For CVEs we probably don't want to block PRs, so we can make that a nightly job. License checking could be a presubmit (assuming it's fast?)

howardjohn avatar Nov 09 '22 20:11 howardjohn

We can use cargo audit (or similar) to automatically notify us of CVEs in our dependencies.

The process of handling reports and eventually patching will be shared with the rest of Istio.

Rust/library specific CVEs will be included in Istio’s security bulletins.

stevenctl avatar Nov 09 '22 20:11 stevenctl
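The two comments above sketch a split policy: dependency CVE checks should notify rather than block PRs, with a stricter nightly job on top. The script below is an added example, not code from the ztunnel repository or the PR discussed in this thread. It triages the JSON that `cargo audit --json` emits, using an ignore list of advisory IDs for findings that are already triaged and a blocking flag that distinguishes the nightly job (fail on any unignored vulnerability) from the presubmit (report only). The JSON layout it reads (`vulnerabilities.list[].advisory.{id,title}`, `.package.{name,version}`, and per-kind lists under `warnings`) is assumed from cargo-audit's output, and the embedded report, including its `RUSTSEC-0000-000N` IDs and `example-crate` names, is constructed sample input, not real advisories.

```python
"""Triage `cargo audit --json` output for a CI job (added example).

Usage in a presubmit (never fails the build):
    cargo audit --json > audit.json && python triage_audit.py audit.json
Usage in a nightly job (fails on any unignored vulnerability):
    cargo audit --json > audit.json && python triage_audit.py audit.json --block
"""
import json
import sys
from dataclasses import dataclass

# Advisory IDs that have been triaged and accepted for now. Hypothetical values.
IGNORED_ADVISORIES = {"RUSTSEC-0000-0002"}

# Constructed sample report in the assumed shape of `cargo audit --json`.
# The IDs, crate names and versions are placeholders, not real advisories.
SAMPLE_AUDIT_JSON = """
{
  "vulnerabilities": {
    "found": true,
    "count": 2,
    "list": [
      {"advisory": {"id": "RUSTSEC-0000-0001", "title": "Out-of-bounds read in parser"},
       "package": {"name": "example-crate", "version": "0.1.0"}},
      {"advisory": {"id": "RUSTSEC-0000-0002", "title": "Denial of service via deep nesting"},
       "package": {"name": "other-example", "version": "2.3.4"}}
    ]
  },
  "warnings": {
    "unmaintained": [
      {"kind": "unmaintained",
       "advisory": {"id": "RUSTSEC-0000-0003", "title": "crate is unmaintained"},
       "package": {"name": "stale-example", "version": "0.9.0"}}
    ],
    "yanked": [
      {"kind": "yanked", "package": {"name": "yanked-example", "version": "1.0.1"}}
    ]
  }
}
"""


@dataclass(frozen=True)
class Finding:
    advisory_id: str  # "" for warnings that carry no advisory (e.g. yanked crates)
    crate: str
    version: str
    title: str


def parse_audit_report(text: str) -> tuple[list[Finding], list[Finding]]:
    """Split a cargo-audit JSON report into (vulnerabilities, warnings)."""
    report = json.loads(text)
    vulns = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = entry["advisory"], entry["package"]
        vulns.append(Finding(adv["id"], pkg["name"], pkg["version"], adv.get("title", "")))
    warnings = []
    # Warnings are grouped by kind (unmaintained, yanked, ...); flatten them.
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            adv = entry.get("advisory") or {}
            pkg = entry["package"]
            warnings.append(Finding(adv.get("id", ""), pkg["name"], pkg["version"],
                                    adv.get("title", kind)))
    return vulns, warnings


def triage(vulns: list[Finding], ignored: set[str], blocking: bool) -> tuple[int, list[Finding]]:
    """Return (exit_code, actionable findings).

    Ignored advisories are dropped. Remaining vulnerabilities fail the job only
    when `blocking` is set (nightly); a presubmit run reports them and exits 0.
    """
    actionable = [v for v in vulns if v.advisory_id not in ignored]
    exit_code = 1 if (blocking and actionable) else 0
    return exit_code, actionable


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print(__doc__)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        vulns, warnings = parse_audit_report(f.read())
    code, actionable = triage(vulns, IGNORED_ADVISORIES, blocking="--block" in argv)
    for v in actionable:
        print(f"VULN  {v.advisory_id} {v.crate} {v.version}: {v.title}")
    for w in warnings:
        print(f"WARN  {w.advisory_id or '-'} {w.crate} {w.version}: {w.title}")
    print(f"{len(actionable)} unignored vulnerabilities, {len(warnings)} warnings, exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the ignore list in the script (or a checked-in file next to it) means an accepted advisory is a reviewed change rather than a silent CI override, and the `--block` flag is the only difference between the presubmit and nightly invocations.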

@hypernovasunnix is taking care of this, but I can't assign her since she's not a member of the Istio org yet

keithmattix avatar Dec 01 '22 21:12 keithmattix

OOO - paused

stevenctl avatar Dec 05 '22 19:12 stevenctl

@keithmattix any update? And we should add @hypernovasunnix via istio/community after she submits 1 PR

stevenctl avatar Dec 12 '22 19:12 stevenctl

PR incoming, no longer paused.

stevenctl avatar Dec 12 '22 19:12 stevenctl

PR out for review

SkyfireFrancisZ avatar Dec 15 '22 19:12 SkyfireFrancisZ

Logic is merged, getting it into prow is in https://github.com/istio/tools/pull/2330

howardjohn avatar Jan 19 '23 23:01 howardjohn