
Security Disclosure document is out of date

Open adoliver opened this issue 2 years ago • 11 comments

Short description

The SECURITY.md document is not up to date with google removing RSS and with DWF dissolving. For PCI compliance I am looking to have automated notifications when my dependencies have security vulnerabilities. The ability to accomplish that seems to have been lost since the document was last updated.

At this point I did not find the ability to track either:

  • A programmatically searchable feed
  • A specific product or vendor in CVE listings

Examples:

  • You can no longer construct a google groups RSS feed via the help thread suggestions.
    • My attempt to access the old RSS url no longer works. (screenshot)
    • The only other option I know of is to do HTML scraping and that is very brittle to be used for a security notification process
  • I tried searching for the OPA project in CVE vendors or products. And only found the following Cornelis Networks vendors/products:
    • https://www.cvedetails.com/vendor/16567/Opa-fm-Project.html
    • https://www.cvedetails.com/vendor/16567/Opa-ff-Project.html

Expected behavior

Some documentation of vulnerability disclosure which includes where to programmatically discover new disclosures when they are publicly announced.

comments

With a reserved identity in CVE system the onus could be on the rest of us to set up tracking for CVEs under that identity. Without that known identity I would have to rely on keyword matching the entire CVE content; making the process pull in numerous false-positives and being unable to validate the system in any way since there are no CVEs yet.

I would be content with an email list, but I imagine that would be a hassle for the project to maintain. My own request to join the announcement google group to receive notifications is still in limbo.

Offer to assist

I would be willing to devote time to figuring out a solution, but I am unaware of the project security team's process and what would be considered viable.

adoliver avatar Jan 24 '22 22:01 adoliver

Thanks for filing this. Can you elaborate a bit more about the process of obtaining a reserved identity in CVE system. I do not think other graduated projects have obtained one either but it would be helpful to know what the process entails.

ashutosh-narkar avatar Jan 24 '22 23:01 ashutosh-narkar

The documentation mentioned that part of the disclosure process was creating a CVE, so I thought that knowledge was already present.

It's all new to me as well, but I can take a look at how CVEs are created, what's needed, etc. And report back.

adoliver avatar Jan 25 '22 00:01 adoliver

Thanks for looking into this. Afaik, first there is a disclosure of the vulnerability and then a CVE ID is assigned to it.

ashutosh-narkar avatar Jan 25 '22 02:01 ashutosh-narkar

One option would be to use GitHub's Security Advisory feature. This allows us to draft and collaborate on the security advisory itself and then request a CVE. @adoliver any thoughts on that?

cc @srenatus

tsandall avatar Feb 03 '22 17:02 tsandall

+1, GitHub's feature also allows collaborating on the code fix itself in a responsible way.

srenatus avatar Feb 03 '22 18:02 srenatus

@tsandall We don't directly have this github repo as a dependency in any of our projects. We download and deploy the official docker container in our pipeline. I didn't notice any way to get notified of an advisory without having a github project with a dependency on this repo.

Our situation is we use gitlab and deploy a docker container. I'll have to look and see if there is a way to maybe have a dummy fork of this repo just to get the advisories.

adoliver avatar Feb 10 '22 13:02 adoliver

@adoliver we can set up a team in the OPA organization and invite select people to it--however, the main purpose of using the feature is that it lets us request CVEs easily. For example, we ran into a relatively obscure issue last month and we tested out the process here:

https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58

What came out of that is a CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-23628

I'm assuming that you would be able to just get notified about the CVE through existing channels. Is that true?

tsandall avatar Feb 11 '22 16:02 tsandall

@tsandall Apologies for the slow responses, navigating some hard deadlines and long hours at work.

I am probably ignorant of the "existing channels." This is my first deep dive into the CVE mechanisms. From what I can tell, because we deploy the official docker container pretty much directly (we have a local copy on our network and a sync process) there aren't any systems like NPM or a Go package manager which would inform us when a new opa CVE is released.

Would there be a situation where a CVE has not been created, but there would be mitigation steps that users should take during the investigation? The current SECURITY.md has a shorter timeline for disclosure in a public channel than the timeline for creating a CVE. That suggested to me that there might be situations where mitigations would need to be disclosed before the CVE was generated.

How would you plan to communicate various mitigation steps besides a version upgrade, in the CVE description? e.g. log4shell had mitigations which could be implemented until dependencies could be updated

Possible existing channels I can pursue:

  1. Searching the entire CVE database directly against the string "opa".
    1. seems problematic for false positives and on the off-chance the description would fail to contain "opa".
    2. Is there a CVE record attribute which would be guaranteed to exist and uniquely identify open-policy-agent in it when your team creates the CVE? I'm thinking of some small confusion I previously had with cornelis networks--though not related to CVE issues.
  2. Creating a fork of the open-policy-agent repo for the sake of being notified with github advisories
  3. I will spend more time looking and see if there is something similar to npm vulnerabilities for your docker source image.

When I get a respite from my current work schedule I will investigate the above which seem to be my best current options. The previously available google groups RSS seemed like a really simple way to get information "from the horse's mouth", but I respect wanting a streamlined process without extra steps if possible. When two information flows exist, one could always get forgotten by accident.

If you have any suggestions for something I'm missing I'm all ears.

adoliver avatar Feb 28 '22 06:02 adoliver

@tsandall update regarding searching the CVE database directly being somewhat unreliable.

This is just to demonstrate how searching can pretty easily go wrong without a concrete target.

I just noticed CVE-2017-11133 is not found by a simple CVE database word search. If you use the mitre's own website you will not find this CVE by searching for "CryptoJS" which appears in the description, but does not provide CVE-2017-11133. mitre must only search whole words, not substrings. Happened to run across this working on a different project; In this case I was curious about possible CVEs for a javascript cryptography library I am working with, but with this kind of behavior a negative result doesn't provide much confidence.

adoliver avatar Mar 02 '22 00:03 adoliver

Heya!

This is just to demonstrate how searching can pretty easily go wrong without a concrete target.

Your point certainly is valid for some software products. With OPA, I believe the overlap with other projects to be limited. Furthermore, do you know the Common Platform Enumeration (CPE)? It should have identifiers that allow you to track a certain software product directly, without any false positives or mixups.

Looking at our current only CVE, https://www.cvedetails.com/cve/CVE-2022-23628/, it already features a CPE id for OPA: cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*.

OpenCVE lets you search for vulnerabilities by CPE product; and it seems like you can even subscribe to that once you've registered an account there.

I would think that there must be something useful in the NVD area (https://nvd.nist.gov/vuln/data-feeds), too, but I haven't found it yet.

srenatus avatar Mar 10 '22 08:03 srenatus
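The contrast the thread draws between keyword search and CPE-based tracking, as an added example (not code from the OPA project or from anyone in this thread). It parses CPE 2.3 strings and filters NVD-style records by vendor/product; the records are constructed samples, and only CVE-2022-23628 and its CPE string come from the thread, while the other two entries, their descriptions and their CPEs are placeholders.

```python
"""Match NVD-style CVE records by CPE vendor/product instead of by keyword."""
import re

# Constructed sample records in a simplified NVD-like shape (not real NVD data).
# Only the first id and its CPE come from the thread; the description is a placeholder.
SAMPLE_CVES = [
    {"id": "CVE-2022-23628",
     "description": "Open Policy Agent (OPA) issue (placeholder description).",
     "cpes": ["cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0001",  # placeholder: an unrelated product whose text says "opa"
     "description": "Opa-fm fabric manager issue (placeholder description).",
     "cpes": ["cpe:2.3:a:example_vendor:opa-fm:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0002",  # placeholder: unrelated product, no "opa" anywhere
     "description": "Memory corruption in an unrelated library (placeholder).",
     "cpes": ["cpe:2.3:a:example_vendor:other_lib:1.0:*:*:*:*:*:*:*"]},
]

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into named components.

    Colons inside a component are escaped as '\\:' in CPE 2.3, so split only
    on unescaped colons; a naive str.split(":") would break such strings.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def keyword_matches(cves, word):
    """Case-insensitive substring search over descriptions: what a plain
    'search for opa' gives you, including unrelated products."""
    return [c["id"] for c in cves if word.lower() in c["description"].lower()]


def cpe_matches(cves, vendor, product):
    """Exact vendor/product match on each record's CPE list, ignoring the
    version and later fields, so tracking is independent of description text."""
    hits = []
    for c in cves:
        if any(parse_cpe(x)["vendor"] == vendor and parse_cpe(x)["product"] == product
               for x in c["cpes"]):
            hits.append(c["id"])
    return hits
```

Running `keyword_matches(SAMPLE_CVES, "opa")` returns both the OPA record and the unrelated "Opa-fm" placeholder, while `cpe_matches(SAMPLE_CVES, "openpolicyagent", "open_policy_agent")` returns only CVE-2022-23628.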

Is there anything actionable left here, or can we close this issue?

anderseknert avatar May 30 '22 13:05 anderseknert