A validation process is needed to ensure the SDK does not include any vulnerable components. This includes pre-disclosed vulnerabilities. See dotnet/dotnet-docker#5325 and #30659 for the background and how these may be "false positives". This validation should be automated and run as part of CI to ensure the SDK is in a clean state prior to shipping.
I do not believe this is possible with the tooling we have today. CG doesn't check for false positives in the deps.json file which we want to be clean on and doesn't flag before we release.
If the runtime knows a specific component is getting a security fix, we could potentially check every branch but that doesn't scale.
Potentially we could leverage nuget to tell us when a package is flagged assuming that support is coming @JonDouglas but that would still tell us after that component has shipped rather than before.
NuGet doesn't check deps.json, but we can absolutely provide auditing at development time. Perhaps dogfooding the recent .NET 9 Preview 6 functionality for transitives will be an interesting exercise here for at least known vulnerable top-level and transitive packages.
Do note that we simply report the awareness of what is vulnerable. There may in fact be false positives and future tooling and SBOM work will allow us to reduce these in the future.
The way I was checking this was scanning all binaries/deps/packages in the product drop and looking for inconsistencies. Flagging where we are referencing or shipping something older than we are shipping elsewhere. E.g. we ship package A 3.0.0, but reference 2.0.0 in the product. It's actually pretty straightforward if you have broad enough scope.
This doesn't capture external things that need to update. For that we have CG. For external things that haven't released yet - suppose a package that only ships out of a repo outside of dotnet - we need to feed in the data to such a test. I still think that's possible without too much work. It's just a difference in the algorithm of determining latest. In the first category above, latest is the max(everything we ship). For this case it would be the max(everything we ship, some data source).
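One way to implement the consistency check sketched in the comment above, as an added Python example rather than dotnet/sdk tooling: the shipped version sets, the deps.json fragments and the external feed are constructed sample data, and "latest" is the max over what ships, or over what ships plus the external data source when one is supplied.

```python
import json
from typing import Dict, Iterable, List, Optional, Tuple

def parse_version(v: str) -> tuple:
    """Order versions so 3.0.0 > 3.0.0-preview.6 > 2.0.0 (simplified SemVer)."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    # A release (empty prerelease tag) sorts after any prerelease of the same core.
    return (nums, pre == "", pre)

def referenced_packages(deps_json: str) -> List[Tuple[str, str, str]]:
    """Collect (referencing component, package, version) from a deps.json document."""
    doc = json.loads(deps_json)
    refs = []
    for target in doc.get("targets", {}).values():
        for owner, entry in target.items():
            for pkg, ver in entry.get("dependencies", {}).items():
                refs.append((owner, pkg, ver))
    return refs

def find_stale_references(shipped: Dict[str, Iterable[str]],
                          refs: List[Tuple[str, str, str]],
                          external: Optional[Dict[str, str]] = None) -> list:
    """Flag every reference to a version older than the newest known one."""
    latest = {pkg: max(vs, key=parse_version) for pkg, vs in shipped.items()}
    for pkg, ver in (external or {}).items():  # latest = max(shipped, data source)
        latest[pkg] = max([latest.get(pkg, ver), ver], key=parse_version)
    findings = []
    for owner, pkg, ver in refs:
        newest = latest.get(pkg)
        if newest and parse_version(ver) < parse_version(newest):
            findings.append((owner, pkg, ver, newest))
    return findings

# Constructed sample product drop (hypothetical names, not real packages).
SHIPPED = {"PackageA": {"3.0.0", "2.5.0"}, "PackageB": {"1.0.0"}}
DEPS_JSON_1 = json.dumps({"targets": {".NETCoreApp,Version=v8.0": {
    "ToolX/1.0.0": {"dependencies": {"PackageA": "2.0.0", "PackageB": "1.0.0"}}}}})
DEPS_JSON_2 = json.dumps({"targets": {".NETCoreApp,Version=v8.0": {
    "ToolY/1.0.0": {"dependencies": {"PackageA": "3.0.0", "External.Pkg": "4.1.0"}}}}})
EXTERNAL = {"External.Pkg": "4.2.0"}  # newest version fed in from outside the repo

def run() -> list:
    refs = referenced_packages(DEPS_JSON_1) + referenced_packages(DEPS_JSON_2)
    return find_stale_references(SHIPPED, refs, EXTERNAL)

if __name__ == "__main__":
    for owner, pkg, ver, newest in run():
        print(f"{owner} references {pkg} {ver} but {newest} is the newest known")
```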