dependencies: CVE scanner for repository_locations.bzl metadata. #13552

Merged: 3 commits, Oct 15, 2020

Conversation

htuch

@htuch htuch commented Oct 13, 2020

This is a custom CVE scanner that consumes the NIST CVE database and
heuristically matches against the CPEs, versions and last update stamps
in repository_locations.bzl.

Future PRs will create a CI job that runs this on a periodic basis
(every few hours) to provide a CVE early warning system.

Example output:

Based on heuristic matching with the NIST CVE database, Envoy may be vulnerable to:

CVE ID: CVE-2019-19391
CVSS v3 score: 9.1
Severity: CRITICAL
Published date: 2019-11-29
Last modified date: 2019-12-19
Dependencies: com_github_luajit_luajit
Description: ** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before
2.1.2 and other products, debug.getinfo has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and > options are
mishandled. NOTE: The LuaJIT project owner states that the debug
libary is unsafe by definition and that this is not a vulnerability.
When LuaJIT was originally developed, the expectation was that the
entire debug library had no security guarantees and thus it made no
sense to assign CVEs. However, not all users of later LuaJIT
derivatives share this perspective.
Affected CPEs:

  • cpe:2.3:a:moonjit_project:moonjit:*
  • cpe:2.3:a:luajit:luajit:*

Risk level: Low
Testing: cve_scan_test.py unit tests, manual.

Signed-off-by: Harvey Tuch [email protected]
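As an added example (not the PR's cve_scan.py, whose matching rules are not shown on this page), a minimal version of the heuristic the description sketches: match each dependency's CPE vendor/product against the CVE's cpe_match entries, apply the NVD version bounds, and use last_updated to skip dependencies that were likely updated past the fix. The NVD JSON 1.1 field names are real; the dependency values, the CVE record contents and the "updated after publication counts as patched" rule are this example's assumptions.

```python
# Added example (not the PR's cve_scan.py): heuristic CPE/version matching of a
# NIST-style CVE record against repository_locations.bzl-style dependency
# metadata. Field names follow the NVD JSON 1.1 feed; all data is constructed.
from datetime import date
# Constructed dependency metadata (wildcard-version cpe, version, last_updated).
DEPENDENCIES = {
    "com_github_luajit_luajit": {"cpe": "cpe:2.3:a:luajit:luajit:*",
                                 "version": "2.0.5", "last_updated": "2018-07-02"},
    "com_github_nghttp2_nghttp2": {"cpe": "cpe:2.3:a:nghttp2:nghttp2:*",
                                   "version": "1.41.0", "last_updated": "2020-06-02"},
}
# Constructed CVE record (NVD JSON 1.1 field names; values are illustrative).
CVE_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-2019-19391"}},
    "publishedDate": "2019-11-29T18:15Z",
    "configurations": {"nodes": [{"cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:luajit:luajit:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "2.0.5"},
        {"cpe23Uri": "cpe:2.3:a:moonjit_project:moonjit:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "2.1.2"},
    ]}]},
}

# NVD range bounds and the comparison each imposes on a dependency version.
BOUNDS = {"versionStartIncluding": lambda v, b: v >= b, "versionStartExcluding": lambda v, b: v > b,
          "versionEndIncluding": lambda v, b: v <= b, "versionEndExcluding": lambda v, b: v < b}

def parse_version(v):
    """'2.0.5' -> (2, 0, 5); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cpe_key(cpe):
    """(part, vendor, product) of a CPE 2.3 string; the version field is ignored."""
    return tuple(cpe.split(":")[2:5])

def version_in_range(version, match):
    """True when the version satisfies every versionStart*/versionEnd* bound present."""
    v = parse_version(version)
    return all(ok(v, parse_version(match[k])) for k, ok in BOUNDS.items() if k in match)

def affected_dependencies(cve_item, deps):
    """Deps whose CPE vendor/product matches a cpe_match entry with version in range.
    This example's own heuristic: a dep updated after publishedDate counts as patched."""
    published = date.fromisoformat(cve_item["publishedDate"][:10])
    matches = [m for node in cve_item["configurations"]["nodes"] for m in node["cpe_match"]]
    return sorted(name for name, dep in deps.items()
                  if date.fromisoformat(dep["last_updated"]) <= published
                  and any(cpe_key(m["cpe23Uri"]) == cpe_key(dep["cpe"])
                          and version_in_range(dep["version"], m) for m in matches))
```

Wildcard-version CPEs in the dependency metadata mean the vendor/product match alone is broad, which is why the version bounds and the last_updated date are what keep the report from flagging every release of a matched product.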

@repokitteh-read-only

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt).

Caused by: #13552 was opened by htuch.

@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Oct 13, 2020
@htuch htuch requested a review from lizan October 13, 2020 23:13
@htuch htuch requested a review from moderation October 13, 2020 23:13
htuch added 2 commits October 13, 2020 20:26
Signed-off-by: Harvey Tuch <[email protected]>
Signed-off-by: Harvey Tuch <[email protected]>
@@ -412,6 +412,8 @@ elif [[ "$CI_TARGET" == "docs" ]]; then
# Validate dependency relationships between core/extensions and external deps.
tools/dependency/validate_test.py
tools/dependency/validate.py
# Validate the CVE scanner works. TODO(htuch): create a dedicated tools CI target.
python3.8 tools/dependency/cve_scan_test.py
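Review bot: the new `python3.8 tools/dependency/cve_scan_test.py` line pins an interpreter version while the neighbouring `tools/dependency/validate_test.py` and `tools/dependency/validate.py` calls run directly, and the hunk header shows this block sitting under the `docs` CI target branch. Since the TODO already says a dedicated tools target is the right home, the comment should at least record why 3.8 specifically is needed (the reply below cites newer datetime methods) so the pin is not silently dropped or loosened when the target moves.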
Contributor

Does this need the python3.8?

Member Author

Yeah, the datetime methods we use are more recent.

@moderation
Contributor

Looks great and will need the last_updated to release_date when ready.

@htuch
Member Author

htuch commented Oct 15, 2020

@lizan friendly ping on review.

@htuch htuch merged commit 7d50518 into envoyproxy:master Oct 15, 2020
@htuch htuch deleted the cve-cpe-scan branch October 15, 2020 23:22