From 83494cc4843e2a4854823b2dba312897f83ead43 Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Sat, 13 Apr 2024 19:54:28 -1000
Subject: [PATCH 1/4] Adds SECURITY.md and scanning workflow

This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). I won't merge this until I get at least 2 approves. After that, I'll help apply this to the other java repos.

Signed-off-by: Adrian Cole
---
 .github/workflows/security.yml | 52 ++++++++++++++++++++++++++++++++++
 RELEASE.md | 6 ++++
 SECURITY.md | 13 +++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 .github/workflows/security.yml
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..7f697f9c
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,52 @@
+---
+name: security
+
+# We don't scan documentation-only commits.
+on: # yamllint disable-line rule:truthy
+  push: # non-tagged pushes to master
+    branches:
+      - master
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+  pull_request: # pull requests targeted at the master branch.
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+
+jobs:
+  security:
+    name: Security
+    runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+    # skip commits made by the release plugin
+    if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        name: Cache Trivy Database
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy
+          restore-keys: ${{ runner.os }}-trivy
+      - name: Run Trivy vulnerability and secret scanner
+        uses: aquasecurity/trivy-action@master
+        id: trivy
+        with:
+          scan-type: 'fs'
+          scan-ref: '.' # scan the entire repository
+          scanners: vuln,secret
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          output: trivy-report.md
+          cache-dir: .trivy
+      - name: Set Summary
+        shell: bash
+        if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+        run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
diff --git a/RELEASE.md b/RELEASE.md
index 2cbf8974..4fcb24ea 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,6 +2,12 @@
 
 This repo uses semantic versions. Please keep this in mind when choosing version numbers.
 
+1. **Verify all dependencies are up-to-date**
+
+   Before you start a release, make sure all dependencies are up-to-date, or are documented why not.
+   Pay special attention to the [security workflow](.github/workflows/security.yml), which should
+   run clean.
+
 1. **Alert others you are releasing**
 
    There should be no commits made to master while the release is in progress (about 10 minutes). Before you start
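Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so whatever lands on that branch, including a compromised commit, runs inside this job with its token on every push to master and every pull request; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`, and apply the same treatment to `actions/checkout@v4` and `actions/cache@v4` if SHA pinning is adopted. The job also declares no `permissions:`, so it inherits the repository's default GITHUB_TOKEN scope although its steps only read the checkout and append to the step summary; adding `permissions:` with a single `contents: read` entry at the job level makes that least privilege explicit. In the cache step, `key` and `restore-keys` are the same constant string, and actions/cache never overwrites an existing key, so after the first save the cached Trivy database is restored but never refreshed; presumably Trivy re-downloads a stale database itself, but a key that includes the date would keep the cache doing useful work. The workflow's `if:` reads `github.event.head_commit.message`, which is empty on `pull_request` events, so the guard silently passes there; that is harmless today but worth a comment.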
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..bba9ddbd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# OpenZipkin Security Process
+
+This document outlines the process for handling security concerns in OpenZipkin projects.
+
+Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml)
+should be addressed as a normal pull request.
+
+OpenZipkin is a volunteer community and does not have a dedicated security team. There may be
+periods where no volunteer is able to address a security concern. There is no SLA or warranty
+offered by volunteers. If you are a security researcher, please consider this before escalating.
+
+For security concerns that are sensitive or otherwise outside the scope of public issues, please
+contact zipkin-admin@googlegroups.com.

From d9e542b893e6bee53e9784cf5d0f5ac947095f5b Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Sat, 13 Apr 2024 20:02:01 -1000
Subject: [PATCH 2/4] polish

Signed-off-by: Adrian Cole
---
 .github/workflows/lint.yml | 2 +-
 .github/workflows/security.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6004746f..fe58404d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -23,7 +23,7 @@ on: # yamllint disable-line rule:truthy
 
 jobs:
   lint:
-    name: Lint
+    name: lint
     runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7f697f9c..09d9c574 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -22,7 +22,7 @@ on: # yamllint disable-line rule:truthy
 
 jobs:
   security:
-    name: Security
+    name: security
     runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"

From d9f103cf7bbe55b30666cc37277ff49f6c81db4b Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Mon, 15 Apr 2024 06:21:33 -1000
Subject: [PATCH 3/4] note

Signed-off-by: Adrian Cole
---
 .github/workflows/security.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 09d9c574..977c22ed 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -49,4 +49,9 @@ jobs:
       - name: Set Summary
         shell: bash
         if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+        # Add the Trivy report to the summary
+        #
+        # Note: This will cause a workflow error if trivy-report.md > 1MiB.
+        # If this happened due to too many CVEs, consider fixing them ;)
+        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#step-isolation-and-limits
         run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY

From f5f9378bfcce49ba96e9ebd8bcb59ce9cdf7fc77 Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Mon, 15 Apr 2024 06:24:03 -1000
Subject: [PATCH 4/4] lint

Signed-off-by: Adrian Cole
---
 .github/workflows/security.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 977c22ed..a7847fc8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
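Review bot: The `run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY` line these new comments annotate appends Trivy's default table output to a file that GitHub renders as Markdown: the scanner step's `with:` block (in the first patch, outside this hunk) sets `output:` but no `format`, so the report's column and box-drawing layout will be collapsed into prose in the summary. Wrapping the report in a preformatted block keeps it legible and also quotes the path, e.g. `run: { echo '<pre><code>'; cat trivy-report.md; echo '</code></pre>'; } >> "$GITHUB_STEP_SUMMARY"`; the report is plain text, so it is unlikely to contain HTML that needs escaping, but confirm once on a failing run. The new comment could then record that alongside the size note, e.g. `# The report is plain-text table output, so it is wrapped in <pre> for the summary.` The enclosing `security` job starts outside this hunk.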
@@ -51,7 +51,6 @@ jobs:
         if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
         # Add the Trivy report to the summary
         #
-        # Note: This will cause a workflow error if trivy-report.md > 1MiB.
-        # If this happened due to too many CVEs, consider fixing them ;)
-        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#step-isolation-and-limits
+        # Note: This will cause a workflow error if trivy-report.md > the step
+        # limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
         run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY