New security advisory tools#254
Conversation
Rewrite advisory-triage/assign-advisories.sh as a pure Python script in tools/. The original was a bash wrapper around an embedded Python heredoc; this version uses argparse, proper functions, and matches the conventions of existing tools in the directory. Key improvements: - Pure Python with argparse (no bash wrapper) - Auto-detects checkout dir based on --repo name, not hardcoded - get_component_dir() uses the repo name from --repo for package prefix - Cleaner structure with testable functions Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fetch the repo's .github/CODEOWNERS file via the GitHub API instead of requiring a local checkout. This eliminates the --checkout flag and makes the tool work anywhere with just gh CLI auth. The CODEOWNERS file is auto-generated from metadata.yaml by the repos themselves, so it has the same ownership data we were reading manually. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Show whether anyone besides the reporter has engaged with each advisory. Uses fields available from the REST API: collaborating users/teams, credited users, CVE assignment, and whether the advisory has been updated since creation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
New script that fetches a security advisory by GHSA ID, scrubs reporter identity (username, @mentions, attribution lines like 'Reported by' / 'Assisted-by'), and creates a public issue with the technical description preserved. Intended for cases where the maintainer determines the report does not warrant a CVE and wants to publish it as a regular bug report. Usage: python3 tools/downgrade-advisory.py GHSA-xxxx-xxxx-xxxx # preview python3 tools/downgrade-advisory.py GHSA-xxxx-xxxx-xxxx --apply # create issue Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ls.md Move documentation from tools/ to docs/, cover both scripts briefly, and remove the lengthy triage workflow guide. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Maintainer as a role has been defined here https://github.com/open-telemetry/community/blob/main/guides/contributor/membership.md#maintainer. CODEOWNERS can have OpenTelemetry community members who are not necessarily approvers or maintainers. Also, there are repositories which use https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/main/.github.qkg1.topponent_owners.yml instead of CODEOWNERS file. Do we want to hold maintainers accountable (the maintainers can decide how they want to delegate and hold others accountable) or we want to hold a new set of folks accountable for security advisories?
|
mx-psi
left a comment
There was a problem hiding this comment.
Can we make sure when adding CODEOWNERS we add context in a comment as to what the security reporting process is, and, specially, that no public discussion of the issue should be had?
A couple more things that would be helpful (not necessary to do on this PR, I can move this to an issue):
- It would also be helpful (not necessary to do on this PR) to automate creating a private fork of the PR. Not all maintainers have the ability to do that today (I don't at least!)
- It would be helpful to have some sort of Slack notification on private channels with maintainers when a new security advisory is published. The Slack notification may not contain any private details but it can contain a link to the report (I think that should be safe).
|
I meant to create helpful tools, not to settle policy questions of the nature posed above. I think we want to leave the maintainers responsible for advisories, with TC oversight as we have it today. The tool is meant to help maintainers easily assign the codeowners after reviewing the issue(s). As stated above, we need to set expectations for reviewers more clearly, especially about the need for secrecy. Because of my TC rotation and being approver for collector-contrib, I took up the maintainer role this week and used the experience to develop these tools. I can say that one future-CVE leaked out as a result of my action, it confirms the need to be more careful when adding maintainers. I intend to use the I think we should add this sort of guidance to the |
|
As a followup, I will work to document our expectations around maintainers assigning/inviting code owners to address vulnerabilities in contrib repositories. The TC has discussed that with the amount of work this implies, maintainers need tools, just not the ones we have here. We discussed a potential automation to create a private slack channel for each advisory, for maintainers, with a button to invite the codeowners using an automatically created private fork in github, for example. First, we will need a Slack registry for maintainers. |
There was an uptick in security advisories, with a bunch arriving for the
opentelemetry-collector-contribrepo. Since that repo has a CODEOWNERS file, a tool was helpful to assign the individual owners who are not repository-level maintainers with access to the advisories. Secondly, for many of the new advisories, they are conditioned on allowing unauthorized access to a receiver port. Generally, these are not recommended configurations, and use of untrusted input with many components will lead to poor outcomes. I think the responsible thing to do in these cases is to downgrade the report to an issue, let the matter be resolved in the open and not file a CVE.