Skip to content

New security advisory tools#254

Closed
jmacd wants to merge 10 commits into
open-telemetry:mainfrom
jmacd:jmacd/advisory_tools
Closed

New security advisory tools#254
jmacd wants to merge 10 commits into
open-telemetry:mainfrom
jmacd:jmacd/advisory_tools

Conversation

@jmacd

@jmacd jmacd commented Apr 24, 2026

Copy link
Copy Markdown

There was an uptick in security advisories, with a bunch arriving for the opentelemetry-collector-contrib repo. Since that repo has a CODEOWNERS file, a tool was helpful to assign the individual owners who are not repository-level maintainers with access to the advisories. Secondly, for many of the new advisories, they are conditioned on allowing unauthorized access to a receiver port. Generally, these are not recommended configurations, and use of untrusted input with many components will lead to poor outcomes. I think the responsible thing to do in these cases is to downgrade the report to an issue, let the matter be resolved in the open and not file a CVE.

  1. Tool to assign CODOEWNERS from the repository
  2. Tool to downgrade a security advisory to an issue in the same repo, after scrubbing details about the reporter.

jmacd and others added 10 commits April 22, 2026 16:34
Rewrite advisory-triage/assign-advisories.sh as a pure Python script
in tools/. The original was a bash wrapper around an embedded Python
heredoc; this version uses argparse, proper functions, and matches
the conventions of existing tools in the directory.

Key improvements:
- Pure Python with argparse (no bash wrapper)
- Auto-detects checkout dir based on --repo name, not hardcoded
- get_component_dir() uses the repo name from --repo for package prefix
- Cleaner structure with testable functions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fetch the repo's .github/CODEOWNERS file via the GitHub API instead of
requiring a local checkout. This eliminates the --checkout flag and makes
the tool work anywhere with just gh CLI auth.

The CODEOWNERS file is auto-generated from metadata.yaml by the repos
themselves, so it has the same ownership data we were reading manually.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Show whether anyone besides the reporter has engaged with each
advisory. Uses fields available from the REST API: collaborating
users/teams, credited users, CVE assignment, and whether the
advisory has been updated since creation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
New script that fetches a security advisory by GHSA ID, scrubs
reporter identity (username, @mentions, attribution lines like
'Reported by' / 'Assisted-by'), and creates a public issue with
the technical description preserved.

Intended for cases where the maintainer determines the report does
not warrant a CVE and wants to publish it as a regular bug report.

Usage:
  python3 tools/downgrade-advisory.py GHSA-xxxx-xxxx-xxxx          # preview
  python3 tools/downgrade-advisory.py GHSA-xxxx-xxxx-xxxx --apply  # create issue

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ls.md

Move documentation from tools/ to docs/, cover both scripts briefly,
and remove the lengthy triage workflow guide.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jmacd
jmacd requested a review from a team as a code owner April 24, 2026 00:13
@reyang

reyang commented Apr 24, 2026

Copy link
Copy Markdown
Member

There was an uptick in security advisories, with a bunch arriving for the opentelemetry-collector-contrib repo. Since that repo has a CODEOWNERS file, a tool was helpful to assign the individual owners who are not repository-level maintainers with access to the advisories.

Maintainer as a role has been defined here https://github.com/open-telemetry/community/blob/main/guides/contributor/membership.md#maintainer. CODEOWNERS can have OpenTelemetry community members who are not necessarily approvers or maintainers. Also, there are repositories which use https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/main/.github.qkg1.topponent_owners.yml instead of CODEOWNERS file.

Do we want to hold maintainers accountable (the maintainers can decide how they want to delegate and hold others accountable) or we want to hold a new set of folks accountable for security advisories?
If the answer is the latter (we want to hold a new set of folks accountable for security advisories), there are two things we need to socialize and get alignment:

  1. Would the maintainers be okay with us putting folks accountable based on what CODEOWNERS file say? And what if they don't show accountability?
  2. Do we need to define the role in the community doc (in addition to the roles we already have here https://github.com/open-telemetry/community/blob/main/guides/contributor/membership.md)?

@mx-psi mx-psi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make sure when adding CODEOWNERS we add context in a comment as to what the security reporting process is, and, specially, that no public discussion of the issue should be had?

A couple more things that would be helpful (not necessary to do on this PR, I can move this to an issue):

  1. It would also be helpful (not necessary to do on this PR) to automate creating a private fork of the PR. Not all maintainers have the ability to do that today (I don't at least!)
  2. It would be helpful to have some sort of Slack notification on private channels with maintainers when a new security advisory is published. The Slack notification may not contain any private details but it can contain a link to the report (I think that should be safe).

@jmacd

jmacd commented Apr 24, 2026

Copy link
Copy Markdown
Author

I meant to create helpful tools, not to settle policy questions of the nature posed above. I think we want to leave the maintainers responsible for advisories, with TC oversight as we have it today. The tool is meant to help maintainers easily assign the codeowners after reviewing the issue(s). As stated above, we need to set expectations for reviewers more clearly, especially about the need for secrecy.

Because of my TC rotation and being approver for collector-contrib, I took up the maintainer role this week and used the experience to develop these tools. I can say that one future-CVE leaked out as a result of my action, it confirms the need to be more careful when adding maintainers. I intend to use the downgrade-advisory script here on about 5 current advisories that are still pending in that repository.

I think we should add this sort of guidance to the recommendations.md document, after #156 merges.

@jmacd

jmacd commented Apr 29, 2026

Copy link
Copy Markdown
Author

As a followup, I will work to document our expectations around maintainers assigning/inviting code owners to address vulnerabilities in contrib repositories. The TC has discussed that with the amount of work this implies, maintainers need tools, just not the ones we have here. We discussed a potential automation to create a private slack channel for each advisory, for maintainers, with a button to invite the codeowners using an automatically created private fork in github, for example. First, we will need a Slack registry for maintainers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants