Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable Snyk and White-source scanning on knative repos #3135

Open
steven0711dong opened this issue Mar 4, 2022 · 8 comments
Open

Enable Snyk and White-source scanning on knative repos #3135

steven0711dong opened this issue Mar 4, 2022 · 8 comments
Labels
kind/security Issues or PRs related to security or CVEs. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Issues which should be fixed (post-triage)

Comments

@steven0711dong
Copy link

Problem
We see some dependencies that are considered as vulnerable by both Snyk and White-source scanning. I found out about this because our organization does the scanning after we clone the repo. Keda does both snyk and white-source scanning so I would like to propose that we enabled these 2 scans on this repo as well so that any vulnerable libraries could be caught on PR and people no longer open git issues on vulnerable libraries and users that have dependency on this repo do not have to patch the vulnerable libraries themselves. Any new vulnerable libraries introduced by contributors should be caught immediately after PR creation and commits. Existing libraries that are considered to have vulnerabilities should be caught by nightly scan.

@krsna-m
Copy link
Contributor

krsna-m commented Mar 5, 2022

/kind security

@knative-prow-robot knative-prow-robot added the kind/security Issues or PRs related to security or CVEs. label Mar 5, 2022
@krsna-m krsna-m moved this to Needs Design in Infra (Productivity) Mar 5, 2022
@steven0711dong
Copy link
Author

steven0711dong commented Mar 9, 2022

White-source and Snyk scanning

Current status:

Currently there is no scanning tool in knative workspace that discovers vulnerable libraries. Cloned knative repos(downstream repos) in other organizations ends up having to deal with each individual vulnerability on their own. This creates two issues:

  1. By replacing the vulnerable libraries in, downstream repos end up with a knative project with different dependencies. And this is a less than optimal situation because the new dependencies were introduced after the continuous development process, which happens before PR merge in upstream repo.

  2. Some projects such as k8s.io/utils, knative/eventing are frequently referenced in other projects and the projects became inter-connected. So it is common to end up with a scenario that after replacing the direct dependent vulnerable libraries, the vulnerability still shows up in the scan because indirect dependency on the vulnerable library still exists, and we end up having to patch another repo.

Potential action items:

  • Obtain license and setup WhiteSource Bolt/Snyk scan tool on knative repos.
  • Update Security Policy

We should try our best effort to enable white-source and snyk scan generic enough to run on across all knative repos in our workspace. Since knative heavily depends on k8s repos, I'm also working to try convince k8s community to adopt white-source and snyk scan.

@krsna-m
Copy link
Contributor

krsna-m commented Mar 9, 2022

@carlisia is also working on security scanning. Would be nice to hear her thoughts as well.

@steven0711dong
Copy link
Author

@carlisia Hi, I'm working on enabling white-source scan and snyk scan on this repo, could you take a look at the proposal I wrote above and see whether you have anything to add?

@carlisia
Copy link
Member

carlisia commented Apr 1, 2022

Hey @steven0711dong, apologies for not responding earlier. Initially I am very much onboard with this. Some time ago I had installed a Snyk extension for my editor and it worked well. Maybe too well, I turned it off because there were too many warnings (forgot which project).

Thank you so much for bringing this up.

I haven't had a chance to look into the license issue. Do you know what is required for us to be able to run each on our CI systems, is there a cost?

Have you set these up before? I'm wondering how much time/effort this will be, and if it's a straight up config or if there could be some trial/error/tweak time to be accounted for.

I am thinking that probably would be wise to set aside resources (human time) to address the bulk of the warnings we currently will get in each of our repos. Does this thinking make sense? Maybe we can phase in an implementation where we slowly turn on separate categories of scanning to get this done in a sustainable pace. But I don't actually know if their scanning have settings for categories of vulnerabilities that could be turned off. I can look into this, unless you know already.

Lastly, we should aim to not make the contributor experience worse. In this case, we would avoid going in that direction if we could have the same check available for Knative developers to run locally, regardless of what IDE/editor they use. Ideally, a script (maybe the same that CI runs). This way they/we wouldn't be surprised with warnings only after running PR checks. Also something I haven't looked at, please let us know if you have ideas here.

Let us know about the questions above.

@kvmware:

  • if we go ahead with this I'd suggest we pick a repo to try it on first. I'd be glad to try it on one of the net-* repos unless you have another candidate. What do you think?
  • is this something we would want to add as a periodic job to testgrid, do you know?

@chizhg chizhg moved this from Needs Design to In Design/Discussion in Infra (Productivity) Apr 7, 2022
@upodroid upodroid added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Jun 7, 2022
@github-actions
Copy link

github-actions bot commented Sep 6, 2022

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 6, 2022
@github-actions github-actions bot closed this as completed Oct 7, 2022
@cardil
Copy link
Contributor

cardil commented Oct 7, 2022

/remove-lifecycle stale
/reopen
/triage accepted

@knative-prow knative-prow bot added the triage/accepted Issues which should be fixed (post-triage) label Oct 7, 2022
@knative-prow
Copy link

knative-prow bot commented Oct 7, 2022

@cardil: Reopened this issue.

In response to this:

/remove-lifecycle stale
/reopen
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot reopened this Oct 7, 2022
@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/security Issues or PRs related to security or CVEs. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Issues which should be fixed (post-triage)
Projects
None yet
Development

No branches or pull requests

6 participants