Cloud Custodian Joint Review markdown #786
Conversation
* Headers capitalized * Some grammar updates Various opinionated changes for readability and consistency.
attack paths
attack paths with source
adding some attack paths and diagram
Consistency and refinement for initial land
sunstonesecure-robert
requested review from
achetal01,
anvega,
ashutosh-narkar,
dshaw,
JustinCappos,
lumjjb,
pragashj,
TheFoxAtWork and
ultrasaurus
as code owners
| | Security Provider | Yes, however many users implement Cloud Custodian for non security purposes, i.e., cost optimization, governance | | ||
| | Languages | Python, YAML | | ||
| | Incubation PR | https://github.com/cncf/toc/pull/480 | | ||
| | SIG-Security Assessment Request | https://github.com/cncf/sig-security/issues/307 | |
There was a problem hiding this comment.
| | SIG-Security Assessment Request | https://github.com/cncf/sig-security/issues/307 | | |
| | TAG-Security Assessment Request | https://github.com/cncf/tag-security/issues/307 | |
TheFoxAtWork
changed the title
adding overview matrix
fix colors
add missing matrix
Markdown linter. Consolidating unordered list styles (i.e. `*` versus `-` to silence linter; trailing period style, etc.). Swapping out instances of "Custodian" and "c7n" with "Cloud Custodian" (where appropriate). Updating TOC via CLI TOC-generator tool.
Adding reviewers/participant section.
[CNCF-STAG-786] WIP Cloud Custodian Joint Review markdown
|
|
||
| ### Case Studies | ||
|
|
||
| TODO: 2-3 scenarios of real-world use cases. |
There was a problem hiding this comment.
This will be resolved before we merge this correct ?
There was a problem hiding this comment.
will ping Jorge and @kapilt
There was a problem hiding this comment.
@sunstonesecure-robert @castrojo This is still outstanding. Please add 2-3 real world use cases before we can merge in, otherwise everything is good to go.
|
I'm not sure how to get past the spelling check issue - these are expected words we want in the content? I have fixed the markdown formatting issues. |
|
@sunstonesecure-robert i've got an outstanding PR to correct some of the larger spelling items (add to the linter). i'm waiting on one of the leadership team to review/approve |
…g-security into pr/sunstonesecure-robert/786
|
|
||
| ### Case Studies | ||
|
|
||
| TODO: 2-3 scenarios of real-world use cases. |
There was a problem hiding this comment.
@sunstonesecure-robert @castrojo This is still outstanding. Please add 2-3 real world use cases before we can merge in, otherwise everything is good to go.
|
I've added the case studies for you to copy and paste @sunstonesecure-robert https://gist.github.com/castrojo/9c6058bc170cef075075b8f1f90b7515 |
verbatim from https://gist.githubusercontent.com/castrojo/9c6058bc170cef075075b8f1f90b7515/raw/9a261a45589770fe266396192a7b46d407ffd9f8/gistfile1.txt but with formatting changes for linter happiness
|
added @castrojo content with formatting fixups |
|
@ashutosh-narkar please review |
| security flaws. As a utility tool, the review team feels the primary threat to | ||
| the project is compromise of the code itself, and packaging and distribution of | ||
| the tool or its dependencies - rather than an attack on individual c7n |
There was a problem hiding this comment.
I'm curious what led to this conclusion since we haven't done a code review or tried out a sample deployment.
| ## Hands-on Review | ||
|
|
||
| Although some of the reviews have previously used c7n in AWS, both as cli and | ||
| in Lambda, Cloud Custodian did not receive a join hands-on review from |
| | | | | | | | | ||
| | | | | | | | | ||
| +----------------------+------------------+----------+--------------------------+---------------+--------------------------------+ | ||
| ``` |
There was a problem hiding this comment.
Do we need the HIGH vulnerabilities to be resolved or at least require the c7n team to open issues for them and link them here ?
There was a problem hiding this comment.
These are operating system library level considerations not per se the project's responsibility to fix, but the distribution vendor, ie a libc high issue is something i would expect the os vendor to triage and fix as needed. This is also specific to a distribution channel, and immaterial for those that install the project's software directly into their own OS / container base. For direct application dependency graphs concerns we already address those pro actively (dependabot alerts etc).
There was a problem hiding this comment.
these were from the Github action docker scan - if the project is releasing/maintaining a docker image I think the user expectation is they should be fixing high security risks in the image as good hygiene.
maybe best to just do source releases? or clearly document that the image is not secure?
There was a problem hiding this comment.
This feels like a misunderstanding of operating system docker images, and what severity levels correspond to a need to immediate triage. If we take any production docker image out there using an operating system, they all have these sorts of cve nits wrt to high severity scoring. Take anything from redis to postgresql, (trivy image redis:latest etc), that doesn't make them insecure or high risk (trivy output for both here https://gist.github.com/cbdd697ce7f8ad0a40896c0a081c1a7c). The most relevant cves are those deemed critical, but all of operating system cves are triaged and dealt with by the security team of the respective distros which in many cases are professional security teams focused on exactly this topic. Moreover unlike postgresql or redis, we're talking about software in custodian that doesn't have an open port, its literally a cli, not a daemon or service running in a container.
There was a problem hiding this comment.
My original comment was related to direct dependancies of c7n. @kapilt I think you mentioned you have a process to handle those iiuc.
There was a problem hiding this comment.
for custodian's dependency graph, we rely on dependabot alerts https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies against our poetry.lock files which contain the version/hash dependency pins for the project. that alert is a prompt for us to update our dependency graph. our dep graph update process is automated and documented https://cloudcustodian.io/docs/developer/packaging.html and done regularly independent of vulnerabilities as a prelude to our release process.
There was a problem hiding this comment.
also to be specific there are zero cves extant on our application dependency graph at the moment.
There was a problem hiding this comment.
Thanks for the clarification.
|
@sunstonesecure-robert can you please rebase and we can merge this. Thanks. |
try now |
Thanks. Can you please also squash your commits. |
|
It happened! |
* Create joint-review.md * Update joint-review.md * Update joint-review.md * Update joint-review.md * Update joint-review.md * Consistency and refinement for initial land * Headers capitalized * Some grammar updates Various opinionated changes for readability and consistency. * Add files via upload attack paths * Delete CloudCustodian DFD.drawio.png * Add files via upload attack paths with source * Update joint-review.md adding some attack paths and diagram * Add files via upload adding overview matrix * Add files via upload fix colors * Update joint-review.md add missing matrix * Squashing paragraphs to 80-column line-length to appeasease `mdl` Markdown linter. Consolidating unordered list styles (i.e. `*` versus `-` to silence linter; trailing period style, etc.). Swapping out instances of "Custodian" and "c7n" with "Cloud Custodian" (where appropriate). Updating TOC via CLI TOC-generator tool. * Updating TOC. Adding reviewers/participant section. * Update joint-review.md adding additional CNCF recommendation for linter and/or locked down policy * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * add reviewer table per template both those who contributed on the first round and the most recent cycles * typo correction fix grammar * fix typo misspelling * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * update reviewers table last but NOT least * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * capitalize consistently * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * Update assessments/projects/custodian/joint-review.md Co-authored-by: Emily Fox <[email protected]> * use consistent YAML the official docs use uppercase * What: non spelling linter corrections * Update joint-review.md fixing linter issues for markdown * What: ignore cSpell for GH handles * What: general spelling corrections * fixing my mistake * Update assessments/projects/custodian/joint-review.md * added case studies verbatim from https://gist.githubusercontent.com/castrojo/9c6058bc170cef075075b8f1f90b7515/raw/9a261a45589770fe266396192a7b46d407ffd9f8/gistfile1.txt but with formatting changes for linter happiness * What: add ignore for JPMC * What: fix lint * Update assessments/projects/custodian/joint-review.md Co-authored-by: Chase Pettet <[email protected]> Co-authored-by: Matthew Giassa <[email protected]> Co-authored-by: Emily Fox <[email protected]> Co-authored-by: Emily Fox <[email protected]>
needs review and final content