Date: Thu, 24 Mar 2016 18:21:25 -0400
From: Quentin Machu <quentin.machu@coreos.com>
To: alpine-devel@lists.alpinelinux.org
Message-ID: <etPan.56f46865.4aa9575.644@coreos.com>
In-Reply-To: <1458853405.9023.10.camel@c89m3s1>
References: <CANtECw8gn93aiQ4qGoGcM3TJ4C6vLAK45cp62_nmHEL1usfg7A@mail.gmail.com>
 <1458852606.9023.4.camel@c89m3s1> <1458853405.9023.10.camel@c89m3s1>
Subject: Re: [alpine-devel] Alpine security tracker
Precedence: list
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="56f46865_28489127_644"

--56f46865_28489127_644
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Thanks for your open and quick answers.

=46rom:=C2=A0Leonardo Arena=C2=A0<rnalrd=40gmail.com>

We already do that in our bug traker:=C2=A0https://bugs.alpinelinux.org/p=
rojects/alpine/issues=3Fset=5Ffilter=3D1&status=5Fid=3Dc&tracker=5Fid=3D1=
=C2=A0

That=E2=80=99s great=21 I regret that I wasn=E2=80=99t aware of this yet.=


=46rom:=C2=A0Andy Shinn=C2=A0<andys=40andyshinn.as>

I wonder if just an additional field or two in Redmine could help=C2=A0
satisfy requirements for Clair without adding too much additional=C2=A0
overhead. What if Redmine had an additional tracker called Security=C2=A0=

and a custom CVE field that container the CVE. Would this be too much=C2=A0=

additional work for users / maintainers entering data when it is=C2=A0
related to a CVE=3F=C2=A0

Redmine already provides a way to grab data from the tracker in CSV=C2=A0=

and XML form. If Clair could filter on a Security tracker to get the=C2=A0=

CVE and associated packages then this might be a simple addition to=C2=A0=

start work on the Clair side (assuming this is a valid way of=C2=A0
consuming the CVE data).=C2=A0


Definitely, parsing properly seems to be the obstacle here. Extracting da=
ta from human-written text is unfortunately impracticable. However, Clair=
 could undoubtedly parse Alpine=E2=80=99s Redmine if it would expose data=
 in a fixed format (i.e. static fields available in CSV/XML/YAML/JSON=E2=80=
=A6).

About a vulnerability, Clair usually ingests:
- Vulnerability name,
- Severity (e.g. Negligible, Low, Medium, High, Critical),
- Short description about the vulnerability,
- Link (e.g. link to Redmine),
- A list of affected package names, with their fixed version if applicabl=
e (otherwise, all versions are considered vulnerable).

Typically, the affected packages are also namespaced by the operating sys=
tem version. This is useful to keep track of back ports. A specific vulne=
rability affecting a package X could be fixed by 1.44+bp2 in an oldstable=
 distribution but fixed by 1.59 in the stable distribution. In that case,=
 we would have twice package X in the list, but with two different namesp=
aces and versions. I am not familiar with Alpine Linux to know if this ma=
kes sense here. If it doesn't (i.e. if we can usually upgrade any package=
 to the latest versions), then it doesn=E2=80=99t matter, a single namesp=
ace can be used.

Another small concern, that we encounter with Arch Linux support =5B1=5D,=
 is reliability: it is quite important to be able to determine which data=
 can be trusted. We must avoid consuming data filled by malicious users w=
ho would like to manipulate 3rd party applications (such as Clair). This =
can be mitigated with various solutions though.

=46rom:=C2=A0Leonardo Arena=C2=A0<rnalrd=40gmail.com>

we try do more the actual=C2=A0work, than the paperwork ;-)=C2=A0

I absolutely agree with you on that point.=C2=A0If making Alpine=E2=80=99=
s security data a bit more formatted, thus enabling automated systems to =
collect data in an useful way, represents=C2=A0a tiny/modest amount of wo=
rk, I believe=C2=A0that it would be an important step forward for everybo=
dy in terms of security.

What do you think=3F

=5B1=5D:=C2=A0https://github.com/coreos/clair/pull/60=23issuecomment-1696=
99188

Best Regards,
Quentin Machu

=46rom:=C2=A0Leonardo Arena <rnalrd=40gmail.com>
Reply:=C2=A0Leonardo Arena <rnalrd=40gmail.com>
Date:=C2=A0March 24, 2016 at 5:03:28 PM
To:=C2=A0Quentin Machu <quentin.machu=40coreos.com>
CC:=C2=A0alpine-devel=40lists.alpinelinux.org <alpine-devel=40lists.alpin=
elinux.org>
Subject:=C2=A0 Re: =5Balpine-devel=5D Alpine security tracker =20

Il giorno gio, 24/03/2016 alle 21.50 +0100, Leonardo Arena ha scritto: =20
> Il giorno gio, 24/03/2016 alle 16.34 -0400, Quentin Machu ha scritto: =20
> > Hi, =20
> > =20
> =20
> Hi, =20
> =20
> > =20
> > My name=E2=80=99s Quentin Machu and I am the primary maintainer of Cl=
air =5B1=5D, =20
> > an open source project for the static analysis of vulnerabilities in =
=20
> > containers, by CoreOS. The project, which aim at bringing security =20
> > awareness to everyone, recently went 1.0 =5B2=5D and is considerably =
well =20
> > received by the community. =20
> > =20
> > =20
> > As Alpine grows more and more popular, especially for containers to =20
> > which it becomes a really common base image, I believe that it would =
=20
> > be extremely valuable for Alpine to track vulnerabilities that may =20
> > affect its packages. =20
> =20
> We already do that in our bug traker: =20
> https://bugs.alpinelinux.org/projects/alpine/issues=3Fset=5Ffilter=3D1&=
status=5Fid=3Dc&tracker=5Fid=3D1 =20
> =20
> =20
> > Several Linux distributions, such as Debian =5B3=5D=5B4=5D, Ubuntu =5B=
5=5D=5B6=5D, =20
> > RHEL =5B7=5D=5B8=5D, Arch =5B9=5D, already do through advisories and =
parsable =20
> > databases. =20
> > =20
> =20
> We don't issue our own advisories if that's what you mean. That would =20
> require more man power which I think we prefer to spend on fixing the =20
> security issues. =20
> =20

Just as an example, apparently Debian stable and older are still =20
vulnerable to CVE-2016-3115 =5B1=5D. We didn't issue an advisory but Alpi=
ne =20
is no longer vulnerable =5B2=5D=5B3=5D, not even its older supported rele=
ase =20
=5B4=5D. =20

I'm not saying that's always the case, but we try do more the actual =20
work, than the paperwork ;-) =20

- leo =20

=5B1=5D https://security-tracker.debian.org/tracker/CVE-2016-3115 =20
=5B2=5D https://bugs.alpinelinux.org/issues/5286 =20
=5B3=5D https://bugs.alpinelinux.org/issues/5287 =20
=5B4=5D https://bugs.alpinelinux.org/issues/5288 =20

--56f46865_28489127_644
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html><head><style>body=7Bfont-family:Helvetica,Arial;font-size:13px=7D</=
style></head><body style=3D=22word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space;=22><div id=3D=22bloop=5Fcust=
omfont=22 style=3D=22font-family:Helvetica,Arial;font-size:13px; color: r=
gba(0,0,0,1.0); margin: 0px; line-height: auto;=22><div class=3D=22airmai=
l=5Fext=5Fon=22>Thanks for your open and quick answers.</div><div class=3D=
=22airmail=5Fext=5Fon=22><br></div><div class=3D=22airmail=5Fext=5Fon=22>=
=46rom:&nbsp;Leonardo Arena&nbsp;<a href=3D=22mailto:rnalrd=40gmail.com=22=
>&lt;rnalrd=40gmail.com&gt;</a><br></div><div class=3D=22airmail=5Fext=5F=
on=22><br></div><blockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22><s=
pan style=3D=22font-family: 'helvetica Neue', helvetica; font-size: 13.07=
6923370361328px;=22>We already do that in our bug traker:&nbsp;</span><a =
href=3D=22https://bugs.alpinelinux.org/projects/alpine/issues=3Fset=5Ffil=
ter=3D1&amp;status=5Fid=3Dc&amp;tracker=5Fid=3D1=22 style=3D=22font-size:=
 13.076923370361328px; font-family: 'helvetica Neue', helvetica;=22>https=
://bugs.alpinelinux.org/projects/alpine/issues=3Fset=5Ffilter=3D1&amp;sta=
tus=5Fid=3Dc&amp;tracker=5Fid=3D1</a><span style=3D=22font-size: 13.07692=
3370361328px; font-family: 'helvetica Neue', helvetica;=22>&nbsp;</span><=
/blockquote><div id=3D=22bloop=5Fcustomfont=22 style=3D=22margin: 0px;=22=
><br></div><div id=3D=22bloop=5Fcustomfont=22 style=3D=22margin: 0px;=22>=
That=E2=80=99s great=21 I regret that I wasn=E2=80=99t aware of this yet.=
</div><div id=3D=22bloop=5Fcustomfont=22 style=3D=22margin: 0px;=22><br><=
/div><div id=3D=22bloop=5Fcustomfont=22 style=3D=22margin: 0px;=22>=46rom=
:&nbsp;Andy Shinn&nbsp;<a href=3D=22mailto:andys=40andyshinn.as=22>&lt;an=
dys=40andyshinn.as&gt;</a></div><div class=3D=22airmail=5Fext=5Fon=22><br=
></div><blockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22><div></div>=
<div>I wonder if just an additional field or two in Redmine could help&nb=
sp;<br>satisfy requirements for Clair without adding too much additional&=
nbsp;<br>overhead. What if Redmine had an additional tracker called Secur=
ity&nbsp;<br>and a custom CVE field that container the CVE. Would this be=
 too much&nbsp;<br>additional work for users / maintainers entering data =
when it is&nbsp;<br>related to a CVE=3F&nbsp;<br><br>Redmine already prov=
ides a way to grab data from the tracker in CSV&nbsp;<br>and XML form. If=
 Clair could filter on a Security tracker to get the&nbsp;<br>CVE and ass=
ociated packages then this might be a simple addition to&nbsp;<br>start w=
ork on the Clair side (assuming this is a valid way of&nbsp;<br>consuming=
 the CVE data).&nbsp;<br><br></div></blockquote><div><br></div><div>Defin=
itely, parsing properly seems to be the obstacle here. Extracting data fr=
om human-written text is unfortunately impracticable. However, Clair coul=
d undoubtedly parse Alpine=E2=80=99s Redmine if it would expose data in a=
 fixed format (i.e. static fields available in CSV/XML/YAML/JSON=E2=80=A6=
).</div><div><br></div><div>About a vulnerability, Clair usually ingests:=
</div><div>- Vulnerability name,</div><div>- Severity (e.g. Negligible, L=
ow, Medium, High, Critical),</div><div>- Short description about the vuln=
erability,</div><div>- Link (e.g. link to Redmine),</div><div>- A list of=
 affected package names, with their fixed version if applicable (otherwis=
e, all versions are considered vulnerable).</div><div><br></div><div>Typi=
cally, the affected packages are also namespaced by the operating system =
version. This is useful to keep track of back ports. A specific vulnerabi=
lity affecting a package X could be fixed by 1.44+bp2 in an oldstable dis=
tribution but fixed by 1.59 in the stable distribution. In that case, we =
would have twice package X in the list, but with two different namespaces=
 and versions. I am not familiar with Alpine Linux to know if this makes =
sense here. If it doesn't (i.e. if we can usually upgrade any package to =
the latest versions), then it doesn=E2=80=99t matter, a single namespace =
can be used.</div><div><br></div><div>Another small concern, that we enco=
unter with Arch Linux support =5B1=5D, is reliability: it is quite import=
ant to be able to determine which data can be trusted. We must avoid cons=
uming data filled by malicious users who would like to manipulate 3rd par=
ty applications (such as Clair). This can be mitigated with various solut=
ions though.</div><div><div class=3D=22airmail=5Fext=5Fon=22><br></div><d=
iv class=3D=22airmail=5Fext=5Fon=22>=46rom:&nbsp;Leonardo Arena&nbsp;<a h=
ref=3D=22mailto:rnalrd=40gmail.com=22>&lt;rnalrd=40gmail.com&gt;</a><br><=
/div></div><div><br></div><div><div><blockquote type=3D=22cite=22 class=3D=
=22clean=5Fbq=22>we try do more the actual&nbsp;work, than the paperwork =
;-)&nbsp;</blockquote></div><div><br class=3D=22Apple-interchange-newline=
=22></div><div>I absolutely agree with you on that point.&nbsp;<span styl=
e=3D=22font-family: inherit; font-size: inherit; font-style: inherit; fon=
t-variant: inherit;=22>If making Alpine=E2=80=99s security data a bit mor=
e formatted, thus enabling automated systems to collect data in an useful=
 way, represents&nbsp;a tiny/modest amount of work, I believe</span><span=
 style=3D=22font-family: inherit; font-size: inherit; font-style: inherit=
; font-variant: inherit;=22>&nbsp;that it would be an important step forw=
ard for everybody in terms of security.</span></div><div><span style=3D=22=
font-family: inherit; font-size: inherit; font-style: inherit; font-varia=
nt: inherit;=22><br></span></div><div><span style=3D=22font-family: inher=
it; font-size: inherit; font-style: inherit; font-variant: inherit;=22>Wh=
at do you think=3F</span></div><div><br></div></div><div><div class=3D=22=
airmail=5Fext=5Fon=22>=5B1=5D:&nbsp;<a href=3D=22https://github.com/coreo=
s/clair/pull/60=23issuecomment-169699188=22>https://github.com/coreos/cla=
ir/pull/60=23issuecomment-169699188</a></div></div></div> <br> <div id=3D=
=22bloop=5Fsign=5F1458858003890132992=22 class=3D=22bloop=5Fsign=22><div =
style=3D=22font-family:helvetica,arial;font-size:13px=22>Best Regards,</d=
iv><div style=3D=22font-family:helvetica,arial;font-size:13px=22>Quentin =
Machu</div></div> <div class=3D=22airmail=5Fext=5Fon=22 style=3D=22color:=
black=22><br>=46rom:&nbsp;<span style=3D=22color:black=22>Leonardo Arena<=
/span> <a href=3D=22mailto:rnalrd=40gmail.com=22>&lt;rnalrd=40gmail.com&g=
t;</a><br>Reply:&nbsp;<span style=3D=22color:black=22>Leonardo Arena</spa=
n> <a href=3D=22mailto:rnalrd=40gmail.com=22>&lt;rnalrd=40gmail.com&gt;</=
a><br>Date:&nbsp;<span style=3D=22color:black=22>March 24, 2016 at 5:03:2=
8 PM</span><br>To:&nbsp;<span style=3D=22color:black=22>Quentin Machu</sp=
an> <a href=3D=22mailto:quentin.machu=40coreos.com=22>&lt;quentin.machu=40=
coreos.com&gt;</a><br>CC:&nbsp;<span style=3D=22color:black=22>alpine-dev=
el=40lists.alpinelinux.org</span> <a href=3D=22mailto:alpine-devel=40list=
s.alpinelinux.org=22>&lt;alpine-devel=40lists.alpinelinux.org&gt;</a><br>=
Subject:&nbsp;<span style=3D=22color:black=22> Re: =5Balpine-devel=5D Alp=
ine security tracker <br></span></div><br> <blockquote type=3D=22cite=22 =
class=3D=22clean=5Fbq=22><span><div><div></div><div>Il giorno gio, 24/03/=
2016 alle 21.50 +0100, Leonardo Arena ha scritto:
<br>&gt; Il giorno gio, 24/03/2016 alle 16.34 -0400, Quentin Machu ha scr=
itto:
<br>&gt; &gt; Hi,
<br>&gt; &gt; =20
<br>&gt; =20
<br>&gt; Hi,
<br>&gt; =20
<br>&gt; &gt; =20
<br>&gt; &gt; My name=E2=80=99s Quentin Machu and I am the primary mainta=
iner of Clair =5B1=5D,
<br>&gt; &gt;  an open source project for the static analysis of vulnerab=
ilities in
<br>&gt; &gt; containers, by CoreOS. The project, which aim at bringing s=
ecurity
<br>&gt; &gt; awareness to everyone, recently went 1.0 =5B2=5D and is con=
siderably well
<br>&gt; &gt; received by the community.
<br>&gt; &gt; =20
<br>&gt; &gt; =20
<br>&gt; &gt; As Alpine grows more and more popular, especially for conta=
iners to
<br>&gt; &gt; which it becomes a really common base image, I believe that=
 it would
<br>&gt; &gt; be extremely valuable for Alpine to track vulnerabilities t=
hat may
<br>&gt; &gt; affect its packages. =20
<br>&gt; =20
<br>&gt; We already do that in our bug traker:
<br>&gt; https://bugs.alpinelinux.org/projects/alpine/issues=3Fset=5Ffilt=
er=3D1&amp;status=5Fid=3Dc&amp;tracker=5Fid=3D1
<br>&gt; =20
<br>&gt; =20
<br>&gt; &gt; Several Linux distributions, such as Debian =5B3=5D=5B4=5D,=
 Ubuntu =5B5=5D=5B6=5D,
<br>&gt; &gt; RHEL =5B7=5D=5B8=5D, Arch =5B9=5D, already do through advis=
ories and parsable
<br>&gt; &gt; databases.
<br>&gt; &gt; =20
<br>&gt; =20
<br>&gt; We don't issue our own advisories if that's what you mean. That =
would
<br>&gt; require more man power which I think we prefer to spend on fixin=
g the
<br>&gt; security issues.
<br>&gt; =20
<br>
<br>Just as an example, apparently Debian stable and older are still
<br>vulnerable to CVE-2016-3115 =5B1=5D. We didn't issue an advisory but =
Alpine
<br>is no longer vulnerable =5B2=5D=5B3=5D, not even its older supported =
release
<br>=5B4=5D.
<br>
<br>I'm not saying that's always the case, but we try do more the actual
<br>work, than the paperwork ;-)
<br>
<br>- leo
<br>
<br>=5B1=5D https://security-tracker.debian.org/tracker/CVE-2016-3115
<br>=5B2=5D https://bugs.alpinelinux.org/issues/5286
<br>=5B3=5D https://bugs.alpinelinux.org/issues/5287
<br>=5B4=5D https://bugs.alpinelinux.org/issues/5288
<br><hr></div></div></span></blockquote></body></html>
--56f46865_28489127_644--



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---