The project does not have an objective means of evaluating the security of 3rd party components as they are being introduced to the EdgeX Foundry code base. A recent pull request introduced a 3rd party component, GoKey, to be used in password generation. No formal assessment was done of the library before deciding to include it as part of a security-critical flow.
This proposal is presented as an approach to present options to the EdgeX Foundry Security Working Group. This work is submitted for consideration of multiple options with a phased approach as outlined in Issue #1947 - crawl, walk, jog, run with the goal of implementing the best possible option for Hanoi scope of work - November 2020 release timeframe.
Someone researches the open source component that is desired, sometimes after the code has already been integrated into the EdgeX Project, without completion of any formal review.
The current high-level statistics are used in the manual research process (e.g. paper study) are:
Age: Age of the Open Source Project
Commits: Count - Total Commits
Issues: Count - Open Issues / Closed Issues
Releases: Count - Releases
Stars: Count - Stars
Forks: Count - Forks
Watchers: Count - Watchers
CVEs: Count - CVEs (query NVD database)
Other Criteria: Subjective Assessment of Reviewer
This request proposes the development of an objective process for assessing the security risk of 3rd party components. Such a process could take into consideration item such as the project's age, popularity / maturity, evidence of security practices, recent commit history, diversity of committers, established CVE practices, or other observable evidence.
Ideal process would include consideration of:
- Data acquisition via automation
- Disposition based on policy
- Consideration of BKMs from other OSS projects
- Assessment of overall maturity / health / ongoing current development by the OSS community
- Assessment of known CVEs for code and dependencies
Crawl:
Proposal: Paper study (manual) as completed previously. Submission of the paper study to a working group for review within the working group via Pull Request
Applicability: Applies to both consideration within review before moving out of holding repo as well as main org
Time / Frequency: As needed or requested by EdgeX WG chairs
Walk:
Proposal: Automation of paper study to include all required data points - scope includes automating the generation of the report (ad-hoc) + use of Community Bridge Advanced Snyk reporting AS-IS
Applicability: Applies to both consideration within review before moving out of holding repo as well as main org
Time / Frequency: As needed (ad-hoc) or as requested by EdgeX WG chairs
Jog:
Proposal: Combination of the automated paper study + use of Community Bridge Advanced Snyk reporting (assumes issues fixed) as a stretch goal
Applicability: Applies to both consideration within review before moving out of holding repo as well as main org
Time / Frequency: As needed (ad-hoc) or as requested by EdgeX WG chairs
Run:
Proposal: Combination of automated paper study + use of Community Bridge Advanced Snyk reporting + Sonatype - Nexus IQ (See Note)
-
Requires explore with LF to see what may exist already
-
Requires explore of landing a dedicated solution of Dependency Track on Linux Foundation infrastructure
Note: Linux Foundation offers Sonatype - Nexus IQ to the community. In this approach, the usefulness of the Community Bridge - Advanced Snyk reports is
Applicability: Applies to ongoing scans of main org.
Time / Frequency: Assumes integration and full automation via Jenkins
Continue the manual research process ad-hoc with review within the working group.
- Assumes manual process is good enough
- Requires periodic reassessment with no set schedule
Scan GitHub repos as defined by a list of projects with queries defined to pull last 5 years of data. Would require definition of the required metrics.
Current script pulls data on 20 data points
- Existence of a README beyond a one-liner (evidence of project maturity) + Link
- Tags (Count) + Link
- Releases (Count) + Link
- Pull Requests (Count) + Link
- Commits (Count) + Link
- Open Issues (Count) + Link
- Closed Issues (Count) + Link
- Open Security Issues (Count) + Link
- Closed Security Issues (Count) + Link
- Project Org / Project Name
Example: Automated Paper Study
Note: Does not currently include all of the data points which were included in the manual paper study (missing stars, forks, watchers,known vulnerabilities as per NVD)
Community bridge - Advanced Snyk Reporting is already set up with access to Security Working Group (EdgeX SIR Team)
- Includes all of the dependencies included in the project as defined by go.mod file
- Includes License
- Data extract does not include License
- Dependency Tree view displays nested dependencies and license
- Doesn't always show details
- Unknown licenses identified for several components
Community Bridge Team working on enhancements to the UI with plans to provide a separate tab to navigate license dependency for different repositories.
FOSSology is a open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools available to help with your compliance activities.
- Very manual process required for recording of decisions of review
- Requires a version of FOSSology to be running accessible / long lived with persistent storage of project database
- Someone would perform the analysis and disposition of every license within the project
- Requires deep knowledge of compliance related to licensing, copyright law, ECC etc..
Check for all of the following:
- All licenses are checked?
- All copyrights are checked?
- ECC information is checked ?
- Main license is selected?
- Reviewed files for irrelevant sections?
Heavy Lift
Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.
Findings: Installed locally via Docker image and noted several issues where it did not work as expected. Decided to continue explore with Linux Foundation.
Heavy lift as this would require dedicated infrastructure and coordination with the Linux Foundation.
The Linux Foundation offers Nexus IQ to the community - Free.
Support for Go, Java, PHP, JavaScript and other languages.
Would require project to adopt use of go.sum files which were previously not allowed because of the problems we encountered in the JJB Freestyle Jenkins jobs. Per Trevor..."We found the Go team sometimes changed the manner in which hashes within the go.sum were calculated between patch versions. The hashes are used to identify a specific version of a dependency. This caused a problem whereby if a dev had a later patch version of Go on their box than what was in the build pipeline, our build env wouldn't know how to resolve the dependency versions on a verify job."
- Supports Policy Evaluation using Nexus Platform Plugin
- Supports use within Build Automation Sonatype - CI Build Automation Output
- Documentation looks good with Pipeline syntax examples Connecting Jenkins to Nexus IQ
- Support for Slack integration via webhooks
- Supports container scanning / Docker image scans like Clair / Snyk
- Report does include License Analysis
Note: Need to check if Linux Foundation has the license to support integration via plugin.
Per the explore with Linux Foundation, most of the projects are already registered in Nexus IQ since it's part of the Java jobs in global-jjb. Only a subset (3) of the projects are actively utilizing Nexus IQ.
Recommendation:
- Continue explore (deep dive) and assess ease of integration with Nexus IQ offering.
- Requires consideration of extra burden on developers to maintain both go.sum and go.mod files within each repo.
- Additional investigation required to understand full service offering by the Linux Foundation
- Assumes integration via Jenkins Plugin is included in the service offering
For Hanoi scope of work, Jog should be possible to complete by November timeframe. As a stretch goal, proposal is to continue explore of achieving integration with Nexus IQ if community agrees and Linux Foundation offering is deemed stable following deeper dive, and the community agrees to the additional heavy lift that would be required to suport use of go.sum + go.mod within each repo.
For individual developers or organizations just getting started with open source governance, Sonatype also offers a suite of free tools including:
Nexus Vulnerability Scanner - scans Go apps and creates a software bill of materials.
Nexus Repository Manager OSS - proxy and manage Go binaries.
DepShield - uses OSS Index to check for vulnerabilities in your Go dependencies at the commit level within GitHub. This could be an option for vetting Go, Java, JavasScript and others Sonatype DepShield is a GitHub App used by developers to identify and remediate vulnerabilities in their open source dependencies. DepShield will monitor your project's dependencies for publicly disclosed security vulnerabilities and alert you natively in GitHub when they are discovered. Security vulnerability data is powered by Sonatype OSS Index, a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities.
There's a GitHub bot that can be used for dependency management that gives insight at the repo level and automatically opens up Issues when a new publically disclosed security vulnerability is found. Sonatype DepShield on GitHub Marketplace
Adding a DepShield badge to a repo would allow for the visualization of findings of components with a count of known vulnerabilities. In terms of the use cases which require spot check that include the consideration of some of the metrics considered in the paper study, this might be a means to identify where the project needs to spend some time to address findings identified as either high / medium. As a step to look at this closer, I forked the device-camera-go repo and added a DepShield badge. The results are immediately observed after adding the badge. A deeper dive with a scan would be required to know what component may need to be addressed.
Note: This results displayed in the DepShield badge, is without any integration to any additional tooling.
OSS Index - free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities. There is a REST API exposed for requesting component vulnerability reports. The REST API specification is available via Swagger interface for more details.
Nancy - uses OSS Index to identify vulnerabilities in Go dependencies. Nancy is available in GitHub, but does not have access to commits. Nancy runs on a private project or local machine. Reference: Nancy Scan Example of device-camera-go
Goalie - scans binaries against OSS Index data to identify component-level vulnerabilities.
Dependabot Preview Dependabot aggregates everyone's test results into a compatibility score, so you can be certain a dependency update is backwards compatible and bug-free.
Dependabot monitors security advisories for Ruby, JavaScript, PHP, Java, .NET, Python, Elixir and Rust. The bot will automatically create PRs immediately in response to new advisories.
Note: Dependabot is in preview and does not include security advisories for all languages (missing support for Go). It was also noted during the Architect's discussion on 05/18/2020, that the review of dependencies is orthogonal to the decisions that needed for this scope.