
Setup cargo audit (or similar) to report dependency CVEs and validate license #3

Open
howardjohn opened this issue Oct 19, 2022 · 9 comments
Comments

@howardjohn
Member

No description provided.

@thesurlydev
Contributor

I'm happy to add this once there's CI. Is the plan to use GitHub Actions or something else?

@howardjohn
Member Author

We use Prow. The job config is in https://github.com/istio/test-infra/blob/master/prow/config/jobs/ztunnel.yaml; it's already running on the repo. So quick presubmits can be added to make presubmit; if we want to add more jobs in parallel they can be added to that YAML.

For CVEs we probably don't want to block PRs, so we can make that a nightly job. License checking could be a presubmit (assuming it's fast?).

@stevenctl
Contributor

We can use cargo audit (or similar) to automatically notify us of CVEs in our dependencies.

The process of handling reports and eventually patching will be shared with the rest of Istio.

Rust/library specific CVEs will be included in Istio’s security bulletins.
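The two comments above describe the shape of the job: `cargo audit` runs against the lock file, and the result is reported (nightly) rather than used to block PRs. Below is an added example of the small gating step that would sit behind that job; it is not ztunnel's own code and not part of the PR referenced later in this thread. It consumes the output of `cargo audit --json`, assuming that output has a top-level `vulnerabilities` object with a `list` of entries (each carrying `advisory`, `package` and `versions.patched`) and a `warnings` object keyed by warning kind; the sample report embedded in the script is constructed for the example, and the `RUSTSEC-0000-*` ids in it are placeholders, not real advisories. The accept list and the two modes (`nightly` reports only, `gate` fails the job) are this example's own convention, not a cargo audit feature.

```python
"""Triage `cargo audit --json` output for a CI job (added example, not ztunnel code).

Assumed input shape (cargo audit --json): {"vulnerabilities": {"found": bool, "count": n,
"list": [{"advisory": {"id", "package", "title"}, "package": {"name", "version"},
"versions": {"patched": [...], "unaffected": [...]}}]}, "warnings": {"<kind>": [...]}}.
"""
import json
import sys

# Constructed sample report; RUSTSEC-0000-* ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0001", "package": "example-crate",
                             "title": "placeholder advisory with a fix"},
                "package": {"name": "example-crate", "version": "0.1.0"},
                "versions": {"patched": [">=0.1.1"], "unaffected": []},
            },
            {
                "advisory": {"id": "RUSTSEC-0000-0002", "package": "other-crate",
                             "title": "placeholder advisory, no fix yet"},
                "package": {"name": "other-crate", "version": "2.0.0"},
                "versions": {"patched": [], "unaffected": []},
            },
        ],
    },
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "package": {"name": "stale-crate", "version": "1.0.0"},
             "advisory": {"id": "RUSTSEC-0000-0003", "package": "stale-crate"}}
        ]
    },
})


def triage(report_text, accepted_ids=frozenset()):
    """Split the report into blocking findings, accepted (triaged) findings and warnings.

    accepted_ids is this example's own accept list: advisory ids a human has reviewed
    and decided to carry for now. Everything else in `vulnerabilities.list` blocks.
    """
    data = json.loads(report_text)
    blocking, accepted = [], []
    for entry in data.get("vulnerabilities", {}).get("list", []):
        adv, pkg = entry["advisory"], entry["package"]
        patched = entry.get("versions", {}).get("patched", [])
        finding = {
            "id": adv["id"],
            "crate": f'{pkg["name"]} {pkg["version"]}',
            "title": adv.get("title", ""),
            # Surface "no fix" explicitly: these need a workaround, not just a bump.
            "fix": ", ".join(patched) if patched else "no fixed version published",
        }
        (accepted if adv["id"] in accepted_ids else blocking).append(finding)

    warnings = []
    for kind, entries in data.get("warnings", {}).items():
        for entry in entries:
            pkg = entry.get("package", {})
            warnings.append({
                "kind": kind,
                "id": entry.get("advisory", {}).get("id"),
                "crate": f'{pkg.get("name")} {pkg.get("version")}',
            })
    return {"blocking": blocking, "accepted": accepted, "warnings": warnings}


def exit_code(result, mode):
    """nightly: always 0 (report only); gate: 1 if any unaccepted vulnerability remains."""
    if mode == "nightly":
        return 0
    if mode == "gate":
        return 1 if result["blocking"] else 0
    raise ValueError(f"unknown mode {mode!r}")


def render(result):
    """Human-readable lines for the CI log."""
    lines = []
    for f in result["blocking"]:
        lines.append(f'VULN  {f["id"]} {f["crate"]}: {f["title"]} (fix: {f["fix"]})')
    for f in result["accepted"]:
        lines.append(f'ACCEPTED {f["id"]} {f["crate"]} (fix: {f["fix"]})')
    for w in result["warnings"]:
        lines.append(f'WARN  {w["kind"]} {w["id"]} {w["crate"]}')
    return lines


if __name__ == "__main__":
    # Usage: cargo audit --json | python audit_triage.py <nightly|gate> [ACCEPTED_ID ...]
    mode = sys.argv[1] if len(sys.argv) > 1 else "nightly"
    accepted = frozenset(sys.argv[2:])
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    res = triage(report, accepted)
    print("\n".join(render(res)) or "no advisories")
    sys.exit(exit_code(res, mode))
```

One practical caveat when wiring this into a pipeline: `cargo audit` itself exits non-zero when it finds vulnerabilities, so under `set -o pipefail` the nightly job would fail before this script gets to decide; capture the JSON to a file first (or append `|| true` to the `cargo audit` invocation) and let the triage step own the exit status.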

@howardjohn howardjohn self-assigned this Nov 29, 2022
@howardjohn howardjohn moved this to Doing in ztunnel tracking Dec 1, 2022
@keithmattix keithmattix assigned keithmattix and unassigned howardjohn Dec 1, 2022
@keithmattix
Contributor

@hypernovasunnix is taking care of this, but I can't assign her since she's not a member of the Istio org yet

@stevenctl
Contributor

OOO - paused

@stevenctl
Contributor

@keithmattix any update? And we should add @hypernovasunnix via istio/community after she submits 1 pr

@stevenctl
Contributor

PR incoming, no longer paused.

@SkyfireFrancisZ

PR out for review

@howardjohn
Member Author

Logic is merged; getting it into Prow is in istio/tools#2330.

howardjohn added a commit to howardjohn/ztunnel that referenced this issue Apr 4, 2024
For istio#3.

This has some TODOs, just getting current state green so we can chip
away.
istio-testing pushed a commit that referenced this issue Apr 8, 2024
For #3.

This has some TODOs, just getting current state green so we can chip
away.
@howardjohn howardjohn removed the status in ztunnel tracking Jul 18, 2024