Page MenuHomePhabricator
Create Task
Maniphest T74193

Have a check for reported security issues in dependencies
Closed, ResolvedPublic
Actions

Description

As we start including 3rd party libraries into WMF code, we should have a way to regularly check that our deployed version includes any security fixes.

My initial thought is to have Jenkins use https://security.sensiolabs.org/api to check any composer.lock files that are included in our patches. Their database is open for anyone to contribute to and in the public domain: https://github.com/FriendsOfPHP/security-advisories

A simple job that runs the following will work:

curl -i -H "Accept: text/plain" https://security.sensiolabs.org/check_lock -F lock=@composer.lock -o sensiolabs.check
cat sensiolabs.check && grep -F "X-Alerts: 0" sensiolabs.check

The job should run on patchset proposal, and once a day. Upon status change, an email notification should be sent to security@.

Details

Reference
bz72193
SubjectRepoBranchLines +/-
Add '{name}-composer-security' template and use it for mediawiki/vendorintegration/configmaster+24 -0
Add experimental mediawiki-vendor-composer jobintegration/configmaster+7 -0
Use sensiolabs/security-checker to check for any reported security issuesmediawiki/vendormaster+9 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:46 AM
bzimport added a project: Deployments.
bzimport set Reference to bz72193.
csteipp created this task.Oct 17 2014, 6:33 PM
hashar added a comment.Oct 17 2014, 7:29 PM

I like the principle :-D

The database of CVE is at: https://github.com/sensiolabs/security-advisories which provides a small utility to validate the YAML based format. It is lacking a contributing license though.

I am not a huge fan of depending on a third party API and the above repository is missing the code to validate a composer.lock against the database. But that should be trivial to reimplement.

We would probably want to have a daily run against all repositories maintained branches and produce a report.

So a summary a possible .plan would be:

  • fill an issue to have the repository content under a free license
  • implement an utility that reads a composer.lock and match it against the security repo
  • figure out a database of repos / branch we want to run the utility against
  • Jenkins can daily run it on all repositories as well as on patch proposal (via the existing composer-validate job).
bd808 added a comment.Oct 26 2014, 10:24 PM

The database has a new home and license: https://github.com/FriendsOfPHP/security-advisories/blob/master/LICENSE

csteipp added a comment.Oct 29 2014, 9:24 PM

As a simple PoC, I setup

https://integration.wikimedia.org/ci/job/test-csteipp-sensiolabs-securityadvisorieschecker/

Which checks against https://security.sensiolabs.org/api. Now that the database is freely licensed, we can setup our own system to check against. But I'd like to see how stable their api is before taking on building that.

Eventually, I'd like a check like this to run each time the composer.lock file in mediawiki/vendor (or any repo with a composer.lock, but let's start with our vendor repo) is updated. I'm guessing that would be a zuul managed check?

greg moved this task from To Triage to Backlog (Tech) on the Deployments board.Nov 25 2014, 10:55 PM
bd808 raised the priority of this task from Medium to High.Dec 24 2014, 6:08 PM
bd808 added a project: Librarization.
bd808 set Security to None.
bd808 moved this task from Untriaged to In Dev on the Librarization board.Dec 31 2014, 12:07 AM
bd808 added a project: MediaWiki-Core-Team.Dec 31 2014, 12:10 AM
bd808 moved this task from Backlog to In Dev/Progress on the MediaWiki-Core-Team board.
csteipp added a comment.Jan 15 2015, 5:43 PM

After https://github.com/FriendsOfPHP/security-advisories/pull/44 was merged, I reran the jenkins build and was notified about the update. Yay!

It looks like SensioLabs updated there DB within 5 minutes of the merge, so timing should be pretty quick on their end. I'd call the test a success.

Should I have Jenkins email security@ instead of just me?

greg added a comment.Jan 15 2015, 5:47 PM
In T74193#979878, @csteipp wrote:

Should I have Jenkins email security@ instead of just me?

+1 to redundancy

hashar added a comment.Jan 15 2015, 9:14 PM

Can we get the job defined with Jenkins Job Builder in integration/config.git. Multiple people should be able to help doing the conversion.

As I understand it, the security advisories are in the https://github.com/FriendsOfPHP/security-advisories repository. The Jenkins Git Plugin can be made to poll the repo and trigger a build whenever it find a change. That will nicely automatize the notifications (as I understand it the job is run manually once in a while).

JJB definition for the git plugin is http://ci.openstack.org/jenkins-job-builder/scm.html#scm.git

csteipp added a comment.Jan 17 2015, 12:11 AM
In T74193#980413, @hashar wrote:

Can we get the job defined with Jenkins Job Builder in integration/config.git. Multiple people should be able to help doing the conversion.

Is there documentation on how I can do that? Otherwise I'll ambush you while you're in town for a crash course :)

Krinkle subscribed.Jan 17 2015, 12:38 AM

Instead of adding the logic to a Jenkins job (whether via Jenkins web interface or via integration/config.git), I'd recommend adding this test to an individual project.

That way developers can also easily run it locally, and it moves maintenance much lighter by not requiring a change to Jenkins jobs when we change this test.

E.g. Add it to mediawiki/vendor.git as a bash script file and run it from a composer.json:/scripts.security property (or even embed it in that property directly) and run that from a Jenkins job.

csteipp removed a parent task: T85535: Upgrade monolog to 1.12.0.Jan 17 2015, 12:59 AM
csteipp moved this task from In Dev/Progress to Backlog on the MediaWiki-Core-Team board.Feb 4 2015, 8:13 PM
Krenair added a project: acl*security.Feb 4 2015, 8:27 PM
gerritbot subscribed.Feb 23 2015, 4:19 AM

Change 192264 had a related patch set uploaded (by Legoktm):
Use sensiolabs/security-checker to check for any reported security issues

https://gerrit.wikimedia.org/r/192264

Patch-For-Review

gerritbot added a comment.Feb 23 2015, 4:32 AM

Change 192265 had a related patch set uploaded (by Legoktm):
Add experimental mediawiki-vendor-composer job

https://gerrit.wikimedia.org/r/192265

Patch-For-Review

Aklapper added a project: Patch-For-Review.Feb 23 2015, 5:18 PM
Aklapper subscribed.
gerritbot added a comment.Feb 24 2015, 12:10 AM

Change 192264 abandoned by Legoktm:
Use sensiolabs/security-checker to check for any reported security issues

Reason:
Figured out an easier way to do this.

https://gerrit.wikimedia.org/r/192264

gerritbot added a comment.Feb 24 2015, 12:15 AM

Change 192265 abandoned by Legoktm:
Add experimental mediawiki-vendor-composer job

https://gerrit.wikimedia.org/r/192265

gerritbot added a comment.Feb 24 2015, 4:19 PM

Change 192564 had a related patch set uploaded (by Legoktm):
Add '{name}-composer-security' template and use it for mediawiki/vendor

https://gerrit.wikimedia.org/r/192564

Patch-For-Review

Legoktm updated the task description. (Show Details)Feb 24 2015, 4:33 PM
gerritbot added a comment.Feb 25 2015, 8:34 PM

Change 192564 merged by jenkins-bot:
Add '{name}-composer-security' template and use it for mediawiki/vendor

https://gerrit.wikimedia.org/r/192564

Legoktm mentioned this in rCICF20fa0947cb18: Add '{name}-composer-security' template and use it for mediawiki/vendor.Feb 25 2015, 8:34 PM
Legoktm subscribed.Feb 25 2015, 8:45 PM

Deployed it as an experimental job for now:

Legoktm closed this task as Resolved.Feb 27 2015, 6:44 AM

https://gerrit.wikimedia.org/r/193057

If there are any other repos committing a composer.lock file, a similar check can easily be set up for them as well.

bd808 moved this task from Backlog to Done on the MediaWiki-Core-Team board.Feb 27 2015, 7:33 PM
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board.Mar 3 2015, 5:00 PM
bd808 moved this task from In Dev to Done on the Librarization board.Mar 9 2015, 10:23 PM
greg moved this task from Backlog (Tech) to Done on the Deployments board.Mar 11 2015, 8:48 PM
Daimona mentioned this in T234623: releng/composer still using PHP 7.0.33.Oct 4 2019, 1:35 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL