Skip to content

otp scan PRs for vulnerabilities #9790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

otp scan PRs for vulnerabilities #9790

wants to merge 2 commits into from

Conversation

kikofernandez
Copy link
Contributor

  • scan PRs for vendor vulnerabilities.
  • the submission of the vendor SBOM should happen only on push events.
  • vulnerability scanning of dependencies must happen on a per PR basis, and on a per push basis (although Dependatbot should inform us of this).

GH should fix actions/dependency-review-action#923 for us to get alerts about dependencies.

@kikofernandez kikofernandez self-assigned this May 2, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 2, 2025
edited
Loading

CT Test Results

    6 files    205 suites   2h 4m 21s ⏱️
2 120 tests 2 049 ✅ 71 💤 0 ❌
2 889 runs  2 794 ✅ 95 💤 0 ❌

Results for commit e69d4c5.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@kikofernandez kikofernandez added the team:VM Assigned to OTP team VM label May 2, 2025
@garazdawi
Copy link
Contributor

From what I can tell only our github actions dependencies are scanned by this right now, is that correct? Will it in the future be able to use the information in the sbom created in the job you are adding this step to? or is this check only for github actions?

@kikofernandez
Copy link
Contributor Author

kikofernandez commented May 5, 2025
edited
Loading

I think you are right @garazdawi
I have updated the PR to scan for vulnerabilities using OSV.

Summary

  • CC++ works better in OSV providing a sha, and they do range analysis.
  • Our vendor libraries should provide a versionInfo, and in the case of CC++ vendor libraries, we should provide the sha as well. If there is no sha, then we cannot do vulnerability scanning for this CC++ vendor library.
  • If a vendor library belongs to an ecosystem, we write its ecosystem in the vendorInfo.
    OSV works better for standard ecosystems, such as npm, maven, hex, etc.

I have tested that it works by manually hand-picking previous commit that fixed a known vulnerability reported to on github repos.

Information sent

{
  "queries": [
    {
      "commit": "1a8db63788c34a50e39e273d39b7e1033208aea2",
      "package": { "name": "github.com/madler/zlib" }
    },
    {
      "commit": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
      "package": { "name": "github.com/asmjit/asmjit" }
    },
    {
      "commit": "f8745da6ff1ad1e7bab384bd1f9d742439278e99",
      "package": { "name": "github.com/facebook/zstd" }
    },
    {
      "commit": "442029c6fa37f1b6f9203357de09672d5704077c",
      "package": { "name": "github.com/microsoft/STL" }
    },
    {
      "commit": "1264a946ba66eab320e927bfd2362e0c8580c42f",
      "package": { "name": "github.com/ulfjack/ryu" }
    },
    {
      "commit": "cdfb0923a66155ce97640fca68ae57b3a2972029",
      "package": { "name": "github.com/openssl/openssl" }
    },
    {
      "commit": "1e09555d6950bfcf83bd98fa597b0c6440d43c9c",
      "package": { "name": "github.com/PCRE2Project/pcre2" }
    },
    {
      "commit": "636dfadc70ce26f2473870570bfd9ec352806b1d",
      "package": { "name": "github.com/openssl/openssl" }
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tablesorter"
      },
      "version": "2.32"
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery"
      },
      "version": "3.7.1"
    },
    {
      "commit": "fd0f60daea24e9c62d372d774be9e32ce2b0849d",
      "package": { "name": "github.com/wxWidgets/wxWidgets" }
    }
  ]
}

Result

[OSV] There are existing vulnerabilities:
- github.com/madler/zlib: CVE-2023-45853
- github.com/openssl/openssl: CVE-2024-12797
- github.com/PCRE2Project/pcre2: OSV-2024-1237
- github.com/wxWidgets/wxWidgets: CVE-2024-58249

@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from 86a4478 to c10c255 Compare May 5, 2025 19:59
@kikofernandez
Copy link
Contributor Author

The vendor vulnerability scanning now fails because I changed the vendor.json sha to refer to existing CVEs, and this PR detects them (https://github.com/erlang/otp/actions/runs/14845728041/job/41679578778?pr=9790 for otp, and this for my fork https://github.com/kikofernandez/otp/actions/runs/14845971887/job/41680388662)

@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch 6 times, most recently from 1d4dcb8 to 4f13738 Compare May 6, 2025 10:33
@kikofernandez
otp scan PRs for vulnerabilities
f74a0f5 
- scan PRs for vendor vulnerabilities.
- the submission of the vendor SBOM should happen only on push events.
- vulnerability scanning of dependencies must happen on a per PR basis,
  and on a per push basis (although Dependatbot should inform us of this).
@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from 4f13738 to f74a0f5 Compare May 7, 2025 06:35
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DDupriest DDupriest DDupriest approved these changes

@garazdawi garazdawi Awaiting requested review from garazdawi

@rickard-green rickard-green Awaiting requested review from rickard-green

At least 1 approving review is required to merge this pull request.

Assignees

@kikofernandez kikofernandez

Labels
team:VM Assigned to OTP team VM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission
3 participants
@kikofernandez @garazdawi @DDupriest