Skip to content

otp scan PRs for vulnerabilities #9790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: maint
Choose a base branch
from
Open

otp scan PRs for vulnerabilities #9790

wants to merge 8 commits into from

Conversation

kikofernandez
Copy link
Contributor

  • scan PRs for vendor vulnerabilities.
  • the submission of the vendor SBOM should happen only on push events.
  • vulnerability scanning of dependencies must happen on a per PR basis, and on a per push basis (although Dependatbot should inform us of this).

GH should fix actions/dependency-review-action#923 for us to get alerts about dependencies.

@kikofernandez kikofernandez self-assigned this May 2, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 2, 2025
edited
Loading

CT Test Results

    6 files    205 suites   2h 4m 50s ⏱️
2 122 tests 2 051 ✅ 71 💤 0 ❌
2 891 runs  2 796 ✅ 95 💤 0 ❌

Results for commit 9c412cb.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@kikofernandez kikofernandez added the team:VM Assigned to OTP team VM label May 2, 2025
@garazdawi
Copy link
Contributor

From what I can tell only our github actions dependencies are scanned by this right now, is that correct? Will it in the future be able to use the information in the sbom created in the job you are adding this step to? or is this check only for github actions?

@kikofernandez
Copy link
Contributor Author

kikofernandez commented May 5, 2025
edited
Loading

I think you are right @garazdawi
I have updated the PR to scan for vulnerabilities using OSV.

Summary

  • CC++ works better in OSV providing a sha, and they do range analysis.
  • Our vendor libraries should provide a versionInfo, and in the case of CC++ vendor libraries, we should provide the sha as well. If there is no sha, then we cannot do vulnerability scanning for this CC++ vendor library.
  • If a vendor library belongs to an ecosystem, we write its ecosystem in the vendorInfo.
    OSV works better for standard ecosystems, such as npm, maven, hex, etc.

I have tested that it works by manually hand-picking previous commit that fixed a known vulnerability reported to on github repos.

Information sent

{
  "queries": [
    {
      "commit": "1a8db63788c34a50e39e273d39b7e1033208aea2",
      "package": { "name": "github.com/madler/zlib" }
    },
    {
      "commit": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
      "package": { "name": "github.com/asmjit/asmjit" }
    },
    {
      "commit": "f8745da6ff1ad1e7bab384bd1f9d742439278e99",
      "package": { "name": "github.com/facebook/zstd" }
    },
    {
      "commit": "442029c6fa37f1b6f9203357de09672d5704077c",
      "package": { "name": "github.com/microsoft/STL" }
    },
    {
      "commit": "1264a946ba66eab320e927bfd2362e0c8580c42f",
      "package": { "name": "github.com/ulfjack/ryu" }
    },
    {
      "commit": "cdfb0923a66155ce97640fca68ae57b3a2972029",
      "package": { "name": "github.com/openssl/openssl" }
    },
    {
      "commit": "1e09555d6950bfcf83bd98fa597b0c6440d43c9c",
      "package": { "name": "github.com/PCRE2Project/pcre2" }
    },
    {
      "commit": "636dfadc70ce26f2473870570bfd9ec352806b1d",
      "package": { "name": "github.com/openssl/openssl" }
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tablesorter"
      },
      "version": "2.32"
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery"
      },
      "version": "3.7.1"
    },
    {
      "commit": "fd0f60daea24e9c62d372d774be9e32ce2b0849d",
      "package": { "name": "github.com/wxWidgets/wxWidgets" }
    }
  ]
}

Result

[OSV] There are existing vulnerabilities:
- github.com/madler/zlib: CVE-2023-45853
- github.com/openssl/openssl: CVE-2024-12797
- github.com/PCRE2Project/pcre2: OSV-2024-1237
- github.com/wxWidgets/wxWidgets: CVE-2024-58249

@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from 86a4478 to c10c255 Compare May 5, 2025 19:59
@kikofernandez
Copy link
Contributor Author

The vendor vulnerability scanning now fails because I changed the vendor.json sha to refer to existing CVEs, and this PR detects them (https://github.com/erlang/otp/actions/runs/14845728041/job/41679578778?pr=9790 for otp, and this for my fork https://github.com/kikofernandez/otp/actions/runs/14845971887/job/41680388662)

@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch 7 times, most recently from 4f13738 to f74a0f5 Compare May 7, 2025 06:35
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from e69d4c5 to b2ce706 Compare May 20, 2025 12:07
@kikofernandez
otp scan PRs for vulnerabilities
ea6dfb2 
- perform vulnerability analysis on a pull requests basis and on a
  scheduled basis.

- adds the option `osv-scan` to `otp-compliance.es` to submit requests
  to OSV API.

- adds hard-coded VEX filter to ignore CVEs for which OTP is not
  vulnerable, using the last three releases that we maintain.

- creation of reusable Github workflow to allow direct
  calls (workflow_call) and gh triggering events (workflow_dispatch).
@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from ed2b82b to ea6dfb2 Compare May 22, 2025 12:07
@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from b50cb4e to 007ae7f Compare May 23, 2025 13:04
@kikofernandez kikofernandez force-pushed the add-vendor-vulnerability-analysis branch from 007ae7f to 982b107 Compare May 23, 2025 13:06
@kikofernandez
Copy link
Contributor Author

kikofernandez commented May 23, 2025
edited
Loading

I have updated the scripts and this is the end result, using OSV for vulnerability scanning.

  1. Perform vulnerability scanning per PR. If a CVE is found the PR fails that test
  2. Perform vulnerability scanning as per scheduled and fan out per branch. If a CVE is found, create a SARIF file and upload to GH, such that GH Security contains those under Code Scanning on a per last three release basis. (we avoid duplicates via fingerprinting, and postpone the OpenVex integration for now)

@kikofernandez kikofernandez changed the base branch from master to maint May 23, 2025 14:18
garazdawi
garazdawi reviewed May 26, 2025
View reviewed changes
@kikofernandez
add more documentation, fix vendor commit
3aafd8e
@kikofernandez
test that downloadLocation is consistent
6fefba6 
tests that the downloadLocation of vendor dependencies is compatible
with vulnerability scanning of OSV. OSV scanner can detect and track
vulnerabilities in the Github ecosystem, and we enforce that all vendor
dependencies are part of Github or we manually add an exemption for
those that are outside of GH. Vendor dependencies do not change often,
so this manual exemption process prevents that we break OSV scanner from
looking into the wrong repo, which would mean missing possible vulnerabilities.
@kikofernandez
skip false positives to reduce initial noise
b33ed98
@garazdawi garazdawi self-requested a review May 26, 2025 13:49
garazdawi
garazdawi previously approved these changes May 26, 2025
View reviewed changes
@kikofernandez
add ignore of already open alerts
9c412cb 
download gh alerts for otp-compliance to download those existing issues
and ignore them when the PR is scan for vulnerability issues. those
issues should still be sent to GH because otherwise GH considers them
fixed. in the Alerts section from GH, we can mark them as fixed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DDupriest DDupriest DDupriest approved these changes

@garazdawi garazdawi garazdawi left review comments

@rickard-green rickard-green Awaiting requested review from rickard-green

At least 1 approving review is required to merge this pull request.

Assignees

@kikofernandez kikofernandez

Labels
team:VM Assigned to OTP team VM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission
3 participants
@kikofernandez @garazdawi @DDupriest