|
| 1 | +# Handling CVEs in the project |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +CVE, short for Common Vulnerabilities and Exposures, is a list of publicly |
| 6 | +disclosed computer security flaws. When someone refers to a CVE, they mean a |
| 7 | +security flaw that's been assigned a CVE ID number. |
| 8 | + |
| 9 | +## CVEs filed on dependencies |
| 10 | + |
| 11 | +### Checking if a CVE applies to Ramen |
| 12 | + |
| 13 | +**Note**: Ramen has two go modules, one for the main project and another for |
| 14 | +the api. You need to perform the check below for both the modules. |
| 15 | + |
| 16 | +When a CVE is filed on a direct or an indirect dependency of Ramen, you will |
| 17 | +first have to check if it applies to a particular branch. Some of the CVE |
| 18 | +analysis tools make use of the go.sum file to make this determination and there |
| 19 | +might be false positives in those methods. |
| 20 | + |
| 21 | +To check whether a package is really used in Ramen or not you can use the |
| 22 | +following command. |
| 23 | + |
| 24 | +``` |
| 25 | +go mod why -m <module path> |
| 26 | +``` |
| 27 | + |
| 28 | +This command shows only the shortest path to the module and there could be more |
| 29 | +usage of it elsewhere. |
| 30 | + |
| 31 | +Here is an example of the command for three different scenarios |
| 32 | + |
| 33 | +1. When the module is used by Ramen directly. The output shows that the |
| 34 | + controllers package makes use of the time module and specifically the rate |
| 35 | + package in it. |
| 36 | + |
| 37 | + ``` |
| 38 | + $ go mod why -m golang.org/x/time |
| 39 | + # golang.org/x/time |
| 40 | + github.com/ramendr/ramen/controllers |
| 41 | + golang.org/x/time/rate |
| 42 | + ``` |
| 43 | +
|
| 44 | +1. When the module is an indirect dependency |
| 45 | +
|
| 46 | + ``` |
| 47 | + $ go mod why -m github.com/go-logr/zapr |
| 48 | + # github.com/go-logr/zapr |
| 49 | + github.com/ramendr/ramen |
| 50 | + sigs.k8s.io/controller-runtime/pkg/log/zap |
| 51 | + github.com/go-logr/zapr |
| 52 | + ``` |
| 53 | +
|
| 54 | +1. When a module isn't used by Ramen directly or indirectly. If a module isn't |
| 55 | + used by Ramen then you can ignore the CVE. |
| 56 | +
|
| 57 | + ``` |
| 58 | + $ go mod why -m github.com/open-telemetry/opentelemetry-go-contrib |
| 59 | + # github.com/open-telemetry/opentelemetry-go-contrib |
| 60 | + (main module does not need module github.com/open-telemetry/opentelemetry-go-contrib) |
| 61 | + ``` |
| 62 | +
|
| 63 | +## Fixing the CVEs by updating the packages |
| 64 | +
|
| 65 | +1. When a module is a direct dependency, then using `go get` to update the |
| 66 | + version of the module to the one that fixes the CVE is sufficient. |
| 67 | +
|
| 68 | +1. When a module is an indirect dependency, you will have to determine if the |
| 69 | + module which brings in the transitive dependency has a fix for the CVE. If |
| 70 | + it does, you can update the version of the module to the one that fixes the |
| 71 | + CVE using `go get`. If it doesn't, you will have to wait for the module to |
| 72 | + update the version of the transitive dependency or you can use a replace |
| 73 | + directive in the go.mod file to update the version of the transitive |
| 74 | + dependency. |
0 commit comments