cncf / toc

⚖️ The CNCF Technical Oversight Committee (TOC) is the technical governing body of the CNCF Foundation.
https://cncf.io

CVE Filing for OSS Projects Shut down (DWF) #213

Closed philips closed 5 years ago

philips commented 5 years ago

A requirement of graduation to CNCF is following the CII Criteria. And one of the requirements is having CVE numbers in release notes.

Unfortunately, two weeks ago the DWF system designed for OSS projects to generate CVE numbers shut down. https://twitter.com/kurtseifried/status/1103858442479910913

This leaves CNCF projects in an awkward position. And I see four options:

  1. CNCF becomes a CVE Numbering Authority (I have started a CNCF service desk request for this, Chris A has some thoughts)

  2. Revise CII in the face of no practical CVE system for OSS projects to not have that requirement.

  3. Update the CNCF Graduation criteria to not require projects to create CVEs and rely exclusively on researcher issued CVEs

  4. Create a new CVE alternative that is fully distributed without a central authority.

Thank You,

Brandon

caniszczyk commented 5 years ago

I'm open to exploring CNCF becoming a CNA in the future; in the short term, projects can generate CVEs via this form https://cveform.mitre.org (Envoy just did it for some issues).

I'll write a document for projects on how to generate CVEs and their own security disclosure process and put that somewhere that's easy to reference.

mattklein123 commented 5 years ago

@htuch can comment, but he recently used MITRE and it seemed pretty straightforward to me, I'm not sure that we need any additional solution?

htuch commented 5 years ago

We were advised by k8s folks that becoming a CNA is the way to go medium term. It's apparently not that hard to go through the training process and on-board as a CNA. Once you are a CNA, you have a reserved block of N CVEs each year that you can allocate to projects via your own processes. This makes private disclosure handling even easier. If CNCF do this and make the CNA scope all CNCF projects, that would be a useful common security infrastructure service IMHO.

For the short term, the MITRE form works well and we had successful allocations via this process with < 1 day latency.

lizrice commented 5 years ago

+1 on CNCF becoming a CNA. I agree that in the shortish term going straight to MITRE should be fine.

I wouldn't want to see a relaxation of the requirements on projects.


david-a-wheeler commented 5 years ago

The DWF shutdown is just a minor change in process. To submit a CVE, you now use the MITRE CVE submission form. Specifically, "Open Source software product vulnerabilities not already covered by a CNA listed on (that) page" are covered by cveform.mitre.org. So there's no absolute need for the CNCF or Linux Foundation to become a CVE Numbering Authority. CVEs can continue to be submitted about any open source software project.

That said, I think it's a good idea for the CNCF (or maybe the Linux Foundation as a whole) to become a CVE Numbering Authority. It would speed up CVE processing and possibly speed response as well. I've not done it myself, but IIRC it requires a few people to go through a little training.

mattfarina commented 5 years ago

If the CNCF were to become a CNA, would it be more appropriate for TLF to become a CNA? Then it could handle CVEs for all Linux Foundation projects that need a CVE?

leecalcote commented 5 years ago

@david-a-wheeler the LF overall becoming a CNA makes sense to me.

caniszczyk commented 5 years ago

@mattfarina I plan on having discussions with other LF sub foundations/initiatives to see if we can do something across the board; it will take a bit of time to coordinate everyone. The MITRE CVE form is actually better than the previous DWF situation imho, faster response time.

RichiH commented 5 years ago

Having used the MITRE form in the past, it's quite easy and straightforward to work with. I am not fully convinced LF taking up non-essential services which are already handled outside in a reliable manner is the best use of resources.

The CVE requirement should not be dropped, and creating a new system without substantial traction will invoke https://xkcd.com/927/

philips commented 5 years ago

Just so we know what we are dealing with: issuing a CVE via MITRE took 24 hours. I filed on Friday at 8am and got a CVE ID on Saturday at 8am.


udinachmany commented 5 years ago

@caniszczyk on the heels of our work with the LF on the Community Bridge launch, Snyk would be happy to help out (if we can) until CNCF is a CNA. Our HQ is one floor above Weave if Alexis is involved, we're also at CF Summit and other events coming up, otherwise zoom FTW.

philips commented 5 years ago

Second data point. I notified MITRE on Friday to publish CNI CVE-2019-9946 and they got around to it on Tuesday. https://nvd.nist.gov/vuln/detail/CVE-2019-9946

philips commented 5 years ago

What is the call on the CVE situation? Can the TOC please discuss and triage this?

monadic commented 5 years ago

thanks @philips

@lizrice please can we get this onto TOC agenda at some point?

lizrice commented 5 years ago

I've added to the agenda for May 7th. @philips would you like to take the lead on presenting this?

caniszczyk commented 5 years ago

added info on how to currently request a CVE for projects here: https://github.com/cncf/servicedesk/blob/master/README.md#how-do-i-file-a-security-cve-as-a-project

philips commented 5 years ago

Sorry Liz. GitHub notifications are really easy to miss. If you need me to follow up on this at the next meeting, please let me know via an email.


lizrice commented 5 years ago

My bad, it was a bit short notice! It is now in the working doc for a future session

caniszczyk commented 5 years ago

FYI GitHub has a new feature that solves a lot of issues: https://help.github.com/en/articles/about-maintainer-security-advisories https://help.github.com/en/articles/creating-a-maintainer-security-advisory

You still have the problem of requesting a CVE ID, but GitHub is working on this so this may be a solved problem in the future.

RichiH commented 5 years ago

@caniszczyk that sounds like the best option, provided they solve the CVE assignment in the medium term as well.

philips commented 5 years ago

@RichiH Why does that sound like the best option? Is there any indication that GitHub will become a CNA?

caniszczyk commented 5 years ago

GitHub is offering this built-in now and should be ready by GitHub Universe https://twitter.com/github/status/1174371016497405953