search

ewilderj / doap

RDF schema for describing software projects
https://github.com/ewilderj/doap/wiki
Apache License 2.0
271 stars 57 forks source link

Security fields #60

Closed iamamoose closed 3 months ago

iamamoose commented 6 years ago

The Apache Software Foundation has hundreds of separate projects and many are described using DOAP, with various automation using that data. The security team was looking for ways to generate pages showing the security contact for each of the projects and how to get hold of their security updates. While the DOAP files would be the perfect place to hold this data, there isn't suitable fields we can use for this.

Meanwhile other projects, such as securitytxt.org, are trying to build up security-only metadata for projects (and websites) and have spent time looking at what fields are most useful. But it seems to me like DOAP would be a more natural place to describe this. I sent out a ping to Kjetil who recommended opening an issue here to discuss a proposal (and had some useful comments I've incorporated!)

One way of doing this:

Add a security contact

An address that anyone can use to report security issues they found in the described project. Most likely this will be an email address but it's possible it could be any URI

doap:security-contact mailto:security@httpd.apache.org

(securitytxt also has fields for the key that can be used for encrypted communication but I think that gets complex really fast (for example some Apache projects require multiple keys with all used, other projects are any used) and I believe these cases would be better handled by pointing to a security policy)

Add a security policy

A link to the projects security policy which describes how they deal with issues.

doap:security-policy https://www.apache.org/security/

(securitytxt also has a link for acknowledgements but I believe this is better handled by the projects security policy). Ideally you'd also have a link to a page listing the vulnerabilities themselves, but this might be better handled by the security-policy page too.

or

As an alternative perhaps could this be handled by a doap:security-forum in a similar way to the existing support-forum. I'm not familiar enough with SIOC to see if that would be sufficient to describe all these fields correctly.

kjetilk commented 6 years ago

Dear Mark,

Thank you for reaching out and posting the issue! I think this is a good fit for DOAP, but we need to come up with a concrete design.

I think we should do the two simplest use cases first. Indeed, linking a human-readable security policy seems very straightforward. I think the proposal to add the property doap:security-policy is obviously a good thing.

Then, I also think we should have a very simple way to show the security contact. I'm in a bit of doubt if it would be best (for the consumer, mostly) to have a property that says that a mailbox is expected. Like FOAF has foaf:mbox. So, would be the simplest thing be to have e.g. doap:security-mbox, or like you suggest to have doap:security-contact, and that can be any URI? Perhaps we should both, where the first is for the simplest possible case, where the security contact is just a mailbox, and the latter is used when you want to say something more about it, like attach a key. We could envision something like this (in Turtle syntax):

my:project doap:security-contact <http://example.org/security-team#us> .
<http://example.org/security-team#us> a foaf:Group ;
  foaf:mbox <mailto:security@example.org> ;
  foaf:name "Example Security Team" ;
  wot:hasKey [
    a wot:PubKey ;
    wot:pubkeyAddress <http://example.org/our-key.asc> ;
    wot:hex_id "DEADBEEF" 
  ] .

Potentially, you could attach a key to an mbox, like this:

my:project doap:security-mbox <mailto:security@example.org> .
<mailto:security@example.org> wot:hasKey [
    a wot:PubKey ;
    wot:pubkeyAddress <http://example.org/our-key.asc> ;
    wot:hex_id "DEADBEEF" 
  ] .

You usually attach the key to the person or group controlling it, not their mailbox, so I don't really like the latter design, but it is a possibility. It makes sense to have a simple mbox property for the simplest cases though. Therefore, I'm inclined to say that we should have both.

And yes, I also figured it may be nice to have a link to SIOC, e.g. doap:security-forum, as SIOC is suited to describe stuff like a mailing list, forums, lists of posts, etc. It could potentially be used for everything from a discussion list on security flaws to security advisories.

BTW, another way to write the doap:security-contact example is to use blank nodes, it can also be written as:

my:project doap:security-contact [
  a foaf:Group ;
  foaf:mbox <mailto:security@example.org> ;
  foaf:name "Example Security Team" ;
  wot:hasKey [
    a wot:PubKey ;
    wot:pubkeyAddress <http://example.org/our-key.asc> ;
    wot:hex_id "DEADBEEF" 
  ]
] .
kjetilk commented 6 years ago

I have made a feature branch with doap:security-policy and doap:security-contact as they seemed like really low-hanging fruit. They fit very well with what we already have, policy is like a (home)page and contact in this is very much like the properties developer, maintainer, and so on, except that they are persons, whereas the contact is an agent.

I'll add the other properties I talked about too, so that we have something concrete to discuss.

kjetilk commented 6 years ago

OK, like that :-)

So, arguably, within the current vocabulary doap:security-mbox is the odd one out. Without it, the simplest thing you could possibly do to add a contact address is 

my:project doap:security-contact [ foaf:mbox <mailto:security@example.org> ] .

I.e., you need two triples, with a URI or blank node between them. With doap:security-mbox, the simplest case of just having a contact address would be

my:project doap:security-mbox <mailto:security@example.org> .

but for the slightly more advanced case, where you want to say something more about the contact, you shouldn't use this property. IOW, this would be wrong:

my:project doap:security-contact [ doap:security-mbox <mailto:security@example.org> ] .

but you should probably use both forms, i.e. if you have a security contact, you should probably do

my:project doap:security-mbox <mailto:security@example.org> ;
  doap:security-contact [ foaf:mbox <mailto:security@example.org> ] .

So, there seems to be a trade-off between making the simplest case really simple, and making the slightly more advanced case more understandable.

With this, I'm inclined to drop the doap:security-mbox property, and have people use the pattern

my:project doap:security-contact [ foaf:mbox <mailto:security@example.org> ] .

I'd like to hear the opinion of the user's side, so what do you think, @iamamoose ?

iamamoose commented 6 years ago

Hi! Nice work, and so quick :) It's a little tricky to determine the best approach as really everything could be collapsed into security-forum including the policy and reporting address.

While most projects have an email address for reporting security issues, and therefore this ought to be the easy default, I can think of cases where they may not and instead have a contact page that suggests an alternative (for example "file an issue in this bug tracker marking it private"). But that page would also be the policy, so you could say that a project without a security-mbox then the security-policy should be referred to on how to report issues (and how they'll be dealt with).

So that would lead me to prefer having security-mbox, security-policy (and possibly security-forum) in order to keep it simple. Otherwise with security-contact we'd be causing the majority of descriptions to pull in foaf?

kjetilk commented 6 years ago

On Friday, 16 February 2018 14:57:45 CET Mark J. Cox wrote:

Hi! Nice work, and so quick :)

Thanks! :-)

It's a little tricky to determine the best approach as really everything could be collapsed into security-forum including the policy and reporting address.

Yes, it could! Also, I'm always mindful of the tension between what makes sense in my head, and in the heads of users. Those are often somewhat tricky to understand :-)

While most projects have an email address for reporting security issues, and therefore this ought to be the easy default, I can think of cases where they may not and instead have a contact page that suggests an alternative (for example "file an issue in this bug tracker marking it private"). But that page would also be the policy, so you could say that a project without a security-mbox then the security-policy should be referred to on how to report issues (and how they'll be dealt with).

Right. One thing is that we might want to make sure that reporting can be automated. Not that I can think of concrete examples, but I guess there could be a situation where a certain class of vulnerability or practice makes many projects vulnerable and the reporter want to send a message to all of the projects with little effort. A simple human-readable policy would not satisfy that.

I think that the mechanism we choose should be powerful enough to enable the vast majority to formulate an automated reporting solution, yet simple enough to make sure that people will actually use it...

So that would lead me to prefer having security-mbox, security-policy (and possibly security-forum) in order to keep it simple. Otherwise with security-contact we'd be causing the majority of descriptions to pull in foaf?

Yeah. So, from my perspective, that's no big deal, but I understand that I don't always understand my users. :-)

We already pull in foaf; maintainer, developer, document, translator, tester, helper and vendor all have to formulated in terms of FOAF, and it would be quite similar.

Using foaf there would give us the benefit of being able to attach an encryption key to the contact address.

It could also bring benefits when trying to formulate automation of reporting, or at least make it less painful. Since we already have bug- database, we could do stuff like:

my:project doap:bug-database <https://github.com/example/project/issues> ;
  doap:security-contact [
    rdfs:comment "Please report issues to github and label security" 
] .

Or conceivably some hypermedia formulation of how to interact with the bug system. That's actually the stuff I'm working on right now. It would be a nice use case for it, but somewhat in the future. :-)

Still, I think we need to link a human-readable security policy, that's also probably the safest thing to do.

I just came to think of, for security advisories, the new Activity Streams are probably a better match than SIOC: https://www.w3.org/TR/activitypub/

Kjetil

kjetilk commented 6 years ago

Uh, seems like email didn't get the formatting, so here's the example:

my:project doap:bug-database <https://github.com/example/project/issues> ; 
   doap:security-contact [ rdfs:comment "Please report issues to github and label security" ] .
iamamoose commented 6 years ago

Looks like none of the ASF DOAP files pull in foaf at all, but I don't think it would affect any of the current parsing that would make it an issue.

So we're at "security-contact" using foaf for email/gpg or text/uri; drop "security-mbox", and "security-policy".

I don't think for my use case I'd end up using security-forum as this varies so much by project and I can't see a way it could be useful to automate (i.e. it's not going to be a machine readable list of vulnerabilities, and if that's what you want then a feed from the Mitre CVE db may be more appropriate).

kjetilk commented 6 years ago

Yeah, I think we can postpone security-forum until we understand the use cases more clearly and what role Activity Streams can possibly play in there.

Anyway, do you want to drop security-policy? I think linking a human-readable security policy is something that many would want to have regardless of a contact?

iamamoose commented 6 years ago

Agree, I think security-policyis really useful in conjunction with security-contact.

kjetilk commented 6 years ago

OK, great! I have opened a PR, in case @ewilderj wants to review it. We can certainly discuss more advanced features, but I feel we have a good consensus around these two.

kjetilk commented 6 years ago

BTW, we probably want to use the CERT ontology rather than the WOT ontology: https://www.w3.org/ns/auth/cert

ewilderj commented 4 months ago

@kjetilk understanding that it's 6 years later, I am still interested in merging this ;-) Should anything be updated before we look at the PR?

kjetilk commented 4 months ago

Not that I can think of, go ahead!

ewilderj commented 3 months ago

Ha, it looks like you merged it already. What we are missing is a ChangeLog entry for it.

kjetilk commented 3 months ago

Ah, right! I figured, better merge it, it could always be reverted before it is pushed. But then, we're good, I think.

ewilderj commented 3 months ago

Yeah we're good. I brought the Changelog up to date

On Sat, Jun 8, 2024, 3:49 PM Kjetil Kjernsmo @.***> wrote:

Ah, right! I figured, better merge it, it could always be reverted before it is pushed. But then, we're good, I think.

— Reply to this email directly, view it on GitHub https://github.com/ewilderj/doap/issues/60#issuecomment-2156215329, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAACKAZFNU4NNBEJXPXTXR3ZGOC75AVCNFSM6AAAAABI5ASTCGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNJWGIYTKMZSHE . You are receiving this because you were assigned.Message ID: @.***>