Track CVEs for kubernetes dependencies...

[brendandburns]

Kubernetes has a very large number of golang library dependencies. While there is some work to track and ensure license compatability, there is little to know work done to track vulnerabilities in these library dependencies.

Indeed, I don't know of a database (something like https://ossindex.sonatype.org/) for go libraries that we could use. (perhaps the CNCF can help here...)

But the lack of tools and databases isn't an excuse.

We need to do a better job here of tracking, reporting and updating our dependencies to fix known relevant security issues.

And ultimately, we also need to do a periodic audit to make sure that we aren't importing vulnerabilities into the codebase.

@philips @spiffxp @kubernetes/steering-committee

[jayunit100]

Agree , one highly visible critical CVE unchecked could really hurt a data center and even if not, if public it would hurt the growth and adoption of kubernetes in enterprises.

Should this
Be part of the build process ? We may be able to Integrate with blackduck copilot .

[dims]

@jayunit100 AFAICT copilot does not support golang (looking at https://copilot.blackducksoftware.com/)

[cblecker]

cc: @kubernetes/product-security-team

I know GitHub does this for other languages.. I wonder if they will start doing it for Go 🤔.

[brendandburns]

@jessfraz Do you know anything about tools that Github might be working on?

[jessfraz]

yes there is work on better tooling around this, so if you can hang tight for a little bit (maybe a few months but don't quote me on that) it will get better

[jessfraz]

I had bounced some ideas off @cblecker and the PST about our plans here with github integrations but happy to discuss with anyone else as well :) don't want to necessarily make promises in public in writing just in case things change a little but we would love feedback on the ideas going forward

[brendandburns]

@jessfraz any chance you can add me to the email?

[jessfraz]

Added!

[gjohnson]

In the interim, would something like dependabot work?

[tallclair]

• A lot of our dependencies are not mature enough to get CVEs for security issues. That doesn't mean we shouldn't care about the vulnerability.
• We also want to have insight into non-security bug fixes. See this slide: https://docs.google.com/presentation/d/1i3Qnt2yQOfqVLXXkyiaQ_6HOj5ZqkeWQ2wRmT1U2aBs/edit#slide=id.g499934ca8f_0_72
• We should also work on trimming dependencies to reduce the number we need to worry about

[bgrant0607]

On trimming dependencies: that's one of many reasons why I want provider-specific code (e.g., cloud providers, volume sources) out of tree.

[philips]

@brendanburns Did you ever see any response on the CNCF Service Desk request for Go dependency CVE tracking?

@tallclair Is there even a way for Go dependencies to express metadata about security right now?