Last modified: 2014-10-29 21:24:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T74193, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 72193 - Have a check for reported security issues in dependencies
Have a check for reported security issues in dependencies
Status: NEW
Product: Wikimedia
Classification: Unclassified
Deployment systems (Other open bugs)
wmf-deployment
All All
: Normal enhancement (vote)
: ---
Assigned To: Chris Steipp
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-17 18:33 UTC by Chris Steipp
Modified: 2014-10-29 21:24 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Chris Steipp 2014-10-17 18:33:22 UTC 
As we start including 3rd party libraries into WMF code, we should have a way to regularly check that our deployed version includes any security fixes.

My initial thought is to have Jenkins use https://security.sensiolabs.org/api to check any composer.lock files that are included in our patches.

Since the database of vulnerabilities that sensiolabs includes is relatively small, I'd propose that part of the security review is ensuring that any 3rd party libraries get included by them (https://security.sensiolabs.org/contribute), keeping us more secure, and helping other projects be secure too.

Bd808 thinks he can help me get this setup.
Comment 1 Antoine "hashar" Musso (WMF) 2014-10-17 19:29:31 UTC 
I like the principle :-D

The database of CVE is at: https://github.com/sensiolabs/security-advisories  which provides a small utility to validate the YAML based format.   It is lacking a contributing license though.

I am not a huge fan of depending on a third party API and the above repository is missing the code to validate a composer.lock against the database.  But that should be trivial to reimplement.


We would probably want to have a daily run against all repositories maintained branches and produce a report.


So a summary a possible .plan would be:

- fill an issue to have the repository content under a free license
- implement an utility that reads a composer.lock and match it against the security repo 
- figure out a database of repos / branch we want to run the utility against
- Jenkins can daily run it on all repositories as well as on patch proposal (via the existing composer-validate job).
Comment 2 Bryan Davis 2014-10-26 22:24:47 UTC 
The database has a new home and license: <https://github.com/FriendsOfPHP/security-advisories/blob/master/LICENSE>
Comment 3 Chris Steipp 2014-10-29 21:24:29 UTC 
As a simple PoC, I setup

https://integration.wikimedia.org/ci/job/test-csteipp-sensiolabs-securityadvisorieschecker/

Which checks against https://security.sensiolabs.org/api. Now that the database is freely licensed, we can setup our own system to check against. But I'd like to see how stable their api is before taking on building that.

Eventually, I'd like a check like this to run each time the composer.lock file in mediawiki/vendor (or any repo with a composer.lock, but let's start with our vendor repo) is updated. I'm guessing that would be a zuul managed check?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links