
CoreDNS Project Security Self-Assessment - Security Pals #1189

Merged: 25 commits merged on Jan 24, 2024

Conversation

TomY-Zhang (Contributor) wrote:

Created and added first draft for CoreDNS Project Security Self-Assessment.
Please feel free to share your feedback on the security self-assessment.

TomY-Zhang and others added 8 commits December 3, 2023 15:38
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Co-Authored-By: maryammohagheghi <43008809+maryammohagheghi@users.noreply.github.com>
Co-Authored-By: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Co-Authored-By: Vamshi-Madineni <129896345+vamshi-madineni@users.noreply.github.com>
netlify bot commented Dec 7, 2023:

Deploy Preview for tag-security ready!

Latest commit: 9043b2b
Latest deploy log: https://app.netlify.com/sites/tag-security/deploys/65b16004b60ce100080f7105
Deploy Preview: https://deploy-preview-1189--tag-security.netlify.app

@eddie-knight (Collaborator) wrote:

Hi there, and thanks for your work on this self-assessment!

I noticed that you included an SBOM along with the self-assessment. There are two reasons that jump to the front of my mind for why this isn't needed...

  1. SBOMs should be associated with releases, as the bill of materials is only accurate and useful if it is created at build time and associated with a particular point in the code history.
  2. If you need to link to an SBOM for some reason in the self-assessment, you can just provide a link out to the latest build artifacts that contain an SBOM.

We still have plenty more to review, but as a starter: could you please remove the SBOM from this PR?

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
@TomY-Zhang (Contributor, Author) wrote:

Hi @eddie-knight,

I removed the SBOM from the self-assessment. We do need an SBOM, but unfortunately, there isn't any SBOM released with each release of the project.

@ragashreeshekar (Contributor) left a review comment:

Thanks for the PR @TomY-Zhang and team, appreciate the efforts.
I have completed the first pass of review. Please feel free to reach out here or on Slack for any questions and clarifications.

Along with addressing the comments, kindly update the PR branch with the latest content in the repo, as this branch is out of date with the base branch.

TomY-Zhang and others added 7 commits December 10, 2023 14:36
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
…s section

Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
@rsc1102 (Contributor) commented Dec 11, 2023:

Hi @ragashreeshekar,
Thank you for your suggestions. We have made the necessary changes.
Please review our self-assessment so that we can finalize the document.

TomY-Zhang and others added 2 commits December 12, 2023 11:08
Co-authored-by: Eddie Knight <iv.eddieknight@gmail.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
TomY-Zhang and others added 3 commits December 12, 2023 12:37
Co-authored-by: Eddie Knight <iv.eddieknight@gmail.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
@TomY-Zhang (Contributor, Author) wrote:

Hi @eddie-knight,

I have modified the assessment in accordance with your suggestions.

rsc1102 and others added 2 commits January 19, 2024 13:24
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
@rsc1102 (Contributor) commented Jan 19, 2024:

@torinvdb @ragashreeshekar the suggestions have been committed.

@JustinCappos (Collaborator) wrote:

@ragashreeshekar Can you update your review please?

@JustinCappos (Collaborator) left a review comment:

I approve. Looks good from my standpoint.

@ragashreeshekar ragashreeshekar merged commit da7ae76 into cncf:main Jan 24, 2024
9 checks passed
mrsabath pushed a commit to mrsabath/tag-security that referenced this pull request Mar 27, 2024
* Create coredns_sbom.json

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Add files via upload

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update self-assessment.md

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update formatting

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update compliance

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update header

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Fixed errors in accordance to feedback from project maintainers

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Delete assessments/projects/coredns/coredns_sbom.json

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update SBOM

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Fixed heading

Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>

* Added links to SECURITY.md and mailing lists

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Fixed section heading tags

Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>

* Removed "Security Incident Response" from secure development practices section

Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>

* Update formatting

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Re-added 'Compliance and Standards'

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Specified that CoreDNS does not generate SBOM in 'Metadata' section

Co-authored-by: Eddie Knight <iv.eddieknight@gmail.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Updated 'Self-assessment use' section

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Added "CoreDNS Plugins" to Actors

Co-authored-by: Eddie Knight <iv.eddieknight@gmail.com>
Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Updated "Actions" and added "Documentation" section

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Fixed typo

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>

* Update assessments/projects/coredns/self-assessment.md

Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>

* Update assessments/projects/coredns/self-assessment.md

Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>

---------

Signed-off-by: Tom Zhang <87039997+TomY-Zhang@users.noreply.github.com>
Signed-off-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Co-authored-by: maryammohagheghi <43008809+maryammohagheghi@users.noreply.github.com>
Co-authored-by: Rohit Chaudhari <46722995+rsc1102@users.noreply.github.com>
Co-authored-by: Vamshi-Madineni <129896345+vamshi-madineni@users.noreply.github.com>
Co-authored-by: Eddie Knight <iv.eddieknight@gmail.com>
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Mariusz Sabath <mrsabath@gmail.com>
anvega pushed a commit to anvega/tag-security that referenced this pull request Jun 10, 2024
Signed-off-by: Andres Vega <av@monkey.org>