-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node.js Security WG Initiatives 2023 #846
Comments
I can start: Action to update our dependencies easily and fast (#828).The issue was already created and @facutuesca is working on it. However, it's not officially a Security WG initiative yet. This will solve cases like the zlib update (nodejs/node#45387) that took a few weeks to be merged. Flag to emit a warning when vulnerableI was thinking of a flag (can be even without the flag) that checks if the current version is vulnerable. For instance, let's say the latest Security Release fixed a vulnerability on all active release lines (v14, v16, v18, v19). However, the v14 only applies to Windows (this is not true btw), which means, if you run Node.js v14.21.0 you shouldn't be affected by any known vulnerability, therefore, you shouldn't see the warning $ node --experimental-security-scan index.js
(node:1) SecurityWarning: your Node.js version is vulnerable to CVE-XXXXX and CVE-YYYYYY.
Update to ensure your system stability (nvm install v18). Enforce communication with Node.js dependenciesNowadays, when we get notified of an upcoming security release in any of our dependencies (OpenSSL for instance), we have the following workflow:
However, our security release process is a tough task, it requires at least 2 weeks in advance to plan and make it work -- besides the fact, you need more than 3 releasers to help in this process. I'm not quite sure if my suggestion is feasible, but I'd like to have a different communication with our dependency maintainers, mainly to get notified about the patch earlier. This way we can assess if the vulnerability affects Node.js or not. By the way, I'd like to hear @nodejs/releasers thoughts on this too. Security Status Page
|
Two suggestions which I think @BethGriggs has been thinking about:
|
And another one Explore how the projects stands on the OSSF Scorecard |
And one more that's been discussed in the past
|
I will also comment that I think |
@lukehinds and I have recently got together to explore using SigStore to sign Node.js releases (first proposed a long while back in nodejs/Release#642). For now we're exploring how/where it would fit into the release process and how the value could be surfaced. It hasn't reached a proposal state just yet - but I wanted to share that there are already thoughts/discussions on that topic. For 2023, I'm sure something should happen in that space.
The two that have been discussed are NIST SSDF and SLSA. We had a tentative plan to do an 'audit' of sorts where we can assess where the Node.js project is currently to then create actions to fulfil the not yet covered requirements. Early discussions were with @richardlau as it will likely involve a lot of build-related actions and context, and @sxa (who is doing similar work for another open source project). nodejs/build#3043 (comment) and SBOMs are likely topics to be explored as part of that work. Just wanted to share that for those two topics there are discussions/work in flight. |
@BethGriggs thanks for the info and great to have you confirm you are already pushing those two forward. |
Adding to the brainstorm
|
Update from #847Action to update our dependencies easily and fast (#828).It seems to have a positive consensus on this task. Flag to emit a warning when vulnerable
Enforce communication with Node.js dependencies
Security Status PageWe've agreed on this would require much work for a little improvement in the end. Therefore, it was removed. Explore using SigStore to sign our releases
Figure out how we stand in terms of key supply chain standards/frameworks
Explore how the projects stand on the OSSF Scorecard
Look at Fuzzing
Better versioning and management of tools need to build/update dependencies
|
The next session unfortunately clashes with a conference for me. I may be able to make the following session (if it happens, being so close to the holidays). But, in the meantime, I'll try and summarise the discussions we've had so far and share. |
@RafaelGSS this is the issue I mentioned related to |
That's more related to Security WG, but it may apply here too:
|
I will suggest to check the Github Actions rules (context: https://github.com/nodejs/moderation/issues/613). I see a lot of recommendations from other orgs that we might we interested to follow, like Salesforce | Github Actions Security Best Practices. |
Update 05/01Enforce communication with Node.js dependenciesOpen an issue/ticket to the OpenSSL asking how feasible is it. Better versioning and management of tools need to build/update dependencies
Security release script
Github Actions Security Best Practices
|
For 2023, we are proceeding following initiatives:
cc: @nodejs/security @nodejs/security-wg |
Hey!
Since May 2022 the Security WG was reactivated and the team took the lead in 4 initiatives:
First of all, thanks to everyone that helped on that journey, brilliant work.
As I mentioned on #843, it's time to think about future initiatives to improve the Node.js security ecosystem. So, I'd like to use this issue as a brainstorming thread to share some ideas. Ideally, share the problem and a potential solution, but, if you don't have a clear solution, don't worry, share it anyway.
This thread will be reviewed and discussed through the Node.js Security WG meetings (feel free to join).
@nodejs/security-wg
The text was updated successfully, but these errors were encountered: