Potential security issues with EdgeX

Alexandre Courouble <acourouble@...>

Hello,

Gosec (https://github.com/securego/gosec) is a tool that parses the source code and looks for security anti-patterns.

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

I’ve attached the gosec output to this email.

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

We would like to know how we should proceed further.

Potentially we could integrate gosec into the build pipeline.

Best regards,
-- 
Alex Courouble
Member of Technical Staff – Open Source Engineer
VMware Open Source Technology Center
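The three gosec findings listed in the message above, shown as hardened Go helpers. This is an added example, not EdgeX code: the function names, the base-directory containment check and the scratch directory are assumptions made for the demo, and the comments describe the flagged pattern each helper replaces.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// "Blacklisted import crypto/sha1": a sha1 digest replaced by SHA-256, which gosec does not flag.
func digestSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// "Potential file inclusion via variable": instead of handing a caller-controlled path straight
// to os.ReadFile, anchor it to a fixed base directory and refuse anything resolving outside it.
func readConfig(baseDir, name string) ([]byte, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return nil, err
	}
	p := filepath.Join(base, name) // Join cleans the path, so ".." is resolved here
	if p != base && !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return nil, fmt.Errorf("%q escapes %q", name, base)
	}
	return os.ReadFile(p)
}

// "Expect file permissions to be 0600 or less": create owner read/write only and report the mode set.
func writeSecretFile(path string, data []byte) (os.FileMode, error) {
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return 0, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "gosec-demo") // constructed scratch directory for the demo
	defer os.RemoveAll(dir)
	mode, err := writeSecretFile(filepath.Join(dir, "token"), []byte("sample"))
	fmt.Println(digestSHA256([]byte("abc")), mode, err)
	_, err = readConfig(dir, "../../etc/passwd")
	fmt.Println("traversal rejected:", err != nil)
}
```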

Benjamin Cabé <benjamin.cabe@...>

FWIW reporting security vulnerabilities on a *public* mailing list certainly sounds like a security anti-pattern as well…

On 17 Oct 2018, at 01:17, Alexandre Courouble <acourouble@...> wrote:

Hello,
 
Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.
 
We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:
 
  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less
 
I’ve attached the gosec output to this email.
 
Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.
 
We would like to know how we should proceed further?
 
Potentially we could integrate gosec into the build pipeline.
 
Best regards,
-- 
Alex Courouble
Member of Technical Staff – Open Source Engineer
VMware Open Source Technology Center
<results.json>

Malini Bhandaru

Agree Benjamin. We were under the impression the security mailing list was more restricted.

Does EdgeX have such a limited mailing list for security issues? If not we need to create one.

Regards
Malini
From: <EdgeX-TSC-Security@...> on behalf of Benjamin Cabé <benjamin.cabe@...>
Date: Wednesday, October 17, 2018 at 2:31 AM
To: "edgex-tsc-security@..." <edgex-tsc-security@...>
Subject: Re: [Edgex-tsc-security] Potential security issues with EdgeX

 


David Ferriera

Hi Alex,

Thank you for the effort. We welcome contributions. We are always shorthanded in the security group.

Code analysis has been on our list since the beginning. If you have the resources to help us fix these and others, that would be great. We would like to have this function be a part of our ongoing release process.

Will you or any of your team be at the Edinburgh F2F next week? If not, I will put this topic on one of our weekly meetings and invite you to discuss.

Thanks,
-David

David Ferriera | Forgerock
Senior Director, Cloud Technology | Office of the CTO
m +1 408.454.8189 | w forgerock.com

On October 16, 2018 at 4:17:11 PM, Alexandre Courouble (acourouble@...) wrote:

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center

Beau Frusetta

We can potentially help out in regards to code analysis. Let’s chat more next week in Edinburgh…

 

From: EdgeX-TSC-Security@... [mailto:EdgeX-TSC-Security@...] On Behalf Of David Ferriera
Sent: Thursday, October 18, 2018 13:32
To: Alexandre Courouble <acourouble@...>; edgex-tsc-security@...
Cc: Malini Bhandaru <mbhandaru@...>
Subject: Re: [Edgex-tsc-security] Potential security issues with EdgeX

 


Alexandre Courouble <acourouble@...>

Thank you for your response David. We are looking for ways to get involved with EdgeX, so this might be a good starting point.

Malini will be in Edinburgh for the F2F next week. I’m sure you two will meet up.

Thanks,
--
Alex Courouble
Member of Technical Staff – Open Source Engineer
VMware Open Source Technology Center

 

From: David Ferriera <david.ferriera@...>
Date: Thursday, October 18, 2018 at 1:32 PM
To: Alexandre Courouble <acourouble@...>, "edgex-tsc-security@..." <edgex-tsc-security@...>
Cc: Malini Bhandaru <mbhandaru@...>
Subject: Re: Potential security issues with EdgeX

 
