Idea: Security advisories as part of crates.io metadata

retep998 · 2016-08-27T01:57:28.327Z

Extending yanking to be more descriptive of why it was yanked, and printing out warnings when using yanked crates, sounds like a good idea to me.

untitaker · 2016-08-27T12:54:24.837Z

Whenever I have time I’ll rewrite the RFC to extend yanking instead, it seems to be a much more popular option.

hgrecco · 2016-08-27T13:57:02.195Z

The RFC does not say anything about who could flag a crate as vulnerable. I guess it is implied that only the crate author can do it. However, it might be good to consider an alternative way for the (not unlikely) case in which an abandoned but commonly used crate is found vulnerable. A possibility would be that a group of people appointed by the core devs have permissions on crates.io to flag a crate as vulnerable. I understand that some would not like this for being invasive but I think it could be a good thing overall if it is done transparently.

untitaker · 2016-08-27T14:09:52.653Z

I’ll clarify this. I think intervention by “crates.io mods” in general doesn’t require an RFC and will happen anyway.

untitaker · 2016-08-27T14:23:01.779Z

I think when formulated this way, there are actually two proposals that might as well be split in two RFCs:

Adding extended, structured metadata to yanked crates
Changing Cargo’s behavior for yanked crates to allow using yank-ing for security announcements

Which of those even warrants a RFC?

mitsuhiko · 2016-08-27T23:19:45.404Z

I suppose one RFC would be enough particularly because it most likely will have to explain how to silence individual security warnings explicitly (would that go into Cargo.toml?)

vi0 · 2016-09-05T10:59:08.674Z

Shall it also extend to non-security serious bugs that can lead to data loss?

untitaker · 2016-09-05T12:13:15.000Z

Absolutely not. I don’t want to duplicate a bugtracker into Crates.io.

mcpherrinm · 2016-09-06T06:07:35.317Z

Getting a CVE issued is not guaranteed. Anything “out of scope” will not get one, and so blocking use of this feature on a 3rd party seems troublesome.

bascule · 2016-09-06T22:10:30.078Z

I would suggest using DWF instead of CVE:

GitHub

Distributed Weakness Filing

Distributed Weakness Filing Project

DWF was created by the guy who runs https://iwantacve.org/ to distributed the administrative overhead of acquiring CVEs.

All CVEs are valid DWFs, and a CVE can be converted into a DWF by doing s/CVE/DWF/. DWF can be thought of as a superset of the CVE space.

With DWF, https://crates.io could apply for a block of DWF identifiers, and automatically assign them when someone does cargo vuln (or, as I’d now personally prefer, cargo advisory). Or, crates that do get a CVE assigned can use that instead, but translating it to a DWF first.

bascule · 2016-09-07T01:52:25.479Z

As a separate issue, I would suggest NOT coupling security advisories to yanks. Yanks are extremely disruptive and not all vulnerabilities are created equal. Some vulnerabilities can be mitigated in ways other than upgrading a crate, like making local configuration changes. Some vulnerabilities may affect optional functionality not everyone is using or functionality that can be compiled out by e.g. disabling certain cargo feature settings for that crate. Some may be relatively innocuous and/or hard-to-exploit and therefore not warrant an immediate upgrade.

Advisories are just that: they should give advice on how to deal with an issue, without breaking your program and forcing an upgrade. I would argue that coupling this sort of functionality to yanks would severely diminish its utility to a point of near-uselessness.

I would suggest a well-considered second step after any sort of cargo vuln / cargo advisory feature ships could be to include something like a vulnerability class, severity, CVSS score, etc that people could potentially gate hard failures on (e.g. in CI). But I don’t think forcing a yank for any sort of security vulnerability you plan on issuing an advisory for makes sense.

steveklabnik · 2016-09-07T02:56:51.000Z

Yanks shouldn’t be extremely disruptive, as they don’t cause existing projects to not fetch that dep, only new ones, right?

(I still agree that coupling the two may not be the best idea, exactly.)

hsivonen · 2016-09-07T08:16:49.514Z

mitsuhiko:

I don’t think one could make CVEs mandatory. They just recently started issuing longer numbers. Pretty sure they would not appreciate if one starts to simplify the process so that they have to issue a few orders of magnitude more.

I think this isn’t a good reason for not using CVE numbers. CVE numbers are already used by C/C++ projects and various projects that use memory-safe languages. Rust’s safety properties should result in fewer vulnerabilities per line of code per time than C or C++, and the Rust ecosystem is still smaller.

Therefore, Crates.io using CVE numbers would get nowhere near even a single order of magnitude (times 10) increase–not even doubling the CVE issuing rate.

I think the only reason not to use CVE numbers would be the inability to get them assigned in an automated fashion. I have zero experience on that front, but on surface, what @bascule says about DWF seems promising.

I general, I think it would be very valuable to integrate security advisories into crates.io metadata.

mitsuhiko · 2016-09-07T08:34:29.160Z

hsivonen:

I think this isn’t a good reason for not using CVE numbers. CVE numbers are already used by C/C++ projects and various projects that use memory-safe languages. Rust’s safety properties should result in fewer vulnerabilities per line of code per time than C or C++, and the Rust ecosystem is still smaller.

It’s not about how many vulnerabilities there are but how many get CVE numbers. The vulnerabilities are a few orders of magnitude higher than issued CVEs.

untitaker · 2016-09-07T09:27:12.443Z

What about assigning DWF numbers automatically and letting the user optionally (and manually) specify a CVE number? This would result in two DWF numbers though.

I myself have no opinion on whether to use DWF or CVE but I would agree that assigning CVEs in an automated manner is not possible.

untitaker · 2016-09-07T09:45:01.431Z

Also I want to post a pre-RFC soon-ish. Some important questions where I’m unclear about the consensus:

vuln as separate command or integrated into yank?
Simple warning for compiling crates with advisories, or refusal unless overridden in Cargo.toml (see current RFC draft for details)?
Automated DWF filing, and/or optional DWF, and/or optional CVE?
Vulnerability scoring integrated into Crates.io?

bascule · 2016-09-07T18:35:02.110Z

My vote:

separate command instead of colluded with yank
warn by default with optional hard failure
store a DWF ID for each vuln. Obtaining one automatically if one isn’t passed in explicitly is gravy.
I would postpone any sort of severity scoring in the initial implementation. The existing methods (e.g. CVSS) are somewhat lousy and I’m worried trying to do anything else will turn into a giant bikeshedding debate. If people really have their hearts set on CVSS(v3), I wouldn’t be opposed though.

untitaker · 2016-09-08T17:22:14.554Z

warn by default with optional hard failure

Where would this option be? Something like #[deny(security_advisories)] or within Cargo.toml? Or just as a CLI option? I suspect that the former isn’t doable since that sort of metadata is not available anymore at compile time.

store a DWF ID for each vuln. Obtaining one automatically if one isn’t passed in explicitly is gravy.

Oh that makes sense, I’d vote for this too.

(TIL what gravy means in this context: optional)

Anybody else?

untitaker · 2016-09-10T16:15:18.410Z

I’ve posted a pre-RFC at [pre-RFC] Security advisories as part of crates.io metadata, please continue discussion there.

system · 2019-03-25T08:26:43.076Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.