The process to objectively assess the security risk of 3rd party open source components or dependencies is outlined with consideration of the legacy way of performing the assessment, as well as the new process discussed within the project during the Hanoi development time frame.
...
Use Case | Process | Tools | Applicability |
---|---|---|---|
1.) Existing Code (Skeletons in the Closet) | Automated scan within build automation via Snyk CLI Scans of the published Docker images via Snyk with notifications to SIR Team members / Snyk Administrators Working groups should review any issues identified via the build automation tools and address within the context of the working group reviews. | Snyk Community Bridge Advanced Snyk Reports Clair | Scan automation occurs within the build - PR merge to master |
2.) Code in Holding (Analysis of code before it is accepted) | Review catalog of approved packages in this wiki. Compare that list to the list being submitted. Provide the summary of differences to include the list of new packages and why they are needed. | Complete the paper study for each package. See paper study process as written for use case 3. | When considering code that is under consideration for moving into the main EdgeX Foundry Org, out of holding |
3.) Pull Request with new dependency | Submitter of a Pull Request (PR) will complete the Pull Request template to include any new changes that introduce dependency changes (e.g. imports or go module dependencies) The standard Pull Request template includes a question that asks - "Are there any new imports or modules? If so, what are they used for and why?" Submitter of the PR will add a If the dependency is security related, the submitter will add the Submitter should include scan results which include consideration of compliance (license) as well as security vulnerability (e.g. CVE) data, that can be reviewed by a Security WG member. | Run this command at the root of your repo GO111MODULE=on go list -m all GO111MODULE=on go mod graph For a PR with new dependencies, the submitter of the PR will complete a manual paper study to collect the following data points for review:
| On a Pull Request, whenever there's a new dependency introduced as shown through changes to the go.mod |
Approved Go Modules (those in Red are being investigated for replacement - avoid them if possible
- bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-
...
- 0eeff89b0690
- github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e
- github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da
- github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310
- github.com/bgentry/speakeasy v0.1.0
- github.com/BurntSushi/toml v0.3.1
- github.com/cenkalti/backoff v2.2.1+incompatible
- github.com/cloudflare/gokey v0.1.0
- github.com/davecgh/go-spew v1.1.1
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
- github.com/diegoholiveira/jsonlogic v1.0.1-0.20200220175622-ab7989be08b9
- github.com/eclipse/paho.mqtt.golang v1.1.1
- github.com/eclipse/paho.mqtt.golang v1.2.0
- github.com/edsrzf/mmap-go v1.0.0
- github.com/faceterteam/onvif4go v0.4.0
- github.com/fatih/color v1.7.0
- github.com/fsnotify/fsnotify v1.4.7
- github.com/fxamacker/cbor/v2 v2.2.0
- github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8
- github.com/go-kit/kit v0.8.0
- github.com/golang/mock v1.2.0
- github.com/golang/protobuf v1.3.2
- github.com/golang/snappy v0.0.1
- github.com/go-logfmt/logfmt v0.4.0
- github.com/gomodule/redigo v2.0.0+incompatible
- github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c
- github.com/google/uuid v1.1.0
- github.com/google/uuid v1.1.1
- github.com/go-redis/redis/v7 v7.2.0
- github.com/gorilla/mux v1.7.1
- github.com/gorilla/mux v1.7.4
- github.com/go-stack/stack v1.8.0
- github.com/hashicorp/consul/api v1.1.0
- github.com/hashicorp/consul/sdk v0.1.1
- github.com/hashicorp/errwrap v1.0.0
- github.com/hashicorp/go-cleanhttp v0.5.1
- github.com/hashicorp/go-immutable-radix v1.0.0
- github.com/hashicorp/golang-lru v0.5.0
- github.com/hashicorp/golang-lru v0.5.1
- github.com/hashicorp/go-msgpack v0.5.3
- github.com/hashicorp/go-multierror v1.0.0
- github.com/hashicorp/go.net v0.0.1
- github.com/hashicorp/go-rootcerts v1.0.0
- github.com/hashicorp/go-sockaddr v1.0.0
- github.com/hashicorp/go-sockaddr v1.0.1
- github.com/hashicorp/go-syslog v1.0.0
- github.com/hashicorp/go-uuid v1.0.1
- github.com/hashicorp/logutils v1.0.0
- github.com/hashicorp/mdns v1.0.0
- github.com/hashicorp/memberlist v0.1.3
- github.com/hashicorp/serf v0.8.2
- github.com/hpcloud/tail v1.0.0
- github.com/imdario/mergo v0.3.6
- github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515
- github.com/kr/pretty v0.1.0
- github.com/kr/pty v1.1.1
- github.com/kr/text v0.1.0
- github.com/mattn/go-colorable v0.0.9
- github.com/mattn/go-isatty v0.0.3
- github.com/miekg/dns v1.0.14
- github.com/miekg/dns v1.1.4
- github.com/mitchellh/cli v1.0.0
- github.com/mitchellh/consulstructure v0.0.0-20190329231841-56fdc4d2da54
- github.com/mitchellh/copystructure v1.0.0
- github.com/mitchellh/go-homedir v1.0.0
- github.com/mitchellh/go-homedir v1.1.0
- github.com/mitchellh/go-testing-interface v1.0.0
- github.com/mitchellh/go-wordwrap v1.0.0
- github.com/mitchellh/gox v0.4.0
- github.com/mitchellh/iochan v1.0.0
- github.com/mitchellh/mapstructure v1.1.2
- github.com/mitchellh/reflectwalk v1.0.0
- github.com/OneOfOne/xxhash v1.2.5
- github.com/OneOfOne/xxhash v1.2.6
- github.com/onsi/ginkgo v1.10.1
- github.com/onsi/gomega v1.7.0
- github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c
- github.com/pebbe/zmq4 v1.0.0
- github.com/pelletier/go-toml v1.2.0
- github.com/pkg/errors v0.8.1
- github.com/pmezard/go-difflib v1.0.0
- github.com/posener/complete v1.1.1
- github.com/remyoudompheng/bigfft v0.0.0-20190321074620-2f0d2b0e0001
- github.com/robfig/cron v0.0.0-20180505203441-b41be1df6967
- github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f
- github.com/ryanuber/columnize v2.1.0+incompatible
- github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529
- github.com/soniah/gosnmp v1.21.0
- github.com/spf13/cast v1.3.0
- github.com/stretchr/objx v0.1.0
- github.com/stretchr/objx v0.2.0
- github.com/stretchr/testify v1.5.1
- github.com/stretchr/testify v1.6.1
- github.com/x448/float16 v0.8.4
- golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3
- golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
- golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
- golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392
- golang.org/x/net v0.0.0-20181201002055-351d144fa1fc
- golang.org/x/net v0.0.0-20190213061140-3a22650c66bd
- golang.org/x/net v0.0.0-20190228165749-92fc7df08ae7
- golang.org/x/net v0.0.0-20190921015927-1a5e07d1ff72
- golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553
- golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
- golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
- golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5
- golang.org/x/sys v0.0.0-20190411185658-b44545bcd369
- golang.org/x/sys v0.0.0-20190922100055-0a153f010e69
- golang.org/x/sys v0.0.0-20191010194322-b09406accb47
- golang.org/x/text v0.3.0
- golang.org/x/text v0.3.2
- golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e
- gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
- gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127
- gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
- gopkg.in/eapache/queue.v1 v1.1.0
- gopkg.in/fsnotify.v1 v1.4.7
- gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce
- gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
- gopkg.in/yaml.v2 v2.2.8
- gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
- modernc.org/b v1.0.0
- modernc.org/db v1.0.0
- modernc.org/fileutil v1.0.0
- modernc.org/file v1.0.0
- modernc.org/golex v1.0.0
- modernc.org/internal v1.0.0
- modernc.org/lldb v1.0.0
- modernc.org/mathutil v1.0.0
- modernc.org/ql v1.0.0
- modernc.org/sortutil v1.0.0
- modernc.org/strutil v1.0.0
- modernc.org/zappy v1.0.0