docs: adding CVE patching instructions
Co-authored-by: zhijie-yang <[email protected]>
Co-authored-by: Nikos Sklikas <[email protected]>
Co-authored-by: cjdcordeiro <[email protected]>
1 parent c80436a, commit 4e2cf5b. Showing 1 changed file with 106 additions and 0 deletions.
@@ -0,0 +1,106 @@ | ||
# Security | ||
|
||
|
||
|
||
## CVE patching for OCI factory artifacts | ||
|
||
When a CVE is reported we are bound to patch the existing OCI artifacts if within the EOL | ||
maintenance window | ||
|
||
|
||
based on when the artifact was published there are 2 different methods to operate | ||
|
||
|
||
### before https://github.com/canonical/identity-platform-admin-ui/pull/452 merge | ||
|
||
In this case OCI tags include the patch version of the application | ||
To be able to fix the OCI image with the related tag we need to: | ||
|
||
* checkout a new branch from the tag and name it `cve/<tag>` | ||
|
||
```git | ||
git switch --detach v1.19.0 | ||
git switch -c cve/v1.19.0 | ||
``` | ||
|
||
* apply [oci-factory workflow patch](https://github.com/canonical/identity-platform-admin-ui/commit/eb0b7859f2210c9e2ce500e397ae3da688fef4de) | ||
* apply CVE patches (conventional commits won't be trigger a release here, so using a chore/feat/fix won't make a difference) | ||
* retag to the head fo the branch and push the tag | ||
|
||
```git | ||
git tag -f v1.19.0 | ||
git push -f --tags origin v1.19.0 | ||
``` | ||
|
||
* let the machinery do its job | ||
|
||
|
||
|
||
### after https://github.com/canonical/identity-platform-admin-ui/pull/452 merge | ||
|
||
|
||
In this case OCI tags don't include the patch version anymore, we should be able to simply use the current workflows | ||
|
||
Two cases are possible now: | ||
|
||
|
||
#### latest release | ||
|
||
If tag is the latest, making `fix` commits to patch the issue and then use the `release-please` flow as usual | ||
That will trigger the usual release PR with a patch version change, OCI tag won't be affected and OCI cli will push | ||
the `<major>.<minor>` with the following | ||
|
||
```yaml | ||
- source: canonical/identity-platform-admin-ui | ||
commit: c80436a8d26abd33f2d1901ac59393fde69dd987 | ||
directory: ./ | ||
release: | ||
1.21-22.04: | ||
end-of-life: "2024-11-26T00:00:00Z" | ||
risks: | ||
- candidate | ||
- edge | ||
``` | ||
#### previous release | ||
In the case tag is not on the same minor the same process describe for pre #452 merge applies with some exceptions, | ||
To be able to fix the OCI image with the related tag we need to: | ||
* checkout a new branch from the tag and name it `cve/<tag>` | ||
|
||
```git | ||
git switch --detach v1.19.0 | ||
git switch -c cve/v1.19.0 | ||
``` | ||
|
||
* apply git patch below (to be changed soon) to avoid pushing to latest stable | ||
|
||
```git | ||
diff --git c/.github/workflows/publish.yaml w/.github/workflows/publish.yaml | ||
index 31968d8..f2aa3e2 100644 | ||
--- c/.github/workflows/publish.yaml | ||
+++ w/.github/workflows/publish.yaml | ||
@@ -94,7 +94,6 @@ jobs: | ||
echo IMAGE_VERSION_CANDIDATE=$($YQ '.version | split(".").[0:2] | join(".")' rockcraft.yaml) >> $GITHUB_ENV | ||
- name: Release | ||
run: | | ||
- $OCI_FACTORY upload -y --release track=$IMAGE_VERSION_STABLE-22.04,risks=stable,eol=$EOL_STABLE | ||
$OCI_FACTORY upload -y --release track=$IMAGE_VERSION_CANDIDATE-22.04,risks=candidate,edge,eol=$EOL_CANDIDATE | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.token }} | ||
``` | ||
|
||
|
||
* apply CVE patches (conventional commits won't trigger a release here, so using a chore/feat/fix won't make a difference) | ||
* retag to the head fo the branch and push the tag | ||
|
||
```git | ||
git tag -f v1.19.0 | ||
git push -f --tags origin v1.19.0 | ||
``` | ||
|
||
* let the machinery do its job |
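Review bot: the retag step `git tag -f v1.19.0` followed by `git push -f --tags origin v1.19.0` force-moves an already published release tag, so the same tag name resolves to different commits before and after the CVE fix, and `--tags` pushes every local tag rather than only the one named; the document should say explicitly that this overwrites the existing tag (clients that already fetched it keep the old ref until they re-fetch with `--force`), and the command should drop `--tags` so only `v1.19.0` is pushed. Smaller points in the same hunk: the code fences are tagged `git`, which is not a recognised language (use `shell` for the command blocks and `diff` for the embedded publish.yaml patch); "retag to the head fo the branch" has a typo for "of" and appears twice; "conventional commits won't be trigger a release here" should read "won't trigger a release here"; the sentence ending "OCI cli will push the `<major>.<minor>` with the following" runs straight into the YAML block without saying what that block is or where it is submitted; and the "previous release" section would read better with one sentence stating what the embedded patch does, namely that removing the `risks=stable` upload line makes the CVE rebuild land only on the candidate and edge risks of the `<major>.<minor>` track so that latest stable is not overwritten, and noting that this patch is marked "to be changed soon" so readers know to check the current workflow before applying it.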