From f7a17602319dd3c7e96cda8d4b2ba6f87ec186f9 Mon Sep 17 00:00:00 2001 From: shipperizer Date: Tue, 12 Nov 2024 15:23:11 +0000 Subject: [PATCH] docs: adding CVE patching instructions Co-authored-by: zhijie-yang Co-authored-by: Nikos Sklikas Co-authored-by: cjdcordeiro Co-authored-by: pik4ez-canonical Co-authored-by: Barco --- SECURITY.md | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..b6d1aff43 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,106 @@ +# Security + + + +## CVE patching for OCI factory artifacts + +When a CVE is reported we are bound to patch the existing OCI artifacts if within the EOL +maintenance window + + +based on when the artifact was published there are 2 different methods to operate + + +### before https://github.com/canonical/identity-platform-admin-ui/pull/452 merge + +In this case OCI tags include the patch version of the application +To be able to fix the OCI image with the related tag we need to: + +* checkout a new branch from the tag and name it `cve/` + +```git +git switch --detach v1.19.0 +git switch -c cve/v1.19.0 +``` + +* apply [oci-factory workflow patch](https://github.com/canonical/identity-platform-admin-ui/commit/eb0b7859f2210c9e2ce500e397ae3da688fef4de) +* apply CVE patches (conventional commits won't trigger a release here, so using a chore/feat/fix won't make a difference) +* retag to the head of the branch and push the tag + +```git +git tag -f v1.19.0 +git push -f --tags origin v1.19.0 +``` + +* let the machinery do its job + + + +### after https://github.com/canonical/identity-platform-admin-ui/pull/452 merge + + +In this case OCI tags don't include the patch version anymore, we should be able to simply use the current workflows + +Two cases are possible now: + + +#### latest release + +If tag is the latest, making `fix` commits to patch the issue and then use the `release-please` flow as usual +That will trigger the usual release PR with a patch version change, OCI tag won't be affected and OCI cli will push +the `.` with the following + +```yaml + - source: canonical/identity-platform-admin-ui + commit: c80436a8d26abd33f2d1901ac59393fde69dd987 + directory: ./ + release: + 1.21-22.04: + end-of-life: "2024-11-26T00:00:00Z" + risks: + - candidate + - edge +``` + + +#### previous release + +In the case tag is not on the same minor the same process describe for pre #452 merge applies with some exceptions, + + +To be able to fix the OCI image with the 
related tag we need to: + +* checkout a new branch from the tag and name it `cve/` + +```git +git switch --detach v1.19.0 +git switch -c cve/v1.19.0 +``` + +* apply git patch below (to be changed soon) to avoid pushing to latest stable + +```git +diff --git c/.github/workflows/publish.yaml w/.github/workflows/publish.yaml +index 31968d8..f2aa3e2 100644 +--- c/.github/workflows/publish.yaml ++++ w/.github/workflows/publish.yaml +@@ -94,7 +94,6 @@ jobs: + echo IMAGE_VERSION_CANDIDATE=$($YQ '.version | split(".").[0:2] | join(".")' rockcraft.yaml) >> $GITHUB_ENV + - name: Release + run: | +- $OCI_FACTORY upload -y --release track=$IMAGE_VERSION_STABLE-22.04,risks=stable,eol=$EOL_STABLE + $OCI_FACTORY upload -y --release track=$IMAGE_VERSION_CANDIDATE-22.04,risks=candidate,edge,eol=$EOL_CANDIDATE + env: + GITHUB_TOKEN: ${{ secrets.token }} +``` + + +* apply CVE patches (conventional commits won't trigger a release here, so using a chore/feat/fix won't make a difference) +* retag to the head of the branch and push the tag + +```git +git tag -f v1.19.0 +git push -f --tags origin v1.19.0 +``` + +* let the machinery do its job \ No newline at end of file
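Review bot: the retag step under `#### previous release` (and the identical step under `### before ... merge`) runs `git push -f --tags origin v1.19.0`; `--tags` pushes every local tag in addition to the named one, so combined with `-f` any other tag that happens to diverge locally is silently force-updated on origin. Suggest the narrower `git push -f origin refs/tags/v1.19.0`, plus one sentence stating that force-moving a published tag changes what `v1.19.0` resolves to for everyone who already fetched it and that the OCI image tag then no longer corresponds to the original release commit, so the moved tag should be recorded in the release notes or changelog. Smaller points in the same hunk: the branch name `cve/` reads as if the tag suffix was dropped from the text, and `OCI cli will push the `.` with the following` is truncated in the same way; `the same process describe for pre #452 merge` should be `described`; the `commit:` hash and `end-of-life:` date in the `yaml` snippet should be marked as example values so readers do not copy them verbatim; the embedded `publish.yaml` patch marked `(to be changed soon)` would benefit from a link to whatever tracks that change so the doc does not go stale; and the ```git fences hold shell commands and a unified diff rather than any `git` syntax, so `shell` and `diff` are the fitting fence languages.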