The highest priority item in the security roadmap is "Close Open Vulnerabilities." Where do we stand?
Dependabot Alerts: 36 open, 126 closed
go: 23 open, 51 closed
- helm (7)
- containerd (6)
- opencontainers/runc (6)
- four other packages (1 each)
Discuss: this PR should address all the helm, containerd, and runc issues. It is blocked on testing. Can we get help from somebody who has already set up the operator?
npm: 8 open, 71 closed
- postcss (2) (Open PR: magma/magma#13675)
- node-fetch (2) (Open PR: magma/magma#13674)
- ansi-regex (2)
- two packages (1 each)
Discuss: https://gist.github.com/lucasgonze/07a256990b0118fcdc04c02d9547b2dc
rubygems: 3 open, 1 closed
- three packages (1 each)
pip: 2 open, 3 closed
- two packages (1 each)
Discuss: "Closing Python upgrades blocked on testing Debian packages." - fixed with the 1.8 release, merged today.
Disclosure issues (magma/security): 5 open, 9 closed
https://github.com/magma/security/issues?q=is%3Aissue+disclosure+in%3Atitle+state%3Aopen
In progress:
- OpenSSH 2.3 < 7.7: paused until after June 3. Needs Tim Dzik's time.
- Subscriber Keys Stored in Memory on Host (mirror): close when #13249 is complete. Discuss "Default is to always stream to AGW, that is to keep the existing setup. We can revisit that once Varun has made all the changes. If the TSC agrees, making the default switch is very straightforward."
- EPC and Backhaul Data Unencrypted: discussed but not started. Should be owned by dataplane owner, probably @pshelar and @panyogesh.
Not started yet:
- Items "Subscriber keys stored in memory on hosts" and "update and clean up dependencies" are subsets of "Close known vulnerabilities." Let's move those rows into the top row.
- We have made really good progress on known vulnerabilities. Next, we can move on to "Dangerous Workflows" and "Secure defaults".