Fix dependency policy and add to SECURITY-INSIGHTS.yml (#4907)

## Description of the changes Adding security policy to SECURITY.md Adding a couple of sections to the SECURITY-INSIGHTS.yml to fix missing items. Next step is to check the CLOMonitor for other gaps - Need to build a threat model too. ## How was this change tested? Only text changes in this PR. ## Checklist - [X] I have read https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md - [X] I have signed all commits - [Not needed] I have added unit tests for the new functionality - [Not needed] I have run lint and test steps successfully --------- Signed-off-by: Jonah Kowall <[email protected]>
jaegertracing · Oct 30, 2023 · bbe6c58 · bbe6c58
1 parent 86a1fc3
commit bbe6c58
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 2 deletions.
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -26,7 +26,13 @@ distribution-points:
 - https://quay.io/organization/jaegertracing/ 
 security-artifacts:
   threat-model:
-    threat-model-created: false
+    threat-model-created: true
+    evidence-url:
+    - https://github.com/jaegertracing/jaeger/blob/main/THREAT-MODEL.md
+self-assessment:
+    self-assessment-created: true
+    evidence-url:
+    - https://github.com/jaegertracing/jaeger/blob/main/SELF-ASSESMENT.md
 security-testing:
 - tool-type: sca
   tool-name: Dependabot
@@ -47,7 +53,12 @@ vulnerability-reporting:
   comment: |
     The first and best way to report a vulnerability is by using private security issues in GitHub or opening an issue on Github. We are also available on the CNCF Slack in the jaeger channel.
 dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/jaegertracing/jaeger/blob/main/go.mod
   sbom:
   - sbom-file: https://github.com/jaegertracing/jaeger/releases/latest/download/jaeger-SBOM.spdx.json 
     sbom-format: SPDX
-    sbom-url: https://github.com/anchore/sbom-action 
+    sbom-url: https://github.com/anchore/sbom-action 
+  dependencies-lifecycle:
+    policy-url: https://github.com/jaegertracing/jaeger/blob/main/SECURITY.md#security-patch-policy
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,6 +6,25 @@ The Jaeger project provides community support only for last minor version: bug f
 
 Security fixes are given priority and might be enough to cause a new version to be released.
 
+### Security Patch Policy
+
+CVEs in Jaeger code will be patched in the newest Jaeger releases. 
+
+### Dependencies Lifecycle Policy
+
+Dependencies are evaluated before being introduced to ensure they:
+
+1) are actively maintained
+2) are maintained by trustworthy maintainers
+3) are licensed in a way not to impact the Jaeger license based on [the CNCF license allowlist](https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md).
+
+These evaluations vary from dependency to dependencies.
+
+Dependencies are also scheduled for removal if the project has been deprecated or if the project is no longer maintained. Additionally based on license changes we replace dependencies as necessary.
+
+CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed by Snyk to be
+of high or critical severity. Automation generates a new dependabot scan daily and alerts are addressed.
+
 ## Reporting a Vulnerability
 
 _The following is a copy of the [Report a security issue](https://www.jaegertracing.io/report-security-issue/) page from our website. The website's version has precedence in case of conflicts._

diff --git a/SELF-ASSESMENT.md b/SELF-ASSESMENT.md
@@ -0,0 +1,20 @@
+# Jaeger Self-Assessment
+
+This is a placeholder document for the Jaeger project self-assessment. More details of what this will turn into can be found in the [TAG-Security documented standards.](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md) 
+
+## Table of Contents
+
+* [Metadata](#metadata)
+  * [Security links](#security-links)
+* [Overview](#overview)
+  * [Actors](#actors)
+  * [Actions](#actions)
+  * [Background](#background)
+  * [Goals](#goals)
+  * [Non-goals](#non-goals)
+* [Self-assessment use](#self-assessment-use)
+* [Security functions and features](#security-functions-and-features)
+* [Project compliance](#project-compliance)
+* [Secure development practices](#secure-development-practices)
+* [Security issue resolution](#security-issue-resolution)
+* [Appendix](#appendix)## Table of Contents
diff --git a/THREAT-MODEL.md b/THREAT-MODEL.md
@@ -0,0 +1,3 @@
+# Jaeger Threat Model
+
+This is a placeholder for the Jaeger Threat Model. This will be based on [OSSF standards](https://github.com/ossf/security-insights-spec/tree/main/docs/threat-model) and examples of existing threat models. This is a significant chunk of work for Jaeger due to the diversity and complexity of all the supported components in deployment.