CloudEvents Project Security Self-Assessment - Security Pals

assessments/projects/cloudevents/CE-maintainers-communications.md

@@ -0,0 +1,213 @@
+# Communications with CloudEvents Maintainers
+
+## Slack Communications
+
+* **Security Pals Involved:**
+  * Igor Rodrigues (Igor Rodrigues)
+* **CloudEvents Team Members Involved:**
+  * Doug Davis (dug)
+
+### Slack Report
+
+#### Igor Rodrigues (Nov 29th at 4:29:13 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701293353624819)
+
+Hello all, I'm a student at NYU involved in the SecurityPal effort from TAG
+Security. Our group is conducting a security assessment on CloudEvents, which we
+will later submit to the [TAG Security Assessments
+Repository](https://github.com/cncf/tag-security/tree/main). We have completed
+an [initial
+evaluation](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md)
+of the project and would appreciate your feedback to validate the information we
+included. We also want to know if there are additional aspects we should include
+in the assessment to correctly represent your project, along with more details
+for sections like [security issue
+resolution](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#security-issue-resolution)
+and [secure development
+practices](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#secure-development-practices).
+Please, feel free to share your thoughts here on Slack, on GitHub, or on a call.
+Thank you!
+
+#### Dug (Nov 29th at 8:02:04 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701306124114029?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Hi @Igor Rodrigues - will take a look. Just curious though, what made you decide
+to analyze CloudEvents?
+
+#### Igor Rodrigues (Nov 29th at 8:36:26 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701308186825319?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Hi @dug, thank you. The assessment is one of our assignments for a class we are
+taking with Professor Justin Cappos. Each group was assigned to a CNCF project,
+and ours was CloudEvents. The project is interesting, so we are trying to do a
+bit more than expected. I hope the assessment helps in the future.
+
+#### Dug (Nov 30th at 10:24:13 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701357853677559?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+@Igor Rodrigues thanks. Just a few comments from my quick scan:
+
+* Where do you see ANTRL being used? I'm surprised you didn't include markdown
+  in the list despite it not being a "programming language", being a "spec"
+  markdown is kind of our "language" :slightly_smiling_face:
+* `CloudEvents was developed to address the lack of uniformity in event data
+  format...` be a bit careful here. While CE does provide a "structured" format,
+  that's just there are times when people want the event data and context
+  attributes in one doc. In general though CE is NOT trying to define "yet
+  another common event format (one format to rule them all)". In particular,
+  many people use/prefer "binary" format because it just augments their existing
+  events. And even with "structured", the stuff that does into the `data`
+  attribute is wide open - and should be defined by the business. I just don't
+  want people to think we're making the same mistake as other folks who tried to
+  force one format for all events. Rather CE is about standardizing "where to
+  find common metadata about the event w/o having to parse/understand the event
+  specific format".
+* Nit: in "Protocol Binding" section it mentions `structured-mode` but hasn't
+  defined that term yet. You may want to define binary vs structured CEs in the
+  doc before this section.
+* Not sure what the "trust boundary" is meant to represent in the diagram since
+  "trust" is kind of orthogonal to the roles.
+* Goals: may want to tweak some of those based on my comments above. Plus, some
+  of those aren't really goals for CE since CE doesn't control them. For
+  example, "generate events before consumers are listening" - a good idea, but
+  CE doesn't really talk about those in the spec itself. CE is just about the
+  format and how they might appear on the transports. With a few exceptions, it
+  doesn't get into the protocols themselves or event
+  management/subscriptions.....
+* CE is under review for Graduation status right now... hopefully will be
+  approved very soon
+* CE doesn't really describe any encryption mechanism or deal with integrity -
+  the text you wrote kind of implies CE addresses it. Perhaps say something like
+  it's an implementation detail/choice??
+* Ecosystem - might be good to link to the [cloudevents.io](cloudevents.io) site
+  which includes a list of adopters.
+* The "Security issue resolution" section reads like an SDK specific section -
+  perhaps "SDK" should appear in the title to make it clear that the following
+  sections apply to the SDK repos and not the spec repo?
+* There's also a new security mailing list people should use to report security
+  concerns: https://lists.cncf.io/g/cncf-cloudevents-security/topics
+* There is no "CloudEvents Steering Committee" that's mentioned in the Threat
+  Modelling section (typo in Modelling)
+* It might be good to mention that (I think) all of the security issues found by
+  Trail of Bits have been addressed
+
+#### Igor Rodrigues (Nov 30th at 11:58:51 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701363531073659?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Hi @dug, Thank you for all the comments! For ANTLR, GitHub marked it as 14.1% of
+the [CloudEvents spec](https://github.com/cloudevents/spec), so that's why I
+added it to the assessment, but I may remove it if it's not very relevant. I'll
+also definitely add Markdown, thanks for noticing that. We'll review the doc,
+update it with your comments and tell you about the changes. Thank you again!
+
+#### Igor Rodrigues (Dec 4th at 11:15:26 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701706526314599?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Hi @dug, we fixed the comments you provided on the [security
+assessment](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md),
+along with the comments from the meeting. Here are the [new
+changes](https://github.com/cncf/tag-security/commit/e75e0e0a908ffa462c7923fad6e6e201b5feaef0#diff-086780f8339d58b8abcf32f9cf930f8b11ebf1889ee3e36c4eeaede7dc21a7b7)
+since then. Please, let me know if there are more parts we could improve. Also,
+I wanted to CloudEvents have a public SBOM that we could link, and if you think
+there are more aspects we could add to the specification side of the [Security
+Issue
+resolution](https://github.com/Igor8mr/tag-security/blob/main/assessments/projects/cloud-events/self-assessment.md#cloudevents-specification).
+Thank you for all the help!
+
+#### Dug (Dec 4th at 11:36:23 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701707783421699?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+The closest thing we have to a SBOM is:
+https://github.com/cloudevents/spec#cloudevents-documents Thanks for the update.
+Will look it over in a bit.
+
+#### Igor Rodrigues (Dec 4th at 11:44:52 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701708292972649?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Great, thanks!
+
+#### Dug (Dec 4th at 12:08:22 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701709702994029?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+I put just a few minor tweaks as comments on the commit.
+
+#### Igor Rodrigues (Dec 4th at 12:28:53 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701710933601919?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Thanks, I'll fix those soon
+
+#### Igor Rodrigues (Dec 5th at 8:05:09 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701781509377939?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Hi @dug, I forgot to ask this before, but are there any action items you are
+currently working on or plan to work on that would solve the concerns mentioned
+in the doc or other security concerns? I think it would be good to include those
+in the assessment. I remember you mentioned implementing bots to check the SDKs,
+do you have a pull request, issue, or any other link to the implementation of
+the bots idea? Also, we are willing to help implement one of those solutions to
+the concerns if you have some specific things in mind.
+
+#### Dug (Dec 5th at 11:57:30 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701795450643219?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+@Igor Rodrigues just this one: https://github.com/cloudevents/spec/issues/1235
+
+#### Dug (Dec 5th at 11:58:19 AM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701795499076589?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+If someone knows how to setup the bots and wants to submit a PR to add them...
+that would be great! Or even just a list of instructions for an admin to follow
+(if it's more than just a PR) that would be great too.
+
+#### Igor Rodrigues (Dec 5th at 12:12:57 PM)
+
+* [Message
+  Link](https://cloud-native.slack.com/archives/C9DB5ABAA/p1701796377013619?thread_ts=1701293353.624819&cid=C9DB5ABAA)
+
+Great, thanks! We are taking a look here
+
+## CloudEvents Team Meeting
+
+* **Security Pals Involved:**
+  * Igor Rodrigues
+* **CloudEvents Team Members Involved:**
+  * Doug Davis
+  * Tommy
+  * Erik
+  * David B
+  * Jon
+  * Calum
+  * Jem
+  * Clemens
+
+### Team Meeting Report
+
+The team joined the CloudEvents public team meeting on November 30th, 2023,
+which was [recorded on
+YouTube](https://www.youtube.com/watch?v=2OZPTQOqFEw&t=191s).

assessments/projects/cloudevents/files/CloudEvents SBOM.spdx

@@ -0,0 +1,174 @@
+SPDXVersion: SPDX-2.3
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: github.com/Igor8mr/spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+DocumentNamespace: https://s3.us-east-1.amazonaws.com/blob.fossa.io/FOSSA_BOMS/git%2Bgithub.com%2FIgor8mr%2Fspec%24130ba0d183f5e45c1d141f5c1f272cf71d898623
+Creator: Organization: NYU Igor
+Creator: Tool: FOSSA v0.12.0
+Created: 2023-11-28T08:10:45Z
+LicenseListVersion: 3.18
+DocumentDescribes: SPDXRef-pip-aiohttp-3.9.1
+DocumentDescribes: SPDXRef-pip-bs4-0.0.1
+DocumentDescribes: SPDXRef-pip-Markdown-3.5.1
+DocumentDescribes: SPDXRef-pip-pymdown-extensions-10.5
+DocumentDescribes: SPDXRef-pip-pytest-asyncio-0.21.1
+DocumentDescribes: SPDXRef-pip-tenacity-8.2.3
+DocumentDescribes: SPDXRef-pip-tqdm-4.66.1
+
+#### Packages
+
+PackageName: spec
+SPDXID: SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+PackageVersion: 130ba0d183f5e45c1d141f5c1f272cf71d898623
+FilesAnalyzed: true
+PackageOriginator: Organization: Git
+PackageLicenseDeclared: Apache-2.0
+PackageCopyrightText: 2021 The CloudEvents Authors.
+PackageDownloadLocation: NOASSERTION
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:github/Igor8mr/spec@130ba0d183f5e45c1d141f5c1f272cf71d898623
+PackageChecksum: MD5: edde7edecb511530e340a6758e68469f
+PackageChecksum: SHA1: 68b11edf18e3ee4aefb010d0039b46678279cc35
+PackageChecksum: SHA256: ede64337447df771e0cca0261121bf4fb2f3fe9c1b48f2c74b75907bf9c6ef8f
+
+
+PackageName: aiohttp
+SPDXID: SPDXRef-pip-aiohttp-3.9.1
+PackageVersion: 3.9.1
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: Apache-2.0
+PackageCopyrightText: aio-libs contributors.
+	 aio-libs contributors.
+PackageLicenseInfoFromFiles: MIT
+PackageDownloadLocation: https://files.pythonhosted.org/packages/54/07/9467d3f8dae29b14f423b414d9e67512a76743c5bb7686fb05fe10c9cc3e/aiohttp-3.9.1.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: a678b74da295fad8bc65e76ef882028d
+PackageChecksum: SHA1: 077a26885ada5fa78bd540d61ad96d7b25ff2f14
+PackageChecksum: SHA256: 60b3a90c477906cef6846cc60499bf25a5fb725b3966958bdcfc30681fefbe46
+
+
+PackageName: bs4
+SPDXID: SPDXRef-pip-bs4-0.0.1
+PackageVersion: 0.0.1
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: MIT
+PackageCopyrightText: NONE
+PackageDownloadLocation: https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: 0cf3b06d60f6de4e489ac9eaaf606e15
+PackageChecksum: SHA1: cb7eeca557338c2e6f83ded115730edb0358b5c5
+PackageChecksum: SHA256: f5238cfb5026c9846b4bbca72e3d1af0c98e750fe9c9fe610c7e1827dbd4cd8f
+
+
+PackageName: Markdown
+SPDXID: SPDXRef-pip-Markdown-3.5.1
+PackageVersion: 3.5.1
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: BSD-3-Clause
+PackageCopyrightText: 2007, 2008 The Python Markdown Project (v. 1.7 and later)
+	2004, 2005, 2006 Yuri Takhteyev (v. 0.2-1.6b)
+	2004 Manfred Stienstra (the original version)
+PackageLicenseInfoFromFiles: ietf-trust BSD-2-Clause PIL
+PackageDownloadLocation: https://files.pythonhosted.org/packages/35/14/1ec9742e151f3b06a723a20d9af7201a389ebd3aae8b7d93b521819489dc/Markdown-3.5.1.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: 17521d1c48bec050461c9749648eb02e
+PackageChecksum: SHA1: 93ef9f0f2d38bb6a2e67b2e6b6928d8c6f3fd739
+PackageChecksum: SHA256: b33293b09516ec07f4f82388c82dc4101e2af4b0308d104a00a40c212dfda492
+
+
+PackageName: pymdown-extensions
+SPDXID: SPDXRef-pip-pymdown-extensions-10.5
+PackageVersion: 10.5
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: MIT
+PackageCopyrightText: 2014 - 2023 Isaac Muse
+	2007-2008 Waylan Limberg](http://achinghead.com/).
+	2008-2014 The Python Markdown Project
+	2006-2008 Waylan Limberg](http://achinghead.com/).
+	2013 GitHub, Inc.
+PackageDownloadLocation: https://files.pythonhosted.org/packages/fd/fe/a3f51f84844e7a493884dbd5d70775fc83e26e414234c212fb342d65a079/pymdown_extensions-10.5.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: 5307ac49eccdfedc0500e861454c1807
+PackageChecksum: SHA1: 999e7fc85d2be0e34e2f29306aae79aeaa77fd1d
+PackageChecksum: SHA256: f9bf4664db12301525699019a1325132b48e7f606d2cf85c9a10867addff5780
+
+
+PackageName: pytest-asyncio
+SPDXID: SPDXRef-pip-pytest-asyncio-0.21.1
+PackageVersion: 0.21.1
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: Apache-2.0
+PackageCopyrightText: NONE
+PackageDownloadLocation: https://files.pythonhosted.org/packages/5a/85/d39ef5f69d5597a206f213ce387bcdfa47922423875829f7a98a87d33281/pytest-asyncio-0.21.1.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: b7a6b994b519756e167eb060f7b9c215
+PackageChecksum: SHA1: 4bd2b79d5335f9edc9d651223b371b8676e5027d
+PackageChecksum: SHA256: 9ed0689af4d77ce1a842e557a08346827c6f8e91432322568ef8e4d6454b2293
+
+
+PackageName: tenacity
+SPDXID: SPDXRef-pip-tenacity-8.2.3
+PackageVersion: 8.2.3
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: Apache-2.0
+PackageCopyrightText: 2016 Étienne Bersac
+PackageDownloadLocation: https://files.pythonhosted.org/packages/89/3c/253e1627262373784bf9355db9d6f20d2d8831d79f91e9cca48050cddcc2/tenacity-8.2.3.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: 997f8584a7fc7a2fac8129e5b7b38660
+PackageChecksum: SHA1: 04832f7674ec9b765f5b5fa6eedd7dcc0e66fe33
+PackageChecksum: SHA256: fa1582aa8ae5ba5e44f54ccc7de63a8be0593a8d3f77aa8966785f4bfb75b7f7
+
+
+PackageName: tqdm
+SPDXID: SPDXRef-pip-tqdm-4.66.1
+PackageVersion: 4.66.1
+FilesAnalyzed: true
+PackageOriginator: Organization: Pip
+PackageLicenseDeclared: MPL-2.0 OR MIT
+PackageCopyrightText: 2013 noamraph
+PackageDownloadLocation: https://files.pythonhosted.org/packages/62/06/d5604a70d160f6a6ca5fd2ba25597c24abd5c5ca5f437263d177ac242308/tqdm-4.66.1.tar.gz
+PackageLicenseConcluded: NOASSERTION
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+PackageChecksum: MD5: 7948f65ba4a5924756d4b0f96ffbd2ac
+PackageChecksum: SHA1: 8927f903a643ea9c15d2d1df91147d05f8f8f4b6
+PackageChecksum: SHA256: cc06ac41d0dca3fdd457918b98daabfb98ca4d37a5e875dbea3701c31ffc892e
+
+
+
+#### Relationships
+
+SPDXRef-DOCUMENT DESCRIBES SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-aiohttp-3.9.1
+SPDXRef-pip-aiohttp-3.9.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-bs4-0.0.1
+SPDXRef-pip-bs4-0.0.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-Markdown-3.5.1
+SPDXRef-pip-Markdown-3.5.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-pymdown-extensions-10.5
+SPDXRef-pip-pymdown-extensions-10.5 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-pytest-asyncio-0.21.1
+SPDXRef-pip-pytest-asyncio-0.21.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-tenacity-8.2.3
+SPDXRef-pip-tenacity-8.2.3 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623 DEPENDS_ON SPDXRef-pip-tqdm-4.66.1
+SPDXRef-pip-tqdm-4.66.1 DEPENDENCY_OF SPDXRef-git-github.com-Igor8mr-spec-130ba0d183f5e45c1d141f5c1f272cf71d898623
+
+
+
+<!--FOSSA: Do not touch content below. -->
+
+<!--FOSSA: ==depsig=e38d396f2e3aed59b748f3806a15a63c8516b83377bd61fe06f3f81418432248== -->
+
+