How can the OpenTelemetry Community ensure that a future OpenTelemetry release version does not have vulnerabilities? #27013
Comments
@open-telemetry/sig-security-maintainers is working on providing guidance across the whole project. I can confirm we use Dependabot for vulnerability scanning and frequently update our dependencies. We can't ensure that a release won't have vulnerabilities, since these may be flagged after a release has happened, but we aim to do a release patching known vulnerabilities within 30 days of their release (see here for more details).
Closing, as I think @mx-psi provided enough information. One thing I would add is that we do not provide any SLAs, despite our goodwill to fix issues in a timely fashion.
Hi @jpkrohling and @mx-psi, can we make the assumption that OpenTelemetry is still under very active development, so that it has a high chance of having CVEs in the next one or more years? Thank you. Best Regards,
Hey @ericashi, it's common for any product, even mature ones, to have security vulnerabilities. It's almost impossible to write a program with no vulnerabilities, especially as bugs in dependencies or runtimes are often identified after releases have occurred. A couple of examples of widely used products with recent CVEs:

The important thing is that the proper response processes are in place and that the vulnerabilities are addressed promptly. The community takes security vulnerability notifications very seriously, and maintainers typically respond quickly upon incident notification.

From a tooling perspective, we use Dependabot / Renovate for dependency updating, the GitHub Security Advisory Database for notification and external bug identification, and the GitHub CVE scoring process. The SIG Security group is currently working on unifying community processes and improving our tooling even further to provide a similar level of disclosure and documentation as Kubernetes.

If you have any concerns, feedback, or suggestions, feel free to join a SIG meeting every Wednesday at 8:30 am PST or in the #otel-sig-security channel. Our priority is the security of our users, the dependability of our processes / tooling, and maintaining user trust. Companies like VMware, Microsoft, F5, Amazon, Apple, eBay, GitHub, etc. have chosen OpenTelemetry as their observability direction and rely on our community components, especially the Collector. But ultimately, it's what your organization is comfortable with! I hope this helps a bit 😎
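The comments above describe the tooling side of the answer (Dependabot / Renovate for dependency updates, the GitHub Advisory Database for notification) without showing what that looks like in a repository. The following is an added, illustrative `.github/dependabot.yml` for a Go project with GitHub Actions workflows; it is not the OpenTelemetry project's own configuration, and the directory layout, schedule, labels and group names are assumptions for the example. It shows the distinction a practitioner asking this question should understand: version updates (scheduled, configured in this file) versus security updates (triggered by advisories in the GitHub Advisory Database, enabled in the repository's security settings rather than in this file).

```yaml
# .github/dependabot.yml (illustrative example, not the project's actual file)
# Dependabot *version updates*: open PRs on a schedule whenever a newer
# dependency version exists, regardless of whether an advisory is involved.
# Dependabot *security updates* are a separate feature: they are enabled in
# the repository's "Code security" settings and fire when a dependency in the
# lockfile/go.sum matches an entry in the GitHub Advisory Database. Both
# kinds of PR carry the same "dependencies" label below so they can be
# triaged together before a release.
version: 2
updates:
  # Go module dependencies (the Collector is written in Go). Directory is
  # assumed to be the repository root; multi-module repos need one entry
  # per module directory.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Group non-security version bumps into one PR to keep review load down;
    # security updates are still opened individually so they are not hidden
    # inside a large batch (group names are assumptions for this example).
    groups:
      go-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # GitHub Actions used by CI/release workflows are a supply-chain surface
  # too: a compromised action runs with the workflow's token. Pinning and
  # updating them through Dependabot keeps that surface reviewed as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

The practical caveat this illustrates is the one @mx-psi and the reply above make: none of this can guarantee a release is vulnerability-free, because an advisory for a module already in `go.sum` can be published the day after the tag is cut. What the configuration buys is that the PR fixing it appears automatically, so the "patch within 30 days" goal is a matter of merging and re-releasing rather than of first discovering the problem.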
Component(s)
No response
Describe the issue you're reporting
Hi,
How can the OpenTelemetry Community ensure that a future OpenTelemetry release version does not have vulnerabilities?
The reason is that our company will have concerns about taking version releases that have vulnerabilities.
For instance, will the OpenTelemetry Community do a vulnerability check or scan (e.g. using Dependabot from GitHub) prior to a release, and not release if there are vulnerabilities?
Thank you.
Best Regards,
Erica Ooi