Security Advisories Feature Requests & Improvements #12226
Replies: 11 comments 41 replies
-
Thanks for this feedback thread, @JLLeitschuh ! |
Beta Was this translation helpful? Give feedback.
-
Thank you for opening this. I notably agree that "User Story: As a repository maintainer with 'write' level permissions on a repository, I should be able to create a GHSA against my repository." is a major problem. In fact, the damn for Admin level permissions on a repository before being able to open a GHSA is a critical blocker towards effectively using the feature and severely limits the amount of people you can reasonably give this access to. Currently, GitHub has an all-or-nothing approach to the Security Advisories. This means that if you want multiple people to be able to open GHSA's, you must give them all Admin access to the repository. That's quite the extreme and technically introduces a security vulnerability by having to assign deep permissions to achieve something that ought to be very simple. It should indeed be moved to the "write" group, at the very least the "maintain" group, but ideally you can simply per repository/team assign the ability to open GHSA's without requiring further permissions. Moreover, there is the ability to assign "security managers" in organisations, but that role is again an all-or-nothing role. It demands that you give the user you assign this role to to get read access to ALL of the repositories; including those of other projects owned by the same organisation or other private repositories the user should not have access to. Currently, this all-or-nothing approach is far too aggressive and leads to an unworkable situation. |
Beta Was this translation helpful? Give feedback.
-
Hi @JLLeitschuh et al, First of all, really appreciate the feedback. For the last couple of quarters, we've been doubling down on user interviews, synthesis of feedback, and setting aside time to knock out UX issues large and small. In order to prioritize, we need every data point we can get, and this is an excellent and thoroughly written source of data. I'm going to walk through each of the issues I see voiced above one by one and let you know GitHub's game plan on each.
I see you've proposed a solution to this, but it feels like the real need you're voicing is resolving this problem: "Making contact with the maintainer can be one of most complex and annoying parts of vulnerability disclosure." If so, this is something we are working on addressing with some upcoming new features. User research and initial design are happening for that now.
This is an issue that's coming up in many of my user conversations and is something that requires change. I'm not committed to exactly what that change is at the moment, but I've got a process started for it and will be exploring many options.
This is definitely an interesting idea as we explore how to make our platform the primary place for researchers to operate. I'll document this ask so it's in our system.
@JLLeitschuh is the need on this one resolved by community contributions? In that case, you'd open a contribution for change, the maintainer is alerted if interested, and you can have an open back-and-forth on the PR about this issue. That said, it will change on the global advisory level instead of the repo-level, but that's the one most people view statistically. Let me know your thoughts on whether this one is partially or fully resolved.
This one I believe is resolve, at least at the global advisory level. If the advisory has changed at all (by our doing or a community contribution), you can click the link below the community contribution link to see all changes:
Creating a ticket to look into this one, feels like something we could fix. Thanks for raising, this was not on my radar.
This one is from @mkurz, I'll create an issue for this and circle back if there are problems with fixing it. That aligns with my expectation of that feature (as a new-ish PM here) as well! Thanks again to everyone for chiming in, please keep the feedback coming– it's how we grow. Kate Catin |
Beta Was this translation helpful? Give feedback.
-
Hi @KateCatlin, glad to see how active you and your team are among the GH community :). For instance:
Unfortunately, that's not true for Security Advisories. And IMO this is quite an important resource that should be easily monitored in multiple ways. Let's take the Nextcloud project as an example, they stop maintaining their own SA RSS-feed to switch to GHSA instead (https://github.com/nextcloud/security-advisories/security/advisories), but now I can no longer ingest these data into my scripts anymore. Everyday more and more open source project start using GHSA, which is great, but the risk is that security analysts may lose visibility on SA. I work in the security team of a widely used downstream Linux distribution, and being able to get these information in a non-human readable format is very important for us, RSS/Atom/Json would be a good fit. I'm sure many other users will benefit from this as well. |
Beta Was this translation helpful? Give feedback.
-
Hi, why my security advisory credit didn't update? It just showed 1 credit, but when I click-thru, it has 2 there. |
Beta Was this translation helpful? Give feedback.
-
Feature Requests: pull request created in the temporary private fork for the GHSA should still be visible after it is merged and published. We recently worked for the first time with the GHSA and there surprised that we could no longer view the merged and closed pull request created in the temporary private fork. |
Beta Was this translation helpful? Give feedback.
-
Feature Requests: optionally allow workflows to run in the private fork for the GHSA. Although probably a good idea to disable the workflows by default, it would be nice if one can still run the workflows if explicitly requested. The best thing would be if each job in a workflow could be independently marked as trusted to run in the the GHSA. |
Beta Was this translation helpful? Give feedback.
-
Feature Request: Be able to give more people access to all advisories in a repo.Right now only the org security team or repo admin can see all the security advisories on a repo. Either allow those with |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
The Asterisk team just did its first security release using Security Advisories back in December and it was neither fun nor pretty. The reasons have been mentioned before but let me give you a bit of history so you know why they're important. Asterisk has been around for 24 years so we've got lots of history, not just in terms of commits but also baggage. We moved our entire delivery pipeline from self hosted Gerrit/Jenkins to Github only this past May. We're currently maintaining 4 active release branches some of which receive new features but all of which receive bug fixes and security fixes (it's one of those "baggage" things we can't change). This means that a typical bug fix starts its life in the master branch and gets cherry-picked to release branches. Since Github doesn't have the ability to cherry-pick and we don't want to burden our contributors or staff with having to manage multiple PRs for the same change, we have workflows that pre-test a PR against all release branches by testing for a clean cherry-pick and running our over 600 test functional testsuite. When the PR is approved, it's merged into the master branch and automatically cherry-picked to the other branches. Can you tell where I'm going with this? :) OK so fast forward to mid-December. We had 4 security advisories, each with their own private fork, to go into 4 releases. Now bear in mind, our normal release process consists of filling out a workflow input form consisting of 1 string field for the new version and a few checkboxes. It took us all day to just get to the point where we could fill out that form. Why?...
Here's what we had to do...
In hindsight, we probably could have created 1 PR that had the 4 advisory commits in it instead of 1 PR for each commit but we didn't think of it at the time. What we're going to have to do going forward with the Security Advisory feature in its present state....
Not fun. |
Beta Was this translation helpful? Give feedback.
-
I've been working with GHSA since the feature was originally released. I've attempted to capture the collection of issues and features I've had over the past several years with GitHub Security Advisories (GHSA):
User Context: I'm primarily using GHSA as a security researcher, however, I've also been on the receiving end of reports (when I worked for Gradle). As such, my perspective more heavily comes from that of the party attempting to report security vulnerabilities, less the party on the receiving end, but I do have both perspectives.
Note to viewers outside of GitHub or GitHub Stars the slack links point to internal slack conversations with the GitHub Stars slack channel and aren't viewable by the public.
'User Pain Priority' is purely subjective based upon my own experience using GHSA. More stars, more painfully needed feature.
Preamble
Vulnerability handling does not end with disclosure. Vulnerabilities evolve after disclosure. They sometimes get worse. New information is discovered about the vulnerability. Threat actors begin abusing these vulnerabilities. This point plays into several of the feature requests below, so I figured that I'd open with this.
Feature Requests
Allow Security Researchers to Open GHSA without Requiring a Maintainer to be Involved
User Story: As a security researcher, I'd like to be able to open a GHSA against any OSS GitHub repository, without needing the maintainers to open the GHSA for me.
User Pain Priority: ⭐ ⭐ ⭐ ⭐ ⭐
Making contact with the maintainer can be one of most complex and annoying parts of vulnerability disclosure. As a security researcher, I've been begging for this feature since GHSA was released.
I understand that there's an argument about attempting to limit maintainer spam. The GitHub team doesn't want to create a private, potentially, information-restricted channel where maintainer harassment can be conducted. These concerns could be potentially mitigated by creating a list of known & trusted security researchers that have the permission to take advantage of this feature.
Allow Repository privileges below "Admin" to open GHSA
User Story: As a repository maintainer with 'write' level permissions on a repository, I should be able to create a GHSA against my repository.
User Pain Priority: ⭐ ⭐
According to the docs you still need to have the 'Admin' level permissions to create a GHSA against a repository.
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory
IMHO, this permission is way too high. Having worked for a company that likes to keep the number of accounts with 'Admin' level permissions rather light (as it should be for a good security posture), requiring the 'Admin' permission level for simply creating a GHSA seems like a high bar to clear.
I'd argue that the permission of 'Write' should be enough to grant the permission to open a GHSA. If you have the permission to merge a PR, you should be able to open a GHSA and kick off a discussion with a researcher or your team about a sensitive vulnerability easily.
Discoverability of an individual GH users open/disclosed/closed GHSA
User Story: As a GitHub User who has been a part of several GHSA (either as a reporter or as a maintainer), I should be able to easily discover these GHSA across all organizations and repositories in a single GitHub UI.
User Pain Priority: ⭐ ⭐ ⭐ ⭐
As a security researcher, or maintainer, who has been involved with several GitHub Security Advisories, there is no way to "discover" these advisories in a simplified list or search via the GitHub API. User interfaces already exist for finding all open/closed issues and pull requests, however the same does not exist for GitHub Security Advisories.
This can make it easy to lose open/in-progress GitHub Security Advisories. The only way to reliably make these advisories 'pop' to the users attention is via the notification feed, either finding the advisory in your feed, or by sending a message so others are reminded about the GHSA.
Personally, I use a hacky notification search to keep track of all my GitHub Security Advisories, but this is imperfect and doesn't contain advisories for notifications (idk why some are missing but they are):
is:repository-advisory is:done is:read is:unread
A user interface to find all of the existing GitHub Security Advisories your user account has been a part of (ie. open/closed/disclosed) is sorely needed by the security research community.
Slack Conversation: https://github-partners.slack.com/archives/C01MF7QQK3P/p1614987770032300?thread_ts=1614987743.032200&cid=C01MF7QQK3P
GHSA Comments are Locked for EVERYONE After Disclosure
User Story: As a maintainer or reporter, I should be able to continue a discussion about a vulnerability after it has been published.
User Pain Priority: ⭐ ⭐ ⭐
See above note about 'vulnerability handling does not end with disclosure'.
When a GHSA is disclosed, no further discussion can happen on that GHSA amongst the maintainers/reporters. The rationale behind this has never been fully communicated to me, and it's baffling that this hasn't been fixed.
If GHSA truly want to be the location where maintainers disclose vulnerabilities, they should also be the way that the maintainers can keep their users updated as new information is disclosed about these vulnerabilities.
Keeping a dialogue/conversation channel open with the researcher through this is important. Sometimes the researcher finds new information that needs to be shared privately.
Currently, because GHSA are locked, to achieve this, the researcher must re-engage with the maintainers again instead of using the existing communication channel that had already existed prior to disclosure. From experience, this has been a cause for severe annoyance on my behalf as getting in touch with the maintainers via a secure channel is sometimes a significant amount of work. Having to spend this time again, is very annoying.
Ideally, additional comments should support the ability to either be private (exclusively to the the GHSA Collaborators & Publishers), or to make these additional comments public.
Slack Discussion: https://github-partners.slack.com/archives/C013VPD24BW/p1611951569123500
Discussion/Comment Support on GHSA
User Story: As a GitHub user, a GHSA should also allow me to comment on the GHSA to provide new/updated information or ask questions/clarification about the vulnerability.
User Pain Priority: ⭐ ⭐
See above note about 'vulnerability handling does not end with disclosure'.
New information about vulnerabilities can come from a variety of sources. Additionally, the discussion around a vulnerability can evolve and potentially uncover additional details or impacted conditions that were not originally understood by group fixing/disclosing the vulnerability.
A perfect example of this came regarding my disclosure of a vulnerability in Google Guava. When performing the initial disclosure, we assumed that the vulnerability only impacted unix like systems, but then the community brought it to our attention that the ramifications of the vulnerability could also adversely impact the Android ecosystem. This lead to a bunch of research by the community to capture this information and further refine the advice provided.
Google Guava Disclosure Issue Thread: google/guava#4011
Slack Discussion: https://github-partners.slack.com/archives/C013VPD24BW/p1611951569123500
GHSA Should Display Change History
User Story: As a visitor to the GitHub site looking at a GHSA, I should be able to easily see the edit history on that GHSA.
User Pain Priority: ⭐
As stated above, after a vulnerability is disclosed, it may evolve. New information may need to be communicated about the vulnerability.
ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure states the following:
GitHub is fundamentally built on Git and diffs are commonly rendered in places like the wiki's and even issue comments (you can view edit history). This history should also be viewable on advisories as well. Being able to see how an advisory has changed over time, with new information being disclosed is valuable to the defender community.
Additionally, the ability to subscribe to information changes on a GHSA could be very valuable as well.
Slack Discussion
Display Inline Code Blocks Consistently across GHSA
User Story: As a visitor to the GitHub site looking at a GHSA, I should be able to see inline code blocks no matter what variant of the GHSA I am viewing (ie. advisory feed, from repository, or from external repository referencing another repository).
User Pain Priority: ⭐ ⭐ ⭐
These two GHSA are from the same source but render differently:
Additionally, when GHSA are cross referencing another repository, the inline-code blocks don't render (for example):
Inline code block links should all render the same across GHSA publication locations.
Slack Discussion: https://github-partners.slack.com/archives/C013VPD24BW/p1642787947206400
Beta Was this translation helpful? Give feedback.
All reactions