Privatebin: Setup automatic vulnerability, security and license scanning service as part of CI/CD

Created on 23 Aug 2019  路  6Comments  路  Source: PrivateBin/PrivateBin


Steps to reproduce

  1. Go to Privatebin.info
  2. No third party vulnerability, security nor license scanning badge available.

What happens

People who want to know about vulnerability, security or license report from third party would be disappointed.

What should happen

People who want to know about vulnerability, security or license report from third party should be able to click on the badge to see current and historical reports.

Additional information

Basic information


Server address:


Server OS:


Webserver:


Browser:


PrivateBin version:

I can reproduce this issue on https://privatebin.net: Yes / No

community discuss me question securitprivacy

Most helpful comment

That is something we already do:

See also: BADGES.md

We had them for a while now. Personally I like some of the Scrutnizer warnings reg. potential risks that we may introduce as well as what parts of the code objectively have "smells". StyleCI (not listed above, as I don't think they offer a dashboard) is handy to catch those pesky white space formatting mistakes I occasionally make.

Edit: Github now has some built in stuff as well, not sure if this is visible beyond maintainers, though:

Edit 2: Reg. licenses - at the moment the LICENSE.md is manually curated, which is still easy, as we don't depend on tons of things and it rarely changes.

All 6 comments

Willing to be the first donor.

We did have one, but it's from a very long time ago and we think we have addressed most of the issues, except the fundamental problem of the user having to trust the JS not getting manipulated. Hence the urge to run PrivateBin on HTTPS and the move to webcrypto API. As an aside, we did try to do a threat model as well, the conclusion are at the end.

Getting such an audit would be a realistic sponsoring goal. I had discussions with @rugk about sponsoring a while back and our concern at the time was that as soon as money is involved you need to have some organization to manage it (i.e. an association or foundation) a physical location this is at (at least have to pick a country) and someone needs to manage the money, even if it's just a few thousand USD, EUR or similar.

I personally would not necessarily be willing to handle this, as I myself have quite high transparency standards as soon as money is involved. Hence I rather pay for the hosting and domains of the project myself then having to deal with accounting.

Input would in any case be very welcome on this matter. I purely write the above as documentation of why this hasn't happened so far, but I am very open on suggestions on:

  • What organization could provide a trustworthy report?
  • What would such a report cost (roughly)?
  • What our goal is with such a report, i.e. should it be actionable, so we can fix the things listed or explore the limitations of this project, so we can clearly communicate what things don't work with it and can't be "fixed"?
  • How can we handle the money? Do we need to have some kind of organization for this?
  • What would the expectations on transparency reg. accounting be? Publish full accounting and book keeping? Just a line of "by date x, amount y was received in funding, amount z was spent on report"?

We can start from free tools such like this one:

https://bolt.whitesourcesoftware.com/github

and this one:

https://snyk.io/plans/

the integration doesn't seemed too complex to setup.

Regarding the other questions, I would like to suggest following:

  • A poll for most desired organization for the report.
  • Then get the quote from the organization.
  • From the transparency and compliance wise, we can then fix technical problems and procedural problems, e.g. setup https://github.com/apps/cla-bot to ask contributes to sign license and force commits to be signed and public keys transferred to key server.
  • Unfortunately I didn't think about this, maybe some external fundraising organization will handle this? Maybe they can directly pay for the auditing service? I agreed this could be a headache.
  • Another good point I didn't think of originally, sounds like a little beyond my capability, maybe we should wait and observe how other people do this.

Descope the sponsoring part as lacking man power and knowledge, focus on setup scanning and auditing as part of CI/CD.

That is something we already do:

See also: BADGES.md

We had them for a while now. Personally I like some of the Scrutnizer warnings reg. potential risks that we may introduce as well as what parts of the code objectively have "smells". StyleCI (not listed above, as I don't think they offer a dashboard) is handy to catch those pesky white space formatting mistakes I occasionally make.

Edit: Github now has some built in stuff as well, not sure if this is visible beyond maintainers, though:

Edit 2: Reg. licenses - at the moment the LICENSE.md is manually curated, which is still easy, as we don't depend on tons of things and it rarely changes.

I totally disagree with the original issue/"bug" description. We don't really need any "shiny badge". There is nothing that can prove this is vulnerability-free anyway, so this would give a wrong impression.
Let's not get into the same way as online shops put many useless "seals" on their website...

Any automatic security scan or so, however, could indeed be useful. But as pointed out by @elrido we already have not that few...

Was this page helpful?
0 / 5 - 0 ratings