From 63b32a911a22d4dc719bd2e6c0279a2eab06e07d Mon Sep 17 00:00:00 2001 From: gehoern Date: Wed, 22 May 2024 10:19:39 +0200 Subject: [PATCH 1/7] initial user stories --- docs/user-stories.md | 91 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 docs/user-stories.md diff --git a/docs/user-stories.md b/docs/user-stories.md new file mode 100644 index 0000000..a0ca9fb --- /dev/null +++ b/docs/user-stories.md 
@@ -0,0 +1,91 @@ +## #1 Base layer CVE monitoring +**As a** Product Owner of a team using Gardenlinux (OS / Base image) +**I want** to register a certain version of Gardenlinux (or all packages used out of the Gardenlinux subscription), +**So that** I want be informed if a CVE in my base layer is raised over time or already exists. +### Acceptance Criteria +- [ ] The user can register an installed version (either via the version like 1443.3 or a list of packages) of Gardenlinux on the GLVD page +- [ ] The registration page contains fields like "version of Gardenlinux" or "list of Gardenlinux packages" and a way to contact the user for "email" or "id for anonymous subscription" +- [ ] The user receives / is able to see a list of current CVE's in the registered Gardenlinux version / packages +### Additional Details +**Description:** +The registration page should be accessible via a webpage. The fields for +- "version of Gardenlinux" should allow a registration for any valid version of Gardenlinux (Notes). +- "list of Gardenlinux packages" should allow to upload a list similar to our manifest list with the columns "packages name" "version". +- "email" should allow to enter a valid email address to receive notifications are the same output as the URL (Notes "output list") +- "id for anonymous subscription" is actually not an input field but URL containing a UUID for the requested list of packages to subscribe for. If I open the URL I want to see a "output list" as described in Notes. + +Once registered per email I want to get once per day an email about my CVE's if the information changes. +If I have only an URL with an "if for anonymous subscription" I want to get realtime informations whenever I open the page. The page should not be precomputed to safe resources and might be throttled to avoid denial of service if called to often. 
+ +**Notes:** +- a valid version of Gardenlinux is any version that we have a manifest list of packages contained +- "output list" contains for any package I subscribed for with "list of Gardenlinux packages" or contained in my "version of Gardenlinux" with their corresponding CVEs and the date of first occurrence. e.g. + "bind9 CVE-2013-12234 240522" +- notification emails need to contain an "unsubscribe" button so we can stop to inform recipients permanently + +## #2 developer tests +**As a** a developer using a Gardenlinux base layer (OS / Container) +**I want** to know when I add a certain package so my selection what impact it has +**So that** I can see current CVE's introduced by adding the package +### Acceptance Criteria +- [ ] I want to use the webpage of GLVD to test for a single package and its introduced CVE's +- [ ] The state of a package shows a current state and clearly differentiate between current and historical CVE so I have an impression how much exposure this package has. +### Additional Details +**Description:** +This is probably the most simple call against the GLVD service and just provides for a single package state. + +## #3 gardener user / hyperscaler user +**As a** Gardener user (or user of a bigger hyperscaler) +**I want** to subscribe for a certain fixed version +**So that** I will get informed when this version updates or new CVE's occurring +### Acceptance Criteria +- [ ] subscription for a version works over the default name like 1443. +- [ ] If a minor version (like 1443.1) is included I want to get informations about CVE's added to that version. (see user story #1) +- [ ] If no minor version is supported (and therefore no package lists!) I want to get information about updates to that version +- [ ] I get a message when ever a new minor version or a new stable version is available. +### Additional Details +**Description:** +The important point in this story is, we have a special information format for new versions. e.g. 
1443 new hotfix version 1443.5. This information should show what CVE's are closes and should also have a list of open CVE's in older versions. +So updates will be send out either there is a new CVE in a version or a new version closes one or more CVE's. + +**Notes:** +- as new version a new minor is considered e.g. 1443.5 but also historical versions like 1443.1 or 1443.2 etc must be listed since it was only subscribed for 1443 +- also follow on major versions should be listed. e.g. 1312 has a new stable successor 1443. Not all minor versions of the successor must be mentioned but a list of CVE's closed (so if there is a new minor of the successor there will be also some information on the old version since there is a new list of closed CVE's) +- older version are fully ignored ... it is only the subscribed version or newer +**Dependencies:** +- User Story #1 + +## #4 CLI +**As a** User of Gardenlinux +**I want** to have a simple CLI tool for API functions +**So that** I can use the GLVD functions from command line without a web browser +### Acceptance Criteria +- [ ] single package test (User Story #2) is integrated in apt installations. e.g. I install packages X and add therefore (output of apt) the following CVE's +- [ ] base layer monitoring (User Story #1) can be used anonymously by getting a URL based on my installed package list and the output can be shown everytime I login via motd. e.g. following open CVE's are know (...) + +### Additional Details +**Description:** +It is just a command line wrapper towards the functionality GLVD is providing. No subscription via email is mandatory (but possible so it is easy to script) + +**Notes:** +- based only on package lists since the version might be a valid entry point but since this will be command line based it will be very likely more modifications to the system are expected. 
No complicated convert back to the installed version should be implemented +- +**Dependencies:** +- User Story #1 +- User Story #2 + +## OCM +**As a** OCM tool +**I want** want to subscribe for CVE's of a certain Gardenlinux version +**So that** I can update my security relevant information based on the version of this product +### Acceptance Criteria +- [ ] the OCM tool creates a list of open CVE's for a certain version (like in User Story #1) and uploads it in the expected format to related OCM documents +- [ ] the check is either done once a day (User Story #1) or every time a new Gardenlinux version is released (part of the release process) +### Additional Details +**Description:** +Should be completely integrated in the release process (github) of Gardenlinux. And needs to contain the data expected by OCM. +**Notes:** +- the process is completely automated and should not rely on email subscription +**Dependencies:** +- User Story #1 + From 024a2d70a5583f15bef36a5b2bcdd8909af5ec38 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <2292245+fwilhe@users.noreply.github.com> Date: Tue, 11 Jun 2024 15:00:48 +0200 Subject: [PATCH 2/7] Update user-stories.md --- docs/user-stories.md | 184 ++++++++++++++++++++++--------------------- 1 file changed, 94 insertions(+), 90 deletions(-) diff --git a/docs/user-stories.md b/docs/user-stories.md index a0ca9fb..90ab6a8 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md 
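Review bot: on patch 1/7, the anonymous-subscription design makes the UUID in the URL the only thing protecting a subscriber's package list, so the story should state that it is generated unpredictably (random UUIDv4, never sequential) and that "might be throttled to avoid denial of service if called to often" is a hard acceptance criterion rather than an optional note, since the page is computed live on every request. Wording fixes before merging: "I want be informed" should read "I want to be informed", "to safe resources" should read "to save resources", "if for anonymous subscription" should read "id for anonymous subscription", "what CVE's are closes" should read "which CVEs are closed", "updates will be send out" should read "updates will be sent out", "**I want** want to subscribe" doubles "want", and the last story heading "## OCM" is the only one without a number (#5). In the output example "bind9 CVE-2013-12234 240522" the date field is ambiguous; an ISO date such as 2024-05-22 would be clearer, and the CVE id should be marked as illustrative.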
@@ -1,91 +1,95 @@ -## #1 Base layer CVE monitoring -**As a** Product Owner of a team using Gardenlinux (OS / Base image) -**I want** to register a certain version of Gardenlinux (or all packages used out of the Gardenlinux subscription), -**So that** I want be informed if a CVE in my base layer is raised over time or already exists. -### Acceptance Criteria -- [ ] The user can register an installed version (either via the version like 1443.3 or a list of packages) of Gardenlinux on the GLVD page -- [ ] The registration page contains fields like "version of Gardenlinux" or "list of Gardenlinux packages" and a way to contact the user for "email" or "id for anonymous subscription" -- [ ] The user receives / is able to see a list of current CVE's in the registered Gardenlinux version / packages -### Additional Details -**Description:** -The registration page should be accessible via a webpage. The fields for -- "version of Gardenlinux" should allow a registration for any valid version of Gardenlinux (Notes). -- "list of Gardenlinux packages" should allow to upload a list similar to our manifest list with the columns "packages name" "version". -- "email" should allow to enter a valid email address to receive notifications are the same output as the URL (Notes "output list") -- "id for anonymous subscription" is actually not an input field but URL containing a UUID for the requested list of packages to subscribe for. If I open the URL I want to see a "output list" as described in Notes. - -Once registered per email I want to get once per day an email about my CVE's if the information changes. -If I have only an URL with an "if for anonymous subscription" I want to get realtime informations whenever I open the page. The page should not be precomputed to safe resources and might be throttled to avoid denial of service if called to often. 
- -**Notes:** -- a valid version of Gardenlinux is any version that we have a manifest list of packages contained -- "output list" contains for any package I subscribed for with "list of Gardenlinux packages" or contained in my "version of Gardenlinux" with their corresponding CVEs and the date of first occurrence. e.g. - "bind9 CVE-2013-12234 240522" -- notification emails need to contain an "unsubscribe" button so we can stop to inform recipients permanently - -## #2 developer tests -**As a** a developer using a Gardenlinux base layer (OS / Container) -**I want** to know when I add a certain package so my selection what impact it has -**So that** I can see current CVE's introduced by adding the package -### Acceptance Criteria -- [ ] I want to use the webpage of GLVD to test for a single package and its introduced CVE's -- [ ] The state of a package shows a current state and clearly differentiate between current and historical CVE so I have an impression how much exposure this package has. -### Additional Details -**Description:** -This is probably the most simple call against the GLVD service and just provides for a single package state. - -## #3 gardener user / hyperscaler user -**As a** Gardener user (or user of a bigger hyperscaler) -**I want** to subscribe for a certain fixed version -**So that** I will get informed when this version updates or new CVE's occurring -### Acceptance Criteria -- [ ] subscription for a version works over the default name like 1443. -- [ ] If a minor version (like 1443.1) is included I want to get informations about CVE's added to that version. (see user story #1) -- [ ] If no minor version is supported (and therefore no package lists!) I want to get information about updates to that version -- [ ] I get a message when ever a new minor version or a new stable version is available. -### Additional Details -**Description:** -The important point in this story is, we have a special information format for new versions. e.g. 
1443 new hotfix version 1443.5. This information should show what CVE's are closes and should also have a list of open CVE's in older versions. -So updates will be send out either there is a new CVE in a version or a new version closes one or more CVE's. - -**Notes:** -- as new version a new minor is considered e.g. 1443.5 but also historical versions like 1443.1 or 1443.2 etc must be listed since it was only subscribed for 1443 -- also follow on major versions should be listed. e.g. 1312 has a new stable successor 1443. Not all minor versions of the successor must be mentioned but a list of CVE's closed (so if there is a new minor of the successor there will be also some information on the old version since there is a new list of closed CVE's) -- older version are fully ignored ... it is only the subscribed version or newer -**Dependencies:** -- User Story #1 - -## #4 CLI -**As a** User of Gardenlinux -**I want** to have a simple CLI tool for API functions -**So that** I can use the GLVD functions from command line without a web browser -### Acceptance Criteria -- [ ] single package test (User Story #2) is integrated in apt installations. e.g. I install packages X and add therefore (output of apt) the following CVE's -- [ ] base layer monitoring (User Story #1) can be used anonymously by getting a URL based on my installed package list and the output can be shown everytime I login via motd. e.g. following open CVE's are know (...) - -### Additional Details -**Description:** -It is just a command line wrapper towards the functionality GLVD is providing. No subscription via email is mandatory (but possible so it is easy to script) - -**Notes:** -- based only on package lists since the version might be a valid entry point but since this will be command line based it will be very likely more modifications to the system are expected. 
No complicated convert back to the installed version should be implemented -- -**Dependencies:** -- User Story #1 -- User Story #2 - -## OCM -**As a** OCM tool -**I want** want to subscribe for CVE's of a certain Gardenlinux version -**So that** I can update my security relevant information based on the version of this product -### Acceptance Criteria -- [ ] the OCM tool creates a list of open CVE's for a certain version (like in User Story #1) and uploads it in the expected format to related OCM documents -- [ ] the check is either done once a day (User Story #1) or every time a new Gardenlinux version is released (part of the release process) -### Additional Details -**Description:** -Should be completely integrated in the release process (github) of Gardenlinux. And needs to contain the data expected by OCM. -**Notes:** -- the process is completely automated and should not rely on email subscription -**Dependencies:** -- User Story #1 +# GLVD User Stories + +# USER-01 + +As a user of Garden Linux I want to know about security issues in Garden Linux so I can operate my systems responsibly. + +## Acceptance Criteria + +- [ ] The user can query for known CVEs of a list packages + +## Additional details + +- This does not yet require a nice user interface, an HTTP API is sufficient +- This does not yet include knowledge about which packages are included in any given Garden Linux image, the user provides a list of package names and versions + +# USER-02 + +As a user of Garden Linux I want to subscribe to updates on new security issues in the packages I care about. 
+ +## Acceptance Criteria + +- [ ] The user can get notifications for new known CVEs affecting their list of packages +- [ ] The user can unsubscribe from notifications + +## Additional details + +- This might be implemented in an anonymous way where the user gets a tracking url/rss feed they need to bookmark +- The backend/db needs to keep track of tracking urls +- Users might want to subscribe with their email address; this introduces a new class of issues legally (data protection) + +# USER-03 + +As a user of Garden Linux I want to track security issues in any given Garden Linux *image* so I can make an informed decision about needed actions in my system. + +## Acceptance Criteria + +- [ ] The user can query for Garden Linux images such as `gardenlinux-gcp-gardener-prod-amd64-1443-5-bfb687a7` +- [ ] The user can provide additional packages from the Garden Linux APT repo (in the same release as the image) + +# USER-04 + +As a user of Garden Linux I want to be notified of new CVEs in the Garden Linux patch version I'm using. + +## Acceptance Criteria + +- [ ] I can select the Garden Linux version (like 1443.5) I'm using to be notified on new CVEs for that specific version +- [ ] I get a notification for new patch releases in that version (like 1443.6) so I can upgrade as soon as possible +- [ ] I can select a Garden Linux major version (like 1443) to be notified on new and fixed CVEs in that version + +# USER-05 + +As a user of Garden Linux I want to be notified of new major versions of Garden Linux so I can plan to upgrade. + +# USER-06 + +As a user of GLVD I want a simple web interface to work with the service in a convenient way. + +## Acceptance Criteria + +- [ ] Features described in the previous user stories can be accessed in a minimal web interface + +# USER-07 + +As a user of GLVD I want a CLI tool to interact with the service. 
+ +## Acceptance Criteria + +- [ ] Features described in the previous user stories can be accessed using a command line tool + +# GLDEV-01 + +As a developer of Garden Linux I want to assess the security impact of adding packages to Garden Linux images. + +## Acceptance Criteria + +- [ ] I can query individual packages within the Garden Linux APT repo for known CVEs, for package versions included in the available releases +- [ ] I can use released Garden Linux images as a pre-set and add packages to see what additional CVEs are added with the additional packages + +# GLDEV-02 + +As a developer of Garden Linux I want to add context information on CVE that might be fixed or not applicable to Garden Linux. + +## Acceptance Criteria + +- [ ] I can add a text comment to any package version describing in what condition this security issue applies to Garden Linux +- [ ] I can add new package versions to account for rebuilt and manually patched packages in Garden Linux + +# GLDEV-03 + +As a developer of Garden Linux I want to generate parts of release notes for new patch and major versions of Garden Linux. + +## Acceptance Criteria + +- [ ] GLVD can create markdown output that is suitable for adding it to Github releases page From 164e42a5065d2df97181c334a346ec39c011645c Mon Sep 17 00:00:00 2001 From: Florian Wilhelm Date: Tue, 11 Jun 2024 16:10:35 +0200 Subject: [PATCH 3/7] feedback --- docs/user-stories.md | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/docs/user-stories.md b/docs/user-stories.md index 90ab6a8..aefe777 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md 
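Review bot: on patch 2/7, the rewrite drops the throttling requirement for the anonymous tracking URL that the previous version carried; since USER-02 still proposes "a tracking url/rss feed they need to bookmark" that is evaluated on request, keep a line under its additional details saying the endpoint is rate-limited and the url token is unguessable. GLDEV-02 introduces write operations ("I can add a text comment to any package version", "I can add new package versions") on a service whose other stories are anonymous reads; an acceptance criterion stating that these require an authenticated Garden Linux developer identity and that edits are attributable would avoid an open write path in the HTTP API from USER-01. Minor: "a list packages" should read "a list of packages" in USER-01, and "context information on CVE" should read "on CVEs" in GLDEV-02.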
@@ -35,10 +35,18 @@ As a user of Garden Linux I want to track security issues in any given Garden Li ## Acceptance Criteria - [ ] The user can query for Garden Linux images such as `gardenlinux-gcp-gardener-prod-amd64-1443-5-bfb687a7` -- [ ] The user can provide additional packages from the Garden Linux APT repo (in the same release as the image) + # USER-04 +As a user of Garden Linux I want to track security issues that additional packages bring into my image. + +## Acceptance Criteria + +- [ ] The user can provide additional packages from the Garden Linux APT repo (in the same release as the image in use) + +# USER-05 + As a user of Garden Linux I want to be notified of new CVEs in the Garden Linux patch version I'm using. ## Acceptance Criteria @@ -47,11 +55,11 @@ As a user of Garden Linux I want to be notified of new CVEs in the Garden Linux - [ ] I get a notification for new patch releases in that version (like 1443.6) so I can upgrade as soon as possible - [ ] I can select a Garden Linux major version (like 1443) to be notified on new and fixed CVEs in that version -# USER-05 +# USER-06 As a user of Garden Linux I want to be notified of new major versions of Garden Linux so I can plan to upgrade. -# USER-06 +# USER-07 As a user of GLVD I want a simple web interface to work with the service in a convenient way. @@ -59,7 +67,7 @@ As a user of GLVD I want a simple web interface to work with the service in a co - [ ] Features described in the previous user stories can be accessed in a minimal web interface -# USER-07 +# USER-08 As a user of GLVD I want a CLI tool to interact with the service. 
@@ -67,6 +75,14 @@ As a user of GLVD I want a CLI tool to interact with the service. - [ ] Features described in the previous user stories can be accessed using a command line tool +# USER-09 + +As a user of Garden Linux (container images) I want to be informed about additional issues installed packages bring. + +## Acceptance Criteria + +- [ ] A 'apt install' cli wrapper prints information on additional CVEs introduced by that package + # GLDEV-01 As a developer of Garden Linux I want to assess the security impact of adding packages to Garden Linux images. From f851ec7761576010b338041c70946fb81ebc6399 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <2292245+fwilhe@users.noreply.github.com> Date: Mon, 17 Jun 2024 14:23:04 +0200 Subject: [PATCH 4/7] Update user-stories.md As discussed @gehoern @Akendo @pnpavlov --- docs/user-stories.md | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/docs/user-stories.md b/docs/user-stories.md index aefe777..440ddec 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md 
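Review bot: on patch 3/7, the USER-09 hunk should state the failure mode of the apt wrapper: if GLVD is unreachable or slow, "A 'apt install' cli wrapper prints information on additional CVEs introduced by that package" must not block or abort the installation, and the output should make clear that an empty result means "no known CVEs in GLVD", not "verified clean". Also use the document's backtick convention (`apt install`, as already done for the image name in USER-03) and "An" rather than "A".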
@@ -28,23 +28,6 @@ As a user of Garden Linux I want to subscribe to updates on new security issues - The backend/db needs to keep track of tracking urls - Users might want to subscribe with their email address; this introduces a new class of issues legally (data protection) -# USER-03 - -As a user of Garden Linux I want to track security issues in any given Garden Linux *image* so I can make an informed decision about needed actions in my system. - -## Acceptance Criteria - -- [ ] The user can query for Garden Linux images such as `gardenlinux-gcp-gardener-prod-amd64-1443-5-bfb687a7` - - -# USER-04 - -As a user of Garden Linux I want to track security issues that additional packages bring into my image. - -## Acceptance Criteria - -- [ ] The user can provide additional packages from the Garden Linux APT repo (in the same release as the image in use) - # USER-05 As a user of Garden Linux I want to be notified of new CVEs in the Garden Linux patch version I'm using. @@ -83,6 +66,24 @@ As a user of Garden Linux (container images) I want to be informed about additio - [ ] A 'apt install' cli wrapper prints information on additional CVEs introduced by that package +# De-prioritized user stories + +# USER-03 + +As a user of Garden Linux I want to track security issues in any given Garden Linux *image* so I can make an informed decision about needed actions in my system. + +## Acceptance Criteria + +- [ ] The user can query for Garden Linux images such as `gardenlinux-gcp-gardener-prod-amd64-1443-5-bfb687a7` + +# USER-04 + +As a user of Garden Linux I want to track security issues that additional packages bring into my image. + +## Acceptance Criteria + +- [ ] The user can provide additional packages from the Garden Linux APT repo (in the same release as the image in use) + # GLDEV-01 As a developer of Garden Linux I want to assess the security impact of adding packages to Garden Linux images. From 0d2090e0cb31b59d3a3cfdce433f4904fb8d84d2 Mon Sep 17 00:00:00 2001 
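Review bot: on patch 4/7, the second hunk puts "+# De-prioritized user stories" at the same heading level as the story IDs (# USER-03, # GLDEV-01), so the GLDEV-01 to GLDEV-03 stories that follow USER-04 in the file now read as de-prioritized as well. Either close the section with a new heading before "# GLDEV-01", or move the story headings one level down (## for stories, ### for acceptance criteria) so that section headings are the only level-one headings besides the title.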
From: Florian Wilhelm Date: Wed, 19 Jun 2024 13:46:21 +0200 Subject: [PATCH 5/7] prio --- docs/user-stories.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/user-stories.md b/docs/user-stories.md index 440ddec..8f8e38b 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md @@ -13,7 +13,7 @@ As a user of Garden Linux I want to know about security issues in Garden Linux s - This does not yet require a nice user interface, an HTTP API is sufficient - This does not yet include knowledge about which packages are included in any given Garden Linux image, the user provides a list of package names and versions -# USER-02 +# USER-02 (lower prio) As a user of Garden Linux I want to subscribe to updates on new security issues in the packages I care about. @@ -42,13 +42,13 @@ As a user of Garden Linux I want to be notified of new CVEs in the Garden Linux As a user of Garden Linux I want to be notified of new major versions of Garden Linux so I can plan to upgrade. -# USER-07 +# USER-07 (higher prio) As a user of GLVD I want a simple web interface to work with the service in a convenient way. ## Acceptance Criteria -- [ ] Features described in the previous user stories can be accessed in a minimal web interface +- [ ] Features described in the previous user stories can be accessed in a minimal web interface, similar to debian security tracker UI # USER-08 From d421b679c8bea2e93a6a9b6f2216e26bfd0b4507 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <2292245+fwilhe@users.noreply.github.com> Date: Thu, 11 Jul 2024 09:48:02 +0200 Subject: [PATCH 6/7] Update user-stories.md --- docs/user-stories.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/user-stories.md b/docs/user-stories.md index 8f8e38b..56b282e 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md 
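Review bot: on patch 5/7, the priority is encoded in the heading text ("# USER-02 (lower prio)", "# USER-07 (higher prio)"), which changes the anchors the other stories refer to as "the previous user stories" and will need touching again whenever priorities move; a short priority line under each heading, or a priority table at the top, keeps the IDs stable. The pointer to the Debian security tracker UI is a useful concrete target for USER-07; a link to it would help implementers.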
@@ -110,3 +110,14 @@ As a developer of Garden Linux I want to generate parts of release notes for new - [ ] GLVD can create markdown output that is suitable for adding it to Github releases page + + + + +# Notes from discussion + +- Get List of vuln by package name and version +- Get List of vuln packages by distro +- Get List of vuln packages by image + - needs manifest files from images (package list with version) +- Get List of vuln packages by CVE id From 3306c6287e1d8a1bb7c75e36ddabcb479c3d1c50 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <2292245+fwilhe@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:21:08 +0200 Subject: [PATCH 7/7] Update user-stories.md --- docs/user-stories.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/user-stories.md b/docs/user-stories.md index 56b282e..c5c3c20 100644 --- a/docs/user-stories.md +++ b/docs/user-stories.md @@ -112,12 +112,14 @@ As a developer of Garden Linux I want to generate parts of release notes for new - - # Notes from discussion - Get List of vuln by package name and version - Get List of vuln packages by distro - Get List of vuln packages by image - - needs manifest files from images (package list with version) + - needs manifest files from images (package list with version), generated by builder +- Get List of vuln packages by ocm descriptor (maybe) - Get List of vuln packages by CVE id +- Triage for GL vuln + - output ocm (potential issues, immutability, pull/poll, api, ?) + - outbut bdba (maybe)
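Review bot: on patch 7/7, "outbut bdba" should read "output bdba", and since both the "ocm descriptor" item and the two triage outputs carry "(maybe)", it is worth spelling out what each output is expected to contain so the triage item has a testable criterion. The hunk also leaves two of the four blank lines that patch 6/7 inserted before "# Notes from discussion"; one blank line is enough.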