Protect your Cloud Native Applications running on Kubernetes from malicious attacks with pre-registered source code, pre-registered runtime processes monitoring, automated actions based on configure-actions, analytics, alerting and also sharing detections with community. Maybe save from Ransomware. Shift-Left your threat detection. Shift Right threat elimination.
License: Apache License 2.0
![deepsource-io[bot] avatar](https://avatars.githubusercontent.com/in/16372?v=4 "deepsource-io[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - github.com/golang/crypto-5ff15b29337e062d850872081bcd9f4d784f4c25[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
Step up your Open Source Security Game with Mend here
Capture eBPF pod related data fields as mentioned below
Vulnerable Library - golang.org/x/net-v0.0.0-20220225172249-27dd8689420f[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220225172249-27dd8689420f.zip
Dependency Hierarchy:
Found in HEAD commit: 09aefa75b70358aa642a8cd6fdad4a71c77d1f68
Found in base branch: main
Vulnerability Details
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Publish Date: 2022-09-06
URL: CVE-2022-27664
CVSS 3 Score Details (7.5)
Base Score Metrics:
Step up your Open Source Security Game with Mend here
https://about.gitlab.com/blog/2021/07/23/announcing-package-hunter/
This can be done later.
To implement this method, doesn't require any special code development in Tarian. Tarian already works similar to package-hunter but Tarian is more advanced. We just have to provide a documented steps on how to setup Tarian in a separate sandbox environment & hunt for malicious activities continuously in that sandbox & report the detected malicious activities for further examination.
Vulnerable Library - github.com/golang/crypto-5ff15b29337e062d850872081bcd9f4d784f4c25[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191
Release Date: 2022-03-18
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/driftprogramming/pgxpoolmock-v1.1.0pgx postgresql pool
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v2.2.8
Step up your Open Source Security Game with Mend here
This issue is a placeholder for someone who wants to contribute to improve the test suite:
See also contributing.md
Vulnerable Library - github.com/golang/sys-3681064d51587c1db0324b3d5c23c2ddbcff6e8f[mirror] Go packages for low-level interaction with the operating system
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
Publish Date: 2022-06-23
URL: CVE-2022-29526
CVSS 3 Score Details (5.3)
Base Score Metrics:
Step up your Open Source Security Game with Mend here
tarian-pod-agent should send a signal to cluster-agent to destroy the pod that particular pod-agent is in. should send pod full ID so that cluster agent knows which pod to kill & which volumes of that pod to be deleted or archived.
Of course, final action should be triggered after collecting all violation related logs & info and sending to cluster-agent.
Integrate with Falco using grpc. Pull the alerts and save to tarian events.
The output of tarianctl get events was changed to support falco integration. File and process violations were displayed on separate field. Now that those are merged, the information needs to be improved.
A lot of events returned can be overwhelming. Let's add a limit param to only see the last N events.
Vulnerable Library - github.com/driftprogramming/pgxpoolmock-v1.1.0pgx postgresql pool
Dependency Hierarchy:
Found in HEAD commit: cc6c9f9cacce9cb0687bb10f9bae4c0752e98873
Found in base branch: main
Vulnerability Details
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28852
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852
Release Date: 2021-01-02
Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1
Step up your Open Source Security Game with Mend here
The scope is to look at https://deepfence.io/threatmapper/ to see if there is anything we can integrate with Tarian. Issues with more focused scope will be created as a result of this.
Vulnerable Library - github.com/driftprogramming/pgxpoolmock-v1.1.0pgx postgresql pool
Dependency Hierarchy:
Found in HEAD commit: cc6c9f9cacce9cb0687bb10f9bae4c0752e98873
Found in base branch: main
Vulnerability Details
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28851
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851
Release Date: 2021-01-02
Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1
Step up your Open Source Security Game with Mend here
Vulnerable Library - golang.org/x/net-v0.4.0[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.4.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in HEAD commit: 163225d6c0e779d3d7694a62f24afc5538039735
Found in base branch: main
Vulnerability Details
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Publish Date: 2023-10-11
URL: CVE-2023-39325
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0
Step up your Open Source Security Game with Mend here
Extract the information of current working directory for providing more context for the captured data.
Vulnerable Library - github.com/driftprogramming/pgxpoolmock-v1.1.0pgx postgresql pool
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
Step up your Open Source Security Game with Mend here
https://github.com/kube-tarian/tarian/projects/1#card-75459234
Phase1:
Integration with Falco & Alertmanager
Register processes
Detect unknown processes
Configure automate actions
Perform automated actions
Export & Import threat details to share with community
Create & configure policies
Automate all the above with simple yaml declarations to make it developer friendly
Phase2:
Integration with eBPF (For enhancement), Quirefence and ThreatMapper.
Phase3:
Develop full UI with IODC
All phases:
Continuously improve APIs with openAPI standards.
Add integrations with new security tools.
tarianctl get events already uses limits, but there is no pagination yet. The goal is to allow users to get events beyond the limits.
Vulnerable Library - github.com/driftprogramming/pgxpoolmock-v1.1.0pgx postgresql pool
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
Yaml in versions v2.2.0 to v2.2.2 is vulnerable to denial of service vector.
Related to decode.go
Publish Date: 2021-04-14
URL: WS-2021-0200
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0061
Release Date: 2021-04-14
Fix Resolution: v2.2.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/prometheus/client_golang-v1.11.0Prometheus instrumentation library for Go applications
Dependency Hierarchy:
Found in HEAD commit: 7c7cbc463791d4bd71514bd1e2ff1330e59fb423
Found in base branch: main
Vulnerability Details
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
Publish Date: 2022-02-15
URL: CVE-2022-21698
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cg3q-j54f-5p7p
Release Date: 2022-02-15
Fix Resolution: v1.11.1
Step up your Open Source Security Game with Mend here
I think it will be cool to add this as feature in Tarian by automating this process:
integrate K8s Audit Logs with Falco to detect suspicious activity in your cluster ->
https://sysdig.com/blog/kubernetes-audit-log-falco/
The reason for DB migration is, that we did some assessments on which DB would be more reliable from ML analytics perspective. looks like graph DB is more efficient to be able to map relationships in 360 degrees and query bulk of data at once using GraphQL. Also, ML model will sit on every cluster as another daemonset and do the analysis of data immediately (even before storing data into a DB) as soon as Tarian daemonset fetches the data.
and a graph DB will help with further observability & querying in an efficient way.
This issue is a placeholder for someone who wants to contribute to improve the documentation:
Anything valuable would be accepted. It can be fixing example, fixing grammar, improving clarity, covering more cases, etc.
github.com/curiefense/curiefense
After integration tarian with tarian-detector, tarian-detector was adding lots of empty events to dgraph store. As part of this task, updated the dgraph query to avoid lot of empty rows.
Each pod may have different requirement for the validation interval. An annotation will be added to configure it.
https://kubernetes.io/docs/tutorials/clusters/seccomp/
reference blogs:-
https://martinheinz.dev/blog/41
Seccomp in Kubernetes — Part I
Seccomp in Kubernetes — Part 2
Seccomp in Kubernetes — Part 3
https://itnext.io/seccomp-in-kubernetes-part-3-the-new-syntax-plus-some-advanced-topics-95dd3835263a
The processes/files which needs to be marked as threats and take action against them, you already developed constraints. Give the flexibility to add constraints as add-ons (plug-ins) using a yaml file or json (preferably yaml). This will help to manage constraints easily. When using UI, these constraints should be built as yaml files in the background and saved as constraints configurations.
I am telling as yaml or json, you can come up with whichever easy process idea you get.
Basically, we want to make it easy to add/export/delete those constraints as a independent items. It will also help to easily share in the open-source community. For example, if a security expert figures out some process & it's files & it's logs are definitely a threat item(s), they can mark those are threats & add actions. The data related to that threat, what action to take, metadata & log data of that threat should be save as a configuration like a separate thing and can share that file (or few files) to opensource community of Tarian so that other Tarian Users can simply import that constraint configuration and add that threat related constraint config into their environment & be benefited from it without having to figure out same kind of threat again themselves.
Please let me know if it makes sense or want to discuss.
Vulnerable Library - golang.org/x/net-v0.4.0[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.4.0.zip
Dependency Hierarchy:
Found in HEAD commit: b0be065f9e28779265ec18f0ebb8e9580aca195c
Found in base branch: main
Vulnerability Details
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Publish Date: 2023-02-28
URL: CVE-2022-41723
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2023-1568
Release Date: 2022-09-29
Fix Resolution: v0.7.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - golang.org/x/net-v0.0.0-20220225172249-27dd8689420f[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220225172249-27dd8689420f.zip
Dependency Hierarchy:
Found in HEAD commit: 09aefa75b70358aa642a8cd6fdad4a71c77d1f68
Found in base branch: main
Vulnerability Details
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Publish Date: 2022-08-10
URL: CVE-2022-30633
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4
Step up your Open Source Security Game with Mend here
As a user, I want to be able to easily register violated files / processes as a new constraint via tarianctl
Currently in the installation process, there is a step that runs db migrate. We can automate that by running a job using pre-install and pre-upgrade chart hooks.
Pod agent running in a pod with annotation pod-agent.k8s.tarian.dev/register: true would automatically register found processes and files as a constraint.
Vulnerable Library - golang.org/x/net-v0.0.0-20220225172249-27dd8689420f[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220225172249-27dd8689420f.zip
Dependency Hierarchy:
Found in HEAD commit: 09aefa75b70358aa642a8cd6fdad4a71c77d1f68
Found in base branch: main
Vulnerability Details
In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a panic can occur via a deeply nested XML document.
Publish Date: 2022-08-10
URL: CVE-2022-28131
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131
Release Date: 2022-03-29
Fix Resolution: go1.17.12,go1.18.4
Step up your Open Source Security Game with Mend here
We are taking proactive steps to embed security into our coding practices, improve adherence to language-specific best practices, strengthen and secure our Software Configuration Management (SCM) workflow, and fortify our release process.
As part of this effort, we have prepared a process to include pre-commit hooks in our development workflow. These hooks serve as a crucial line of defense, helping us catch potential issues before they become problems.
To make it easy for all members of our development team to integrate these hooks, we have compiled templates for various languages and technologies. You can find these templates in our dedicated repository in Tarian's case, we can use pre-commit hooks for Golang:
Your cooperation in implementing these hooks is greatly appreciated. If you encounter any issues during the installation or have any recommendations or questions, please feel free to reach out to me.
Let's work together to make our development process more secure and efficient.
The Tarian project currently uses a variety of Dockerfiles. While these Dockerfiles are based on Chainguard's static images, we've pinned all base images to specific digests. However, Chainguard frequently updates their images, often daily, to address any discovered vulnerabilities. This practice of pinning to a digest means we miss out on automatically receiving these updated, more secure images.
My suggestion is to update the Dockerfiles' base images to use the latest tag from Chainguard's static image repository. Although generally, using the latest tag is not recommended, in the case of Chainguard images, it offers the significant benefit of ensuring our base images are always the most secure and vulnerability-free
@pratikjagrut @MrAzharuddin
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
