How can Opentelemtry Community ensure the future Opentelemetry Release version does not have vulnerability?

[ericashi]

Component(s)

No response

Describe the issue you're reporting

Hi,

How can Opentelemetry Community ensure the future Opentelemetry Release version does not have vulnerability?
The reason is because our company will have concerns taking version releases that have vulnerability.
For instance, the Opentelemetry Community will do a vulnerability check or scanning (Eg - using dependabot from Github) prior to do release and will not release if have vulnerabilities?

Thank you.

Best Regards,
Erica Ooi

[mx-psi]

@open-telemetry/sig-security-maintainers is working on providing guidance across the whole project.

I can confirm we use Dependabot for vulnerability scanning and frequently update our dependencies. We can't ensure that a release won't have vulnerabilities since these may be flagged after a release has happened, but we aim to do a release patching known vulnerabilities within 30 days of their release (see here for more details).

[jpkrohling]

Closing, as I think @mx-psi provided enough information. One thing I would add is that we do not provide any SLAs, despite our goodwill to fix issues in a timely fashion.

[ericashi]

Hi @jpkrohling and @mx-psi ,

Can we make an assumption that Opentelemetry is still under very active development that it have high chances of having CVEs in this 1 or more year.
If our company is looking for a tool that guarantee to have no vulnerability, we should onhold using Opentelemetry to wait for it to be mature first and use it 1 or few years later?

Thank you.

Best Regards,
Erica Ooi

[cartersocha]

Hey @ericashi it's common for any product, even mature ones to have security vulnerabilities. It's almost impossible to write a program with no vulnerabilities especially as bugs in dependencies or run times are often identified after releases have occurred.

A couple examples of widely used products with recent CVEs:

• Kubernetes
• Splunk

The important thing is that the proper response processes are in place and that the vulnerabilities are addressed promptly. The community takes security vulnerability notifications very seriously and maintainers typically respond quickly upon incident notification. From a tooling perspective we use dependabot / renovate for dependency updating, GitHub Security Advisory Database for notification and external bug identification, and the GitHub CVEE scoring process.

The SIG-security group is currently working on unifying community processes and improving our tooling even further to provide a similar level of disclosure and documentation as Kubernetes. If you have any concerns, feedback, or suggestions feel free to join a SIG meeting every Wednesday at 830 am PST or in the #otel-sig-security channel. Our priority is the security of our users, the dependability of our processes / tooling, and maintaining user trust.

Companies like VMWare, Microsoft, F5, Amazon, Apple, Ebay, GitHub etc. have chosen OpenTelemetry as their Observability direction and rely on our community components, especially the Collector. But ultimately, it's what your organization is comfortable with! I hope this helps a bit 😎