Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Review for Components #237

Closed
danmoseley opened this issue Sep 10, 2023 · 6 comments
Closed

Security Review for Components #237

danmoseley opened this issue Sep 10, 2023 · 6 comments
Assignees
@eerhardt
Labels
area-integrations Issues pertaining to Aspire Integrations packages security 🔐

Comments

@danmoseley
Copy link
Member

No description provided.

@danmoseley danmoseley added this to the some time after preview milestone Sep 25, 2023
@danmoseley
Copy link
Member Author

Let's synchronize with the service discovery reviews?

@danmoseley
Copy link
Member Author

Particular consideration: 3rd party libraries and their SLA/ship dates.

@eerhardt eerhardt transferred this issue from another repository Oct 11, 2023
@eerhardt eerhardt added the area-integrations Issues pertaining to Aspire Integrations packages label Oct 11, 2023
@danmoseley
Copy link
Member Author

@ReubenBond did threat modeling/review happen for service discovery? I don't see any issue for it, I can open one.

@mitchdenny I wonder whether we need one for app model as well. Below are their usual criteria --

• They're intending to make security guarantees; e.g, they use cryptography.
• They can reasonably be expected to process input which didn't originate from within the application or from a trusted config source. For example: "The typical use case for this component is that the app reads some incoming request header and then passes that header value to us to capture telemetry."
• The component itself makes an outbound connection or handles an incoming connection. Here, "connection" means anything reaching beyond the current process, encompassing network connections, LRPC, named pipes, and similar.
• The component deals with PII.
• The component utilizes serialization or implements a protocol parser.

examples if only for my own reference
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Json/docs/ThreatModel.md
and various aspnet ones internally from before they were openly posted.

@danmoseley
Copy link
Member Author

let's pick this up right after preview, so we don't do the last minute thing.

cc for @GrabYourPitchforks so he sees any discussion here about boundaries/scoping.

@danmoseley danmoseley removed this from the needs milestone (for GA) milestone Nov 13, 2023
This was referenced Jan 8, 2024
Closed
Closed
@eerhardt eerhardt added the task label Jan 10, 2024
@davidfowl davidfowl added this to the preview TBD (but in 8.0) milestone Jan 27, 2024
@eerhardt eerhardt self-assigned this Feb 27, 2024
@kvenkatrajan kvenkatrajan mentioned this issue Mar 6, 2024
Closed
10 tasks
@eerhardt eerhardt modified the milestones: preview 6 (Apr), GA Apr 15, 2024
eerhardt added a commit to eerhardt/aspire that referenced this issue Apr 16, 2024
@eerhardt
Move comments on generated password entropy to public API
5370ae8 
This allows for these comments to be seen by callers of the API so they can make educated decisions on what parameters should be set for the password generation.

Contributes to dotnet#237
@eerhardt eerhardt mentioned this issue Apr 16, 2024
Merged
eerhardt added a commit that referenced this issue Apr 17, 2024
@eerhardt
Move comments on generated password entropy to public API (#3729)
bafcacd 
* Move comments on generated password entropy to public API

This allows for these comments to be seen by callers of the API so they can make educated decisions on what parameters should be set for the password generation.

Contributes to #237

* Format the remarks section.
eerhardt added a commit to eerhardt/aspire that referenced this issue Apr 17, 2024
@eerhardt
Move comments on generated password entropy to public API (dotnet#3729)
eb0baba 
* Move comments on generated password entropy to public API

This allows for these comments to be seen by callers of the API so they can make educated decisions on what parameters should be set for the password generation.

Contributes to dotnet#237

* Format the remarks section.
@eerhardt eerhardt mentioned this issue Apr 17, 2024
Merged
danmoseley pushed a commit that referenced this issue Apr 18, 2024
@eerhardt
Move comments on generated password entropy to public API (#3729) (#3781
40b3961 
)

* Move comments on generated password entropy to public API

This allows for these comments to be seen by callers of the API so they can make educated decisions on what parameters should be set for the password generation.

Contributes to #237

* Format the remarks section.
@joperezr
Copy link
Member

Waiting on sign-off @GrabYourPitchforks

@eerhardt
Copy link
Member

eerhardt commented May 6, 2024

The work this is tracking is now complete. Closing.

@eerhardt eerhardt closed this as completed May 6, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jun 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@eerhardt eerhardt

Labels
area-integrations Issues pertaining to Aspire Integrations packages security 🔐
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davidfowl @danmoseley @eerhardt @joperezr