The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group 8,140 lines of amd64 assembly in crypto 10,474 lines of amd64 assembly

signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization (currently English and Architecture 13 13 API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database 23 Content trust for image

Based on content trust • Based on vulnerability • Based on RBAC Main Features （ Cont. ） 7 Vulnerability Scanning • Kinds of scanning policies • Elaborate scanning report Content Trust • Digital signature API Routing API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value

capabilities to compress, migrate, or swap out those pages. User-Mode Module • Memory scanning triggers memory page scanning and collects results. • Hot and cold tiering classifies memory access results into Technical White Paper Innovation Projects CVE Manager Infrastructure SIG | Security Committee Vulnerability management integrates processes, tools, and mechanisms of the openEuler community to detect, collect The vulnerability response process is available across the openEuler LTS and its branch versions. See the following flowchart. Vulnerability Handling Process Disclosure scope SC Vulnerability status

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 Documentation, Release 6.5.1 5.22 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.23 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 @kevin-bates • @virejdasani 5.21 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.22 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 @kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 Documentation, Release 6.4.11 5.16 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.17 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 @kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 Documentation, Release 6.4.12 5.16 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.17 6.1.4 • Fix broken links to