You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -16,7 +16,7 @@ Ada Logics found 16 security issues of which all except for one have been fixed
One CVE was assigned during the audit for a vulnerability that could allow an attacker with already escalated privileges to cause further damage in the cluster. The attacker needs to first establish a position in a Knative pod, and from there, they could exploit the vulnerability and cause denial of service of the Knative autoscaling, thereby denying any autoscaling of Knative. The issue was assigned CVE-2023-48713 of Moderate severity and has been fixed in v1.10.5, v1.12.0 and v1.11.3.
The auditors found that Knative does not include provenance with releases; Provenance is a critical component of complying with [SLSA](https://slsa.dev/) and ensuring tamper resistance of release artifacts. Recently, the SLSA community released v1.9.0 of the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) which produces SLSA L3 compliant provenance. slsa-github-generator ensures tamper-resistance of artifacts by producing verifiable provenance, thereby mitigating a series of known supply-chain risks, many of which have been exploited in the wild in recent years. Ada Logics recommend that Knative switches its build to the slsa-github-generator to comply with SLSA L3.
Prior to the audit, Knative had invested in building its own [provenance generator](https://github.com/knative/toolbox/tree/main/provenance-generator) which generates slsa-compliant provenance and adds it to releases. Users can verify the provenance using [the official SLSA guidelines](https://slsa.dev/spec/v1.0/verifying-artifacts) before consuming. The Knative maintainers found that Knative Serving was missing a few lines of Prow configuration which resulted in Knative Serving releases not having provenance. This was fixed [here](https://github.com/knative/infra/pull/288) which ensures that future releases of Knative Serving will include verifiable provenance.
Knative would like to thank Ada Logics for conducting the security audit, OSTIF for facilitating it and the CNCF for funding the audit.
