[Bug 1889688] Re: [MIR] nvme-cli
Steve Beattie
1889688 at bugs.launchpad.net
Tue Oct 20 05:03:57 UTC 2020
I reviewed nvme-cli 1.12-1ubuntu1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
nvme-cli is a set of command line tools for managing NVMe devices.
- No history of CVEs.
- No init scripts
- Four systemd units, that are used to trigger nvme discovery
- No dbus services.
- No setuid binaries.
- Only binary is /usr/sbin/nvme
- No sudo fragments.
- No polkit files.
- Two udev files, for supporting NVMe over Fibre Channel.
- Unit tests are not run at build time, due to needing an nvme
device. No autopkgtests.
- No cron jobs.
- No build errors or warnings.
- Processes spawned?
The micron and wdc plugins unfortunately both use system(), when
collecting log information, but are likely okay as the nvme tool is
not setuid.
- Memory management in the core looks reasonable, with lots of uses of
asprintf(); the plugins tend to do more strcpy() and sprintf()
operations.
- For file I/O, most of the file operations are performed on the nvme
devices, and some abstraction is provided for that.
- Most logging is done through stderr, via perror or using strerror(),
and looks okay.
- Only one use of environment variables, ok.
- Only privileged function used is ioctl(), and given the purpose of the
software, expected.
- No apparent use of cryptography.
- No apparent use of tmpfiles.
- Use of networking is for fabric discovery, looks ok.
- No use of WebKit
- No use of PolicyKit
Coverity did find several issues, including some resource leaks
(file descriptors and unfreed memory in some situations); however,
a number of issues that Coverity raised were false positives due to
its lack of understanding of asprintf(3) semantics, and really, seeing
widespread use of asprintf() I consider a positive indicator of quality.
Security team ACK for promoting nvme-cli to main.
** Tags added: security-review-done
** Changed in: nvme-cli (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1889688
Title:
[MIR] nvme-cli
Status in nvme-cli package in Ubuntu:
Confirmed
Bug description:
[Availability]
Package is available in Universe. Builds are green for all arches
specified
[Rationale]
This is a request from Google as they utilize nvme-cli to manage nvme
drives in their cloud. The package offers tools for managing nvme
drives, including nvme over fabric (NVMEoF). NVMEoF is of particular
interest as cloud providers build out with nvme drives.
[Security]
No current security advisories. Has been a part of Universe since
Xenial, and shows supportability (the source in Github is updated with
regularity [within 1 hour of me opening the page, with regular commits
including 11 merged PRs in the past 30 days])
[Quality assurance]
Upstream bugs are tracked on the github repo:
https://github.com/linux-nvme/nvme-cli
nvme-cli has been a part of Debian since stretch:
https://packages.debian.org/stretch/nvme-cli.
[UI standards]
Autogenerated man pages for nvme commands and all subcommands (nvme-*)
Man pages are fleshed out with all options described.
[Dependencies]
libc6 (>= 2.14) [amd64]
GNU C Library: Shared libraries
also a virtual package provided by libc6-udeb
libc6 (>= 2.17) [arm64, ppc64el]
libc6 (>= 2.8) [armhf, s390x]
[Standards compliance]
nvmeexpress.org, the group maintaining the package, is a compliance
organization. They include many major technology groups as members.
[Maintenance]
Foundations will subscribe to the package
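The review above flags two patterns worth seeing side by side: plugins that build strings with sprintf()/strcpy() into fixed buffers, and plugins that hand a composed command line to system(). The C below is an added illustration written for this page; it is not code from nvme-cli or from the reviewer. It assumes a hypothetical device-reported serial number as the untrusted input (the sample strings are constructed), sizes the buffer with asprintf() the way the reviewer praises, checks the snprintf() return value where a fixed buffer is unavoidable, and replaces system() with fork()/execvp() over an argv vector so shell metacharacters in the serial are never interpreted.

```c
#define _GNU_SOURCE /* asprintf(3) is a GNU/BSD extension */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample inputs standing in for a device-reported serial number. */
static const char SAMPLE_SERIAL_OK[]  = "S4ABCD1234";
static const char SAMPLE_SERIAL_BAD[] = "S4AB; rm -rf /tmp/x";

/* Accept only characters that plausibly belong in a serial string.
 * The 20-byte limit mirrors the Identify Controller SN field width;
 * the character set is an assumption chosen to exclude shell metacharacters. */
int serial_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 20)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* asprintf() allocates a buffer of exactly the needed size, so a long or
 * unexpected serial cannot overflow anything. Returns NULL on rejection or
 * allocation failure; caller frees the result. */
char *build_log_path(const char *dir, const char *serial)
{
    char *path = NULL;
    if (!serial_is_safe(serial))
        return NULL;
    if (asprintf(&path, "%s/nvme-%s.log", dir, serial) < 0)
        return NULL;
    return path;
}

/* Fixed-buffer variant for code that cannot allocate. With sprintf() the
 * oversized case would silently overflow `out`; snprintf() reports it instead.
 * Returns 0 on success, -1 if the result would not fit. */
int build_log_path_fixed(char *out, size_t outlen, const char *dir, const char *serial)
{
    int n = snprintf(out, outlen, "%s/nvme-%s.log", dir, serial);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Run a program without going through /bin/sh. Each argv element is passed
 * literally, so "; rm -rf" inside an argument is just bytes, not a command.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *path = build_log_path("/var/log", SAMPLE_SERIAL_OK);
    if (path == NULL)
        return 1;
    /* Stand-in for a log-collection helper: the path is one literal argument. */
    char *const argv[] = { "echo", "collecting", path, NULL };
    int rc = run_argv(argv);
    printf("rejected malicious serial: %s\n",
           build_log_path("/var/log", SAMPLE_SERIAL_BAD) == NULL ? "yes" : "no");
    free(path);
    return rc == 0 ? 0 : 1;
}
```

The important difference from system("cmd " + path) is that run_argv() never hands the string to a shell, so validation in serial_is_safe() is defence in depth rather than the only barrier; the reviewer's observation that nvme is not setuid is what keeps the original pattern from being a privilege boundary crossing, not the absence of a shell.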