Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[LFX-Q2]: Enhance/Upgrade chaos operator and chaos exporter module #3969

Closed
imrajdas opened this issue May 9, 2023 · 7 comments
Closed

[LFX-Q2]: Enhance/Upgrade chaos operator and chaos exporter module #3969

imrajdas opened this issue May 9, 2023 · 7 comments
Labels
LFX-MENTORSHIP Linux Foundation Mentor ship Issue

Comments

@imrajdas
Copy link
Member

imrajdas commented May 9, 2023
edited
Loading

This task is divided into multiple subtasks

  • Upgrade operator-sdk version and refactor code required for version upgrade in Chaos Operator
  • Upgrade the prometheus exporter version in Chaos Exporter and refactor code required for version upgrade
  • Add new prometheus metrics to the chaos exporter
  • Fix security vulnerability suggested by trivy and golangci-lint in the chaos-operator and chaos-exporter repository

Additional:

  • Add unit test cases to the chaos-operator and chaos-exporter repositories.

Repository Ref

Note:

  • Candidate should know Golang, Kubernetes, and backend development. It's okay if the individual is not familiar with litmuschaos.
@imrajdas imrajdas added the LFX-MENTORSHIP Linux Foundation Mentor ship Issue label May 9, 2023
@imrajdas imrajdas changed the title [LFX-Q2]: Request to enhance chaos operator and chaos exporter [LFX-Q2]: Enhance/Upgrade chaos operator and chaos exporter module May 9, 2023
@money8203
Copy link

Hey @imrajdas, I am currently exploring go and have some understanding of backend development. I'd love to work on this project as a part of lfx mentorship, I believe this project will be a great opportunity for me to apply my skills and gain hands-on experience.

So will it be idle for me to apply for the project ?

@Aadeesh11
Copy link

Hey @imrajdas, I am currently a final year student at IIT BHU. I have decent knowledge of backend development and Kubernetes and have been exploring Golang recently. I find this project interesting and would like to apply for it under the LFX mentorship.
Can you point me on how to go about this project?

Thank you.

@imrajdas
Copy link
Member Author

Hi Everyone, Please submit your application to LFX, and we will review it.

@prajak002
Copy link

prajak002 commented May 22, 2023
edited
Loading

Hi @imrajdas
i am currently a pre-final student from IEM kolkata. i have 3+ years of experiences in backend development , i have worked with Go and kubernetes in my past days, i have followed the codebase of limuschaos , and saw the architectural workflow of chaos.

i have seen the project objectives and i have studied on chaos exporter
here we find the metrics.go(our exporter instantiate file) and here we can add the prometheus metrics like this

package main

import (
	"net/http"
	"time"

	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/client_golang/prometheus/promhttp"
)

var (
	chaosExperimentFailures = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "chaos_experiment_failures_total",
			Help: "Total number of failed chaos experiments",
		},
	)
)

func init() {
	prometheus.MustRegister(chaosExperimentFailures)
}

func main() {
	http.Handle("/metrics", promhttp.Handler())

	go func() {
		if err := http.ListenAndServe(":8080", nil); err != nil {
			panic(err)
		}
	}()

	failChaosExperiment()

	time.Sleep(10 * time.Second)
}

func failChaosExperiment() {
	// Simulate a failed chaos experiment
	chaosExperimentFailures.Inc()
}

Imported the promhttp package for a simpler handler registration and serving of the metrics endpoint.
Removed the unnecessary time import. The time package was not used in the original code, so it has been removed from the updated version.

Updated the way the HTTP server is started using an anonymous goroutine and a proper error handling check. This ensures that any potential errors during server startup are handled correctly.

Simplified the failChaosExperiment() function by removing the placeholder comment. You can replace the comment with the code that simulates a failed chaos experiment.

Aligned the closing parentheses for the chaosExperimentFailures counter declaration to improve readability.

for fixing the security vulnerabilities issued by trivy and golangcli-int

  1. by functional testing and security testing to validate the effectiveness of the vulnebalities' fixes. Re-run Trivy and GolangCI-Lint to verify that the vulnerabilities have been addressed.

  2. we can Implement continuous monitoring practices to stay informed about new vulnerabilities and security updates. Regularly update dependencies and follow security best practices to mitigate emerging risks.

  3. if trivy and GolangCI-Lint have flagged a potential SQL injection vulnerability in the exporter.go
    consider this codebase :-

package main

import (
	"database/sql"
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/export", func(w http.ResponseWriter, r *http.Request) {
		input := r.FormValue("input")
		// Sanitize the input to prevent SQL injection
		sanitizedInput := sanitizeInput(input)

		// Use a prepared statement to safely execute the SQL query
		query := "SELECT * FROM data WHERE column = ?"
		stmt, err := db.Prepare(query)
		if err != nil {
			// Handle the error
			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
			return
		}
		defer stmt.Close()

		rows, err := stmt.Query(sanitizedInput)
		if err != nil {
			// Handle the error
			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
			return
		}
		defer rows.Close()

		// Process and return the query results
		// ...
	})

	if err := http.ListenAndServe(":8080", nil); err != nil {
		panic(err)
	}
}

func sanitizeInput(input string) string {
	

	return input
}

In this example, we have added a sanitizeInput() function to sanitize the user input and prevent SQL injection. The function applies appropriate sanitization techniques specific to your database engine.

Additionally, we use a prepared statement (stmt) with a parameterized query to safely execute the SQL query. By passing the sanitized input as a parameter to the query, we avoid direct concatenation of user input into the SQL statement, thereby mitigating the SQL injection vulnerability.

Please note that the above example is a simplified illustration, and the actual fix may vary depending on the specific vulnerability reported and the structure of the exporter.go file in the Chaos Exporter repository. It is important to carefully analyze the reported vulnerability and refer to relevant secure coding practices and documentation to implement the appropriate fixes.

Any inputs and further guidance will be much appreciated.
Thank you all.

@imrajdas
Copy link
Member Author

Hi all, Today(May 23, 5:00 PM PDT) is the last day to submit your proposal to the LFX portal

Apply link- https://mentorship.lfx.linuxfoundation.org/project/bd6e875a-a64c-4405-af1c-677d8c45014b

@achiverram28
Copy link

Hey @imrajdas . Excited to work on this particular LFX Mentorship issue . I have submitted the respective details in the LFX mentorship portal

@imrajdas
Copy link
Member Author

imrajdas commented Jun 1, 2023
edited
Loading

Hi All, We have finalized the LFX mentee. We participate in LFX every 3 months. Please apply it for next term in case you didn't get selected.

Please feel free to contribute to the LitmusChaos project or join the monthly community call to learn about the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
LFX-MENTORSHIP Linux Foundation Mentor ship Issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@imrajdas @Saranya-jena @Aadeesh11 @prajak002 @money8203 @achiverram28