[CNCF Graduation][Security][Required] Publish third-party security audit evidence for DD validation

[kfaseela]

For Graduation DD(cncf/toc#1861), the Third Party Security Review criterion is required and currently needs reviewer-verifiable evidence.

Could you please publish and link:

1. A public third-party audit report (or a public summary if full report cannot be shared), and
2. Evidence that findings are tracked/resolved (public issues/changelog/release notes, or reviewer-visible artifact shared with TOC/TAG Security).

Please add the link(s) in the graduation issue Security section as well as into your appropriate project security docs/website, so DD reviewers can validate quickly.

Reference examples:

• Crossplane audit post: https://blog.crossplane.io/security-audit-2023/
• Crossplane audit PDF: https://github.com/crossplane/crossplane/blob/main/security/ADA-security-audit-23.pdf
• Kyverno security audit section: https://kyverno.io/docs/security/#kyverno-third-party-security-audit-2023

[andreyvelich]

The report has been published: https://github.com/kubeflow/community/blob/master/security/Ada_Logics-Kubeflow-security-audit-2025.pdf
/close

[google-oss-prow]

@andreyvelich: Closing this issue.

Details

In response to this:

The report has been published: https://github.com/kubeflow/community/blob/master/security/Ada_Logics-Kubeflow-security-audit-2025.pdf
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kfaseela]

@andreyvelich : Can we reopen this issue for further tracking based on this comment? The audit (Sept 2025) has 12 unresolved findings (3 Critical, 6 Moderate, 2 Low) with no tracking details yet - since it's been a while, these may already be fixed in a release. Could you or other maintainers please link here where the Critical and Moderate findings are fixed or tracked? That would unblock the security criterion in the DD.

[andreyvelich]

Sure, sounds good.
/reopen

@juliusvonkohout @thesuperzapper @HumairAK @droctothorpe @mprahl @franciscojavierarceo @jeffspahr @SvenTo could you help to link the corresponding issues/PRs with the security fixes that was proposed after the audit?

[google-oss-prow]

@andreyvelich: Reopened this issue.

Details

In response to this:

Sure, sounds good.
/reopen

@juliusvonkohout @thesuperzapper @HumairAK @droctothorpe @mprahl @franciscojavierarceo @jeffspahr @SvenTo could you help to link the corresponding issues/PRs with the security fixes that was proposed after the audit?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreyvelich]

@kfaseela Here is the list of PRs that fix the security findings:

• ADA-KUBEFL-01: feat(backend): Remediate ADA-KUBEFL-01: Server-Side Request Forgery pipelines#12750
• ADA-KUBEFL-04: Implemented HTTP Artifact Streaming to Prevent OOM Errors with Large Files pipelines#12394
• ADA-KUBEFL-05: fix(metrics-collector): Use strict validation to get remote image katib#2583
• ADA-KUBEFL-06: fix(backend) stream metrics artifact extraction pipelines#13562
• ADA-KUBEFL-07: fix(backend): Added path traversal mitigation to DownloadBlob and improve unit test coverage pipelines#12928
• ADA-KUBEFL-09: chore: add GH Workflow linter & format existing workflows pipelines#12371
• ADA-KUBEFL-11: doc: more explicit comment for ADA-KUBEFL-11 hub#1593
• ADA-KUBEFL-12: ADA-KUBEFL-12: remove pprof from "production code" hub#1594
• ADA-KUBEFL-14: fix: possible int overflow hub#1470
• ADA-KUBEFL-15: [frontend] MinIO client in ml-pipeline-ui uses the default admin credentials instead of per-profile secrets pipelines#12373
• ADA-KUBEFL-16: [backend] Security exploit in mlpipeline-UI pipelines#9889

cc @kubeflow/kubeflow-hub-team @kubeflow/wg-pipeline-chairs @juliusvonkohout in case I missed something from the Model Registry or KFP side.

[jeffspahr]

Adding a reviewer-verifiable matrix for the Ada Logics 2025 audit findings. The published report is here:
https://github.com/kubeflow/community/blob/master/security/Ada_Logics-Kubeflow-security-audit-2025.pdf

The report itself contains ADA-KUBEFL-01 through ADA-KUBEFL-14. ADA-KUBEFL-15 and ADA-KUBEFL-16 are included below as supplemental KFP security tracking items because they were referenced in the earlier comment, but I do not see them as finding IDs in the published PDF.

ID	Severity	Component	Current DD status	Public evidence / remaining tracking
ADA-KUBEFL-01	Moderate	Pipelines	Resolved	Fixed by kubeflow/pipelines#12750.
ADA-KUBEFL-02	Moderate	KServe	Needs public tracking/fix	KServe HTTPS downloader SSRF still needs an issue/PR linked here, unless maintainers have a newer remediation link.
ADA-KUBEFL-03	Moderate	KServe	Needs public tracking/fix	KServe GCS path traversal still needs an issue/PR linked here, unless maintainers have a newer remediation link.
ADA-KUBEFL-04	Moderate	Pipelines	Partially resolved / scope needs confirmation	kubeflow/pipelines#12394 fixed artifact HTTP streaming. Please confirm whether this fully scopes the finding; remaining object-store GetFile callers should be bounded or tracked if in scope.
ADA-KUBEFL-05	Low	Katib	Resolved	Fixed by kubeflow/katib#2583.
ADA-KUBEFL-06	Low	Pipelines	Fix pending merge	Tracked by kubeflow/pipelines#13562.
ADA-KUBEFL-07	Moderate	Pipelines	Resolved	Fixed by kubeflow/pipelines#12928.
ADA-KUBEFL-08	Moderate	Kubeflow manifests / dependencies	Needs public tracking/evidence	NetworkPolicy coverage needs a linked issue/PR or rendered-manifest evidence showing intended workload coverage and documented exemptions.
ADA-KUBEFL-09	Critical	Pipelines	Resolved	Fixed by kubeflow/pipelines#12371.
ADA-KUBEFL-10	Critical	Trainer	Resolved	Fixed by kubeflow/trainer#2829.
ADA-KUBEFL-11	Informational	Model Registry / Hub	Resolved / accepted test fixture	Documented by kubeflow/hub#1593.
ADA-KUBEFL-12	Moderate	Model Registry / Hub	Resolved	Fixed by kubeflow/hub#1594.
ADA-KUBEFL-13	Critical, provisional	Katib / Notebooks	Needs threat-model decision and public tracking	The report marks this as an incomplete/provisional assessment. DD evidence should link the trusted-proxy/authentication invariant, direct-service-access controls, and spoofed-header test coverage or a tracking issue for that work.
ADA-KUBEFL-14	Informational	Model Registry dependency	Linked, but closure should be confirmed by maintainers	kubeflow/hub#1470 is linked as the remediation. Because the report references restricted crash details/trusted input, maintainer confirmation should be enough if the restricted OSS-Fuzz details cannot be public.

Supplemental KFP security tracking items mentioned above:

Supplemental ID	Status	Public evidence
ADA-KUBEFL-15	Closed	kubeflow/pipelines#12373
ADA-KUBEFL-16	Closed	kubeflow/pipelines#9889

Remaining public DD gaps from this matrix: ADA-KUBEFL-02, ADA-KUBEFL-03, ADA-KUBEFL-08, ADA-KUBEFL-13, and the exact residual scope for ADA-KUBEFL-04.