Application Security Review Request : OpenTelemetry PHP SDK
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	CDanis
	Jun 18 2024, 6:03 PM

Description

Project Information

Name of tool/project: OpenTelemetry PHP SDK
Project home page: https://opentelemetry.io/docs/languages/php/ and see also https://opentelemetry.io/docs/what-is-opentelemetry/
Name of team requesting review: SRE
Primary contact: @CDanis
Target date for deployment: 2024-08-14
Links to code repository / patchset:
- to be vendored: https://github.com/open-telemetry/opentelemetry-php
- unvendored Mediawiki proof-of-concept patchset: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1027519
Link to scc output for general sizing of codebases (https://github.com/boyter/scc):

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
PHP                        909     73351    11129     17360    44862        951
Markdown                    28      1333      388         0      945          0
YAML                        28      1677       98       509     1070          0
JSON                        24       816        7         0      809          0
Shell                        3       168       28        22      118          6
Dockerfile                   2        69       13         0       56          4
Jinja                        2        74        9         3       62         15
C Header                     1         9        2         0        7          0
Docker ignore                1         2        0         0        2          0
License                      1       201       32         0      169          0
Makefile                     1       109        3         2      104          0
XML                          1         6        0         0        6          0
───────────────────────────────────────────────────────────────────────────────
Total                     1001     77815    11709     17896    48210        976
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $1,580,845
Estimated Schedule Effort (organic) 16.37 months
Estimated People Required (organic) 8.58
───────────────────────────────────────────────────────────────────────────────
Processed 2624403 bytes, 2.624 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

Description of the tool/project:
OpenTelemetry is the de facto industry standard framework for distributed tracing. It also supports its own take on logs and metrics as well, which we won't be using -- so the scc count above is an overestimate.

Description of how the tool will be used at WMF:
We will use it to allow Mediawiki to insert spans into the distributed traces we are collecting. This will allow us to include Mediawiki-internal events like database queries, BagOStuff lookups, PoolCounter locks held, etc, in these traces.

Dependencies

"php-http/discovery": "^1.14",
"psr/http-client-implementation": "^1.0",
"psr/http-factory-implementation": "^1.0",
"psr/http-client": "^1.0",
"psr/http-message": "^1.0.1|^2.0",
"psr/log": "^1.1|^2.0|^3.0",
"ramsey/uuid": "^3.0 || ^4.0",
"symfony/polyfill-mbstring": "^1.23",
"symfony/polyfill-php82": "^1.26"

Has this project been reviewed before?
No

Working test environment
See T340552#9774101

Post-deployment
Mediawiki Platform + SRE Serviceops + SRE Observability.

Details

Risk Rating: Low
Author Affiliation: WMF Technology

Related Objects
Search...

Status	Assigned	Task
Open	None	T340551 distributed tracing epic
Open	None	T320549 distributed tracing v0 [minimum viable]
Open	None	T340573 Add support for request tracing to WikimediaDebug browser extension
Open	CDanis	T340552 Implement and wire-up minimal OpenTelemetry tracing client compatible with OTEL data model
Resolved	• Aprum	T367905 Application Security Review Request : OpenTelemetry PHP SDK

Event Timeline

CDanis created this task.Jun 18 2024, 6:03 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2024, 6:03 PM

CDanis added a parent task: T340552: Implement and wire-up minimal OpenTelemetry tracing client compatible with OTEL data model.Jun 18 2024, 6:03 PM

TK-999 subscribed.Jun 18 2024, 6:07 PM

sbassett moved this task from Incoming to Back Orders on the secscrum board.Jun 20 2024, 3:46 PM

sbassett moved this task from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.Jul 3 2024, 3:37 PM

sbassett moved this task from Upcoming Quarter Planning Queue to Waiting on the secscrum board.Jul 3 2024, 5:14 PM

• acooper assigned this task to • Aprum.Jul 16 2024, 5:33 PM

• Cleo_Lemoisson added a project: Privacy Engineering.Jul 17 2024, 1:15 PM

@Aprum is working on an new rapid assessment process that would allow us to unblock this ticket, we are hoping to get this done by next week.

Hi @CDanis , we took a look at this repository found minimal problems, please feel free to move forward with using OpenTelemetry!

One thing to note is that static application security testing (SAST) has not been run on all commits within the repository. At the moment it's unclear if this will pose any problems done the line. Overall you're good to go.

Thanks! - Aranya

aranyap moved this task from Incoming to Completed on the Privacy Engineering board.Jul 31 2024, 1:47 AM