Merge branch 'main' into supabase-cre-rules

RaghavArora14 · web-flow · commit ecdb04ae5fe5 · 2025-09-08T21:59:12.000+05:30
diff --git a/rules/cre-2025-0090/loki-log-line-long.yaml b/rules/cre-2025-0090/loki-log-line-long.yaml
@@ -46,6 +46,8 @@ rules:
         - grafana
       references:
         - "https://grafana.com/docs/grafana-cloud/send-data/logs/troubleshoot/#line-too-long"
+      impactScore: 5
+      mitigationScore: 5
     rule:
       set: # Using 'set' for single event matching, as it's a single log line detection
         event:
diff --git a/rules/cre-2025-0103/nats-connection-failure.yaml b/rules/cre-2025-0103/nats-connection-failure.yaml
@@ -48,6 +48,8 @@ rules:
       applications:
         - name: "nats"
           version: ">=2.0.0"
+      impactScore: 8
+      mitigationScore: 7
     rule:
       sequence:
         window: 30s
diff --git a/rules/cre-2025-0104/istio-ambient-xds.yaml b/rules/cre-2025-0104/istio-ambient-xds.yaml
@@ -37,6 +37,8 @@ rules:
       applications:
         - name: istio-ambient
           version: ">=1.26.0"
+      impactScore: 8
+      mitigationScore: 7 
     rule:
       set:
         event:
diff --git a/rules/cre-2025-0106/ambient-cni-sandbox-creation-failure.yaml b/rules/cre-2025-0106/ambient-cni-sandbox-creation-failure.yaml
@@ -43,6 +43,8 @@ rules:
       applications:
         - name: istio-cni
           version: ">=1.26.0"
+      impactScore: 9
+      mitigationScore: 7
     rule:
       set:
         window: 60s
diff --git a/rules/cre-2025-0108/istio-readiness-probe.yaml b/rules/cre-2025-0108/istio-readiness-probe.yaml
@@ -40,6 +40,8 @@ rules:
       applications:
         - name: istio-ambient
           version: ">=1.26.0"
+      impactScore: 9
+      mitigationScore: 6
     rule:
       set:
         window: 300s
diff --git a/rules/cre-2025-0109/istio-ambient-status-codes.yaml b/rules/cre-2025-0109/istio-ambient-status-codes.yaml
@@ -39,6 +39,8 @@ rules:
       applications:
         - name: ztunnel
           version: ">=1.26.0"
+      impactScore: 8
+      mitigationScore: 7
     rule:
       set:
         event:
diff --git a/rules/cre-2025-0110/ztunnel-traffic.yaml b/rules/cre-2025-0110/ztunnel-traffic.yaml
@@ -37,6 +37,8 @@ rules:
         - Monitor ztunnel logs for frequent timeouts & alert
       references:
         - https://github.com/istio/istio/wiki/Troubleshooting-Istio-Ambient#scenario-traffic-timeout-with-ztunnel
+      impactScore: 8
+      mitigationScore: 7
     rule:
       set:
         window: 180s
diff --git a/rules/cre-2025-0111/istio-ambient-troubleshoot.yaml b/rules/cre-2025-0111/istio-ambient-troubleshoot.yaml
@@ -46,6 +46,8 @@ rules:
         - network
       references:
         - https://github.com/istio/istio/wiki/Troubleshooting-Istio-Ambient#scenario-ztunnel-fails-with-failed-to-bind-to-address-115053-address-family-not-supported
+      impactScore: 8
+      mitigationScore: 7
     rule:
       set:
         event:
diff --git a/rules/cre-2025-0114/nginx-ingress-rewrite-failure.yaml b/rules/cre-2025-0114/nginx-ingress-rewrite-failure.yaml
@@ -53,6 +53,8 @@ rules:
           version: ">= 1.0.0"
         - name: nginx
           version: ">= 1.0.0"
+      impactScore: 8
+      mitigationScore: 6
     metadata:
       gen: 1
       kind: prequel
diff --git a/rules/cre-2025-0115/mongodb.yaml b/rules/cre-2025-0115/mongodb.yaml
@@ -33,6 +33,8 @@ rules:
       applications:
         - name: "mongodb"
           version: "8.0"
+      mitigationScore: 6
+      impactScore: 8
     rule:
       set:
         event:
diff --git a/rules/cre-2025-0120/nginx-configmap-size-limit.yaml b/rules/cre-2025-0120/nginx-configmap-size-limit.yaml
@@ -44,6 +44,8 @@ rules:
           version: "1.x"
         - name: "kubernetes"
           version: "1.19+"
+      mitigationScore: 7
+      impactScore: 9
     metadata:
       kind: prequel
       id: UseRulerToGenerateThis
@@ -56,4 +58,4 @@ rules:
         match:
           - regex: "ConfigMap.*is invalid.*Too long.*must have at most 1048576 bytes"
           - regex: "failed to create configmap.*Too long.*must have at most"
-          - regex: "Error from server.*NotFound.*configmaps.*nginx-config"
+          - regex: "Error from server.*NotFound.*configmaps.*nginx-config"
diff --git a/rules/cre-2025-0127/cre-exit-127.yaml b/rules/cre-2025-0127/cre-exit-127.yaml
@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: TDtvSvVJU5vUaLZuRZBVk9
+    cre:
+      id: CRE-2025-0127
+      severity: 2
+      title: Container exited 127 due to command not found (bad entrypoint/command)
+      category: configuration-problem
+      author: CRE Community
+      description: |
+        Exit code 127 indicates the configured command/entrypoint was not found in the image or PATH.
+        New or misconfigured deployments commonly hit this and immediately crash.
+      cause: |
+        - Typo in command/entrypoint or wrong binary path.
+        - Missing executable in the image or non-executable file permissions.
+        - Different base image where the tool isn’t installed by default.
+      impact: |
+        - Pod fails to start; controllers may enter CrashLoopBackOff.
+        - Service remains unavailable until the image/command is fixed.
+      tags:
+        - k8s
+        - exit-code
+        - command
+        - entrypoint
+        - startup-failure
+      mitigation: |
+        - Verify the binary exists and is executable (`chmod +x`).
+        - Use absolute paths or fix PATH; test with `docker run` locally.
+        - Add pre-deploy checks in CI to validate entrypoint presence.
+      references:
+        - "https://kubernetes.io/docs/concepts/workloads/pods/"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 3
+      mitigationScore: 3
+      reports: 6
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t127$"
diff --git a/rules/cre-2025-0127/test.log b/rules/cre-2025-0127/test.log
@@ -0,0 +1 @@
+2025-08-27T13:18:27Z	cre-demo/cmd-127	bad-cmd	Error	127
diff --git a/rules/cre-2025-0134/cre-exit-134.yaml b/rules/cre-2025-0134/cre-exit-134.yaml
@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: T8tPh6u4Bj7nXidQWbRvvj
+    cre:
+      id: CRE-2025-0134
+      severity: 2
+      title: Container exited 134 due to SIGABRT / assertion failure
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 134 indicates the process aborted via SIGABRT, commonly due to failed assertions,
+        allocator checks (e.g., glibc detecting heap corruption), or explicit abort() calls.
+      cause: |
+        - assert(false) / std::abort() in C/C++.
+        - Memory allocator consistency errors (double free, corruption).
+        - Defensive abort on unrecoverable invariant violations.
+      impact: |
+        - Immediate termination of the container; possible loss of in-flight work.
+        - Repeated crashes if the triggering condition is deterministic at startup.
+      tags:
+        - k8s
+        - exit-code
+        - sigabrt
+        - assertion
+        - native
+      mitigation: |
+        - Enable core dumps and symbols; capture backtraces.
+        - Run ASAN/UBSAN builds in staging to localize corruption.
+        - Pin and verify libc/libstdc++ versions; roll back recent native changes.
+      references:
+        - "https://www.gnu.org/software/libc/manual/html_node/Aborting-a-Program.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 4
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t134$"
diff --git a/rules/cre-2025-0134/test.log b/rules/cre-2025-0134/test.log
@@ -1,3 +1,4 @@
+
 2025-01-28T10:35:10Z ERROR   supabase-realtime invalid replication mode: 'invalid_mode' is not a supported replication mode
 2025-01-28T10:35:10Z ERROR   supabase-realtime REPLICATION_MODE configuration error: unknown value 'invalid_mode'
 2025-01-28T10:35:11Z ERROR   supabase-realtime realtime configuration error: INVALID_CONFIG_PARAM is not recognized
@@ -9,3 +10,6 @@
 2025-01-28T10:35:14Z ERROR   supabase-realtime realtime service crash: {:error, :invalid_config}
 
 
+=======
+2025-08-27T13:26:39Z	cre-demo/abort-134	aborter	Error	134
+
diff --git a/rules/cre-2025-0137/cre-exit-137.yaml b/rules/cre-2025-0137/cre-exit-137.yaml
@@ -0,0 +1,50 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: VuPxiuWkYodzUqupa7gh9N
+    cre:
+      id: CRE-2025-0137
+      severity: 1
+      title: Pod terminated with Exit Code 137 due to OOMKilled (memory limit exceeded)
+      category: memory-problem
+      author: CRE Community
+      description: |
+        The container exceeded its memory limit and was killed by the kernel OOM killer.
+        Kubernetes reports a terminated state with Reason=OOMKilled and exitCode=137.
+        This often manifests as CrashLoopBackOff under sustained memory pressure.
+      cause: |
+        - Memory limit too low relative to peak usage.
+        - Sudden traffic spikes causing allocation bursts.
+        - Memory leaks or fragmentation in long-running processes.
+        - Under-provisioned nodes or overly strict pod limits.
+      impact: |
+        - Request errors and latency spikes during restarts.
+        - CrashLoopBackOff and reduced availability.
+        - Potential loss of in-flight work not checkpointed to durable storage.
+      tags:
+        - k8s
+        - exit-code
+        - out-of-memory
+        - memory
+        - crash-loop
+        - reliability
+      mitigation: |
+        - Raise memory requests/limits; add headroom for peak allocations.
+        - Enable profiling and leak detection; tune GC/heap where applicable.
+        - Consider Vertical Pod Autoscaler for right-sizing.
+        - Watch node memory pressure and eviction thresholds.
+      references:
+        - "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-states"
+        - "https://kubernetes.io/docs/tasks/administer-cluster/out-of-resource/"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 12
+    rule:
+      set:
+        event:
+          source: cre.log.k8s      
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\tOOMKilled\\t137$"
diff --git a/rules/cre-2025-0137/test.log b/rules/cre-2025-0137/test.log
@@ -1,3 +1,4 @@
+
 2025-01-28T10:50:32Z ERROR   supabase-db     ERROR: could not write to file "base/13442/16384": No space left on device
 2025-01-28T10:50:32Z ERROR   supabase-db     FATAL: could not write to WAL file: No space left on device
 2025-01-28T10:50:33Z ERROR   supabase-db     ERROR: disk full, could not extend file "base/13442/16385" to 8192 blocks
@@ -8,3 +9,6 @@
 2025-01-28T10:50:35Z ERROR   supabase-db     migration failed: disk full during large data operation
 
 
+=======
+2025-08-27T11:51:17Z	cre-demo/oom-137	eater	OOMKilled	137
+
diff --git a/rules/cre-2025-0139/cre-exit-139.yaml b/rules/cre-2025-0139/cre-exit-139.yaml
@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: KHtVUpTbZHaevdn4EABmQEe
+    cre:
+      id: CRE-2025-0139
+      severity: 2
+      title: Container exited 139 due to segmentation fault (SIGSEGV)
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 139 indicates SIGSEGV (invalid memory access) in native/runtime code.
+        Frequently caused by unsafe pointer operations, ABI/library mismatches, or native extensions.
+      cause: |
+        - Null dereference or out-of-bounds access in C/C++/Rust unsafe blocks.
+        - Incompatible glibc/musl or driver/library versions.
+        - Faulty JNI/ctypes/native extension code paths.
+      impact: |
+        - Hard crash; requests being processed may be dropped.
+        - Repeated crashes if the segfault occurs deterministically at startup.
+      tags:
+        - k8s
+        - exit-code
+        - segfault
+        - native
+        - reliability
+      mitigation: |
+        - Enable core dumps and symbol files; capture stack traces.
+        - Pin compatible base image/libc; verify ABI expectations.
+        - Use ASAN/UBSAN builds; bisect recent native/library changes.
+      references:
+        - "https://man7.org/linux/man-pages/man7/signal.7.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 7
+      mitigationScore: 2
+      reports: 5
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t139$"
diff --git a/rules/cre-2025-0139/test.log b/rules/cre-2025-0139/test.log
@@ -1,3 +1,4 @@
+
 2025-01-28T11:00:12Z ERROR   supabase-kong   SSL certificate not found: /etc/ssl/certs/server.crt: no such file or directory
 2025-01-28T11:00:12Z ERROR   supabase-kong   SSL configuration error: certificate file missing or unreadable
 2025-01-28T11:00:13Z ERROR   supabase-kong   invalid certificate format: unable to load certificate
@@ -9,3 +10,5 @@
 2025-01-28T11:00:16Z ERROR   supabase-kong   TLS configuration failed: missing SSL certificate files
 
 
+=======
+2025-08-27T13:32:40Z	cre-demo/segv-139	segv	Error	139
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml
@@ -848,6 +848,7 @@ tags:
   - name: cluster-scaling
     displayName: Cluster Scaling
     description: Problems related to Kubernetes cluster scaling operations and capacity management
+
   - name: supabase
     displayName: Supabase
     description: Problems related to Supabase self-hosted deployments and services
@@ -875,6 +876,26 @@ tags:
   - name: data-integrity
     displayName: Data Integrity
     description: Problems that affect the completeness, accuracy, or consistency of data
+=======
+  - name: exit-code
+    displayName: Exit Code
+    description: Problems identified by specific process/container exit codes (e.g., 137, 127, 134, 139).
+  - name: entrypoint
+    displayName: Entrypoint
+    description: Failures caused by invalid or missing container ENTRYPOINT/CMD definitions.
+  - name: command
+    displayName: Command
+    description: Problems caused by invalid commands or arguments at startup (e.g., not found, bad path, non-executable).
+  - name: sigabrt
+    displayName: SIGABRT
+    description: Crashes where a process aborts with SIGABRT (exit 134), often due to assertion failures or allocator checks.
+  - name: native
+    displayName: Native
+    description: Issues in native code paths (C/C++/Rust, libc/ABI), including crashes and memory faults.
+  - name: reliability
+    displayName: Reliability
+    description: Unstable behavior such as unexpected restarts, crash loops, or intermittent failures affecting service reliability.
+
   - name: autogpt
     displayName: AutoGPT
     description: Problems related to AutoGPT autonomous AI agent framework
