
Prevent supply chain attacks in open-telemetry repositories #58

Open

marcalff opened this issue Aug 6, 2024 · 2 comments
marcalff (Member) commented Aug 6, 2024

Today, opentelemetry-cpp got an attack in the form of:

  • a PR, that wants to add binary files (a .zip) and shell scripts in the repo

This PR has already been deleted; the audit trail shows:

File Changes

([5 files](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files))

    M [.gitattributes](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-618cd5b83d62060ba3d027e314a21ceaf75d36067ff820db126642944145393e) (11)
    A [.yamato/bin/python-3.11.5-embed-amd64.zip](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-f5ac278b83378ade50ded6f9cc57a4f0e9d1108a1ea7f8dcdef4f3688bfd0104) (3)
    A [.yamato/main.yml](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-792110253ce7d624130d2119785a277aeb0ac0847ac1497ebbc3119273820062) (61)
    A [.yamato/scripts/build.ps1](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-001b58f0bc08fd2f98c2694df66277be766efd689816ac6b9eeca30a93d04d2a) (118)
    A [.yamato/scripts/build.sh](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-cee5ccc59f492b371e08172ebf50b3a4be4b08170d6210c88408a44cf15efb16) (55)

I would like to add logic to find executable files and/or files that contain binary, to audit the code, and ring bells when this happens, should the PR (hypocrite commit) pass code review and be merged.

The problem is that if this logic itself is part of CI scripts located in the opentelemetry-cpp repository, any PR that wants to inject code will just disable or alter the scripts as well, making this useless.

Where would be a good place to have audit tools that scan for executables or data files in each open-telemetry repository?

Related:

cc @open-telemetry/cpp-maintainers
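As an added example (not code from opentelemetry-cpp or from the issue author), below is the kind of audit logic the comment above asks for, written so that it can live and run outside the repository it inspects: it takes a path to any checked-out tree and returns findings rather than depending on CI scripts inside that repository. It applies three rules suggested by the file list above: a NUL byte in the first 8000 bytes of a file (the same heuristic git uses to call a blob binary and render no diff), an executable mode bit or an archive/script suffix, and any change to `.gitattributes`, since `path binary` or `path -diff` there makes git hide the content of matching files from reviewers. The suffix list, the `Finding` type, and the sample tree (which only mimics the shape of the deleted PR, with constructed contents and names) are assumptions of this example.

```python
"""Added example: audit a checked-out tree for content that a text diff hides.

Not code from opentelemetry-cpp or the issue author. Rules applied:
  * a NUL byte in the first 8000 bytes -> "binary-content" (git's own rule
    for deciding a blob is binary and showing no diff);
  * executable mode bit set -> "executable-bit";
  * archive or script suffix -> "suspect-suffix" (list is an assumption);
  * any .gitattributes file -> "diff-control-file", because `binary` or
    `-diff` entries there suppress the diff reviewers would otherwise read.
The sample tree at the bottom is constructed for this example.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass

BINARY_PROBE_BYTES = 8000  # git checks for NUL within the first 8000 bytes

# Assumed list; extend per project.
SUSPECT_SUFFIXES = {".zip", ".7z", ".tar", ".gz", ".tgz", ".jar",
                    ".exe", ".dll", ".so", ".dylib",
                    ".sh", ".ps1", ".bat", ".cmd"}

# Files whose content controls how git renders diffs.
DIFF_CONTROL_FILES = {".gitattributes"}


@dataclass(frozen=True)
class Finding:
    path: str     # relative to the scanned root, '/' separators
    reason: str   # short reason code, see module docstring


def is_binary(data: bytes) -> bool:
    """git's heuristic: a NUL byte in the leading 8000 bytes means binary."""
    return b"\x00" in data[:BINARY_PROBE_BYTES]


def audit_file(relpath: str, data: bytes, mode: int) -> list[Finding]:
    """Apply every rule to one file; `mode` may come from os.stat or git (e.g. 0o100755)."""
    findings = []
    name = os.path.basename(relpath)
    suffix = os.path.splitext(name)[1].lower()
    if name in DIFF_CONTROL_FILES:
        findings.append(Finding(relpath, "diff-control-file"))
    if is_binary(data):
        findings.append(Finding(relpath, "binary-content"))
    if mode & stat.S_IXUSR:
        findings.append(Finding(relpath, "executable-bit"))
    if suffix in SUSPECT_SUFFIXES:
        findings.append(Finding(relpath, "suspect-suffix"))
    return findings


def audit_tree(root: str) -> list[Finding]:
    """Walk a checked-out tree (skipping .git) and return all findings sorted by path."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read(BINARY_PROBE_BYTES)  # only the probe window is needed
            findings.extend(audit_file(rel, data, os.stat(full).st_mode))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_tree() -> str:
    """Constructed sample tree shaped like the deleted PR; contents and names are made up."""
    root = tempfile.mkdtemp(prefix="audit-")
    files = {
        "src/main.cc": (b"int main() { return 0; }\n", 0o644),
        ".gitattributes": (b"*.zip binary\n", 0o644),
        ".yamato/bin/python-embed.zip": (b"PK\x03\x04\x00\x00\x00\x00", 0o644),
        ".yamato/scripts/build.sh": (b"#!/bin/sh\nset -e\n", 0o755),
        ".yamato/main.yml": (b"name: build\n", 0o644),
    }
    for rel, (data, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(f"{finding.reason:20} {finding.path}")
```

Because the script only needs a directory on disk, it can be kept in a separate, tightly controlled repository and pointed at a checkout of the target repository's PR head or main branch; a PR against the scanned repository then cannot edit the check away. Restricting it to a PR's changed files is a matter of feeding `audit_file` the paths and modes from `git diff --raw base...head` instead of walking the whole tree.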

jpkrohling (Member) commented
I believe this is the role of CodeQL / Snyk. They can be integrated either via GitHub workflow, or as application. I can work with you to onboard opentelemetry-cpp on Snyk and see if that would have caught this situation.

@jpkrohling jpkrohling self-assigned this Aug 13, 2024
jpkrohling (Member) commented
@marcalff, can you ping me via Slack? I'll need your email address in order to invite you to the Snyk organization. Once you are there, I'll include opentelemetry-cpp there for scanning. You should be able to make it a required check if you wish afterwards.
