V14.2.7 - move to V10 #2167

Closed
elarlang opened this issue Oct 20, 2024 · 8 comments · Fixed by #2191
Labels
4) proposal for review Issue contains clear proposal for add/change something V14 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Collaborator

Spin-off from #2088, the requirement comes in via #899

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 14.2.7 | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications to prevent dependency confusion attacks. | | | | 427 |

For me, it is not a configuration requirement. I think it is again something for "V10.X software architecture" or "Handling software components".

@elarlang elarlang added the V14 label Oct 20, 2024
@elarlang elarlang added next meeting Filter for leaders 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet labels Oct 21, 2024
@jmanico
Member

jmanico commented Oct 21, 2024

This does not seem clear enough to me. We need more detail, IMO. How about:

Verify that third-party components are sourced from distinct, verifiable repositories separate from internally developed applications to prevent dependency confusion attacks. Implement rigorous validation processes, including signature verification and integrity checks, for all external dependencies. Additionally, monitor third-party repositories for updates and vulnerabilities to reduce the risk of malicious injection or supply chain attacks.

@tghosth
Collaborator

tghosth commented Oct 22, 2024

I think the original wording is ok. @elarlang to consider merging into the new merged requirement discussed in #2165

@tghosth tghosth added 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos _5.0 - prep This needs to be addressed to prepare 5.0 and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet next meeting Filter for leaders labels Oct 22, 2024
@elarlang
Collaborator Author

"Dependency confusion" is an attack against the build process, and it is not something you are going to check or fix with documentation.

The implementation process itself we considered to be out of scope - it is outside the application's responsibility. At the same time, we can not ignore this issue.

So we need to set the focus to the outcome - the built program code. Something like:

Verify that each 3rd party component for the application came from an expected repository for that component and there has not been dependency confusion in place.

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet and removed 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos labels Oct 23, 2024
@tghosth
Collaborator

tghosth commented Oct 24, 2024

@elarlang how about:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 14.2.7 | [ADDED] Verify that third party components are being included from the expected repository, whether that is internally owned or an external source, and that there is no risk of a dependency confusion attack. | | | | 427 |

@tghosth tghosth added 4) proposal for review Issue contains clear proposal for add/change something and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet labels Oct 24, 2024
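As an added example (not from the ASVS issue or the project), here is an outcome-level check in the spirit of the proposed wording: every dependency in an npm lockfile must have resolved from the registry expected for its scope and carry an integrity hash. The `@acme` scope, the registry hostnames and the lockfile contents are all constructed for the example.

```python
"""Audit an npm package-lock.json for dependency confusion symptoms.

Added example, not ASVS project code. Policy and lockfile below are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed policy: the internal @acme scope must resolve only from the internal
# registry; everything else from the public registry. Hostnames are assumptions.
REGISTRY_POLICY = {
    "@acme": {"registry.internal.example"},
    "*": {"registry.npmjs.org"},
}

# Constructed lockfileVersion 3 document. @acme/auth deliberately resolves from the
# public registry (the dependency confusion outcome), left-pad is not pinned at all.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-app"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-constructed",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/@acme/auth": {"version": "2.0.0", "integrity": "sha512-constructed",
            "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-2.0.0.tgz"},
        "node_modules/@acme/billing": {"version": "1.3.0", "integrity": "sha512-constructed",
            "resolved": "https://registry.internal.example/@acme/billing/-/billing-1.3.0.tgz"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

def expected_hosts(name, policy):
    """Registry hosts allowed for a package name; scoped names use their scope rule."""
    scope = name.split("/")[0] if name.startswith("@") else "*"
    return policy.get(scope, policy["*"])

def audit_lockfile(lock_text, policy=REGISTRY_POLICY):
    """Return a list of (package, reason) findings; an empty list means all clear."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL pinned"))
            continue
        host = urlparse(resolved).hostname
        allowed = expected_hosts(name, policy)
        if host not in allowed:
            findings.append((name, f"resolved from {host}, expected {sorted(allowed)}"))
        elif not meta.get("integrity"):
            findings.append((name, "no integrity hash"))
    return findings

if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"FAIL {pkg}: {reason}")
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with the file contents and the policy with your own scopes and registry hosts; a non-empty result is a build to stop, not a finding to document.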
@elarlang
Collaborator Author

Ok for me.

For the section, it still seems to be a dependency issue, and it can be together with the current 14.2.1 and be moved to V10?

@tghosth
Collaborator

tghosth commented Oct 24, 2024

So we would create a new dependency section v10.6?

@tghosth
Collaborator

tghosth commented Oct 24, 2024

Or is this an architecture thing?

@elarlang
Collaborator Author

For me it's solving a dependency issue, not the application architecture. So, my proposal is to move current section V14.2 to V10.6.
