
[SECURITY] Audit the opentelemetry-cpp repository for supply chain attacks

Open marcalff opened this issue 10 months ago • 2 comments

In light of the xz attack:

  • https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

audit the opentelemetry-cpp repository for possible attack vectors.

Full list of checks to be determined.

To start with:

  • review executable permissions on files
  • audit and remove all binary files from the repository (not aware of any)
  • enforce CI to forbid binary files
  • audit binary downloads used during the build process
  • enforce checksums when appropriate
  • cut off unnecessary dependencies when practical
  • prefer installing dependencies from the OS distribution, when practical

Subtasks:

  • [X] #2627
  • [ ] CI to forbid binary files

marcalff avatar Apr 02 '24 08:04 marcalff
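The first three checks in the list above, plus the checksum one, as an added example script that is not part of this issue or of the opentelemetry-cpp project: it walks a checkout, flags files with any executable bit set, flags binary files using git's own NUL-byte heuristic, and verifies fetched artefacts against a sha256sum-style manifest. The allowlists, the skipped directories, the sample tree and the manifest are all constructed here for illustration and do not describe the real repository.

```python
"""Repository hygiene audit: executable bits, binary files, pinned checksums.

Added example, not project code. Everything named below (allowlists, skipped
directories, sample tree, manifest) is an assumption made for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import stat
import sys
import tempfile
from pathlib import Path

# Hypothetical allowlists: repo-relative paths that may legitimately be binary
# or executable. Empty binary allowlist matches the issue's "no binary files" goal.
BINARY_ALLOWLIST: set[str] = set()
EXECUTABLE_ALLOWLIST: set[str] = {"ci/do_ci.sh"}
# Hypothetical: directories audited separately (e.g. vendored submodules).
SKIP_DIRS = {".git", "third_party"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _walk(root: Path):
    """Yield (absolute path, repo-relative POSIX path) for regular files."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():  # symlinks carry no content of their own
                continue
            yield p, p.relative_to(root).as_posix()


def is_binary(path: Path, sample_size: int = 8192) -> bool:
    """Same heuristic git uses: a NUL byte within the first 8 KiB means binary."""
    with path.open("rb") as f:
        return b"\x00" in f.read(sample_size)


def find_binaries(root: Path) -> list[str]:
    return sorted(rel for p, rel in _walk(root)
                  if rel not in BINARY_ALLOWLIST and is_binary(p))


def find_executables(root: Path) -> list[str]:
    return sorted(rel for p, rel in _walk(root)
                  if rel not in EXECUTABLE_ALLOWLIST and p.stat().st_mode & EXEC_BITS)


def verify_checksums(root: Path, manifest: str) -> dict[str, bool]:
    """Manifest lines use sha256sum's format: '<hex digest>  <relative path>'.
    A missing file counts as a failure, so a download step cannot be skipped silently."""
    results: dict[str, bool] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, rel = line.split(maxsplit=1)
        rel = rel[1:] if rel.startswith("*") else rel  # sha256sum binary-mode marker
        path = root / rel
        if not path.is_file():
            results[rel] = False
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        results[rel] = hmac.compare_digest(actual, expected.lower())
    return results


def audit(root: Path, manifest: str = "") -> dict[str, list[str]]:
    """Run all checks; any non-empty list is a CI failure."""
    checks = verify_checksums(root, manifest)
    return {
        "binaries": find_binaries(root),
        "executables": find_executables(root),
        "checksum_failures": sorted(rel for rel, ok in checks.items() if not ok),
    }


# Constructed sample manifest. The digests are sha256("abc") for both entries,
# so expected.txt (content "abc") passes and tampered.txt (content "abd") fails.
SAMPLE_MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  deps/expected.txt
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  deps/tampered.txt
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  deps/missing.tar.gz
"""


def build_sample_tree() -> Path:
    """Constructed sample checkout (not the real repository) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="repo-audit-"))
    for d in ("ci", "src", "deps"):
        (root / d).mkdir()
    (root / "ci" / "do_ci.sh").write_text("#!/bin/sh\nexit 0\n")      # allowlisted
    (root / "ci" / "setup.sh").write_text("#!/bin/sh\nexit 0\n")      # not allowlisted
    (root / "src" / "tracer.cc").write_text("int main() { return 0; }\n")
    (root / "src" / "blob.o").write_bytes(b"\x7fELF\x00\x00\x00stray object")
    (root / "deps" / "expected.txt").write_text("abc")
    (root / "deps" / "tampered.txt").write_text("abd")
    # Two scripts legitimately executable, one source file wrongly executable.
    for rel in ("ci/do_ci.sh", "ci/setup.sh", "src/tracer.cc"):
        p = root / rel
        p.chmod(p.stat().st_mode | EXEC_BITS)
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    manifest = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else SAMPLE_MANIFEST
    report = audit(target, manifest)
    for key, items in report.items():
        print(f"{key}: {items or 'ok'}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it with no arguments to audit the constructed tree, or pass a checkout path and a manifest file to audit a real tree; the non-zero exit makes it usable as a CI gate. The NUL-byte heuristic is the same one git uses for its text/binary decision, so a file this script flags is one `git diff` would also refuse to show as text; files that slip past it (for example base64-encoded blobs in source) need a size or entropy check on top.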

Upstream unnecessary permission found, seen with github submodules:

  • https://github.com/open-telemetry/opentelemetry-proto/issues/540

marcalff avatar Apr 02 '24 08:04 marcalff

This issue was marked as stale due to lack of activity.

github-actions[bot] avatar Jun 05 '24 01:06 github-actions[bot]