
Improving dependencies security

Open RassK opened this issue 3 years ago • 1 comment

What

We have a practice in SFx (Splunk) to pinpoint exact versions (major.minor.patch.etc) of all dependencies. These dependencies should then be updated via dependabot or a custom script by opening a PR.

First mentioned here https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/pull/1131#discussion_r957702202 by @Kielek.

Why

Keeps dependencies under control, so no unexpected auto updates occur. Theoretically all updates must also be verified before accepting a PR, so as not to let intentionally created vulnerable packages (hacked supply chain) through. We all know that manual verification is pretty much impossible at this volume (the whole dependency tree must be scanned). Splunk is using Fossa; I'm not really sure who should supply such a tool for OTel.

Which ones?

  • NuGet packages - covered by dependabot
  • Docker files - images are covered by dependabot
  • Docker compose - unfortunately manual
  • CI files (yml) - actions are covered by dependabot
  • Linux packages - all manual
  • Executable scripts - verify by hash, all manual

(See example doc here)

RassK avatar Aug 30 '22 07:08 RassK

For the executable script, I suggest vendoring it instead. Thanks to that, the build will not magically fail if the content changes.

This is how it is done in setup-dotnet GitHub Action here: https://github.com/actions/setup-dotnet/commits/main/externals/install-dotnet.sh

We can additionally create a GitHub workflow which checks if the file is up-to-date (and maybe create a PR that updates the content?)

pellared avatar Aug 30 '22 12:08 pellared
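The two approaches discussed in this thread, verifying a downloaded executable script against a pinned hash (from the issue's "Executable scripts" bullet) and checking that a vendored copy still matches upstream (from the comment above), as one added shell example. This is not code from the issue or from the opentelemetry-dotnet-instrumentation project; the function names, the placeholder script content and the temporary files are constructed for the example, and a real CI job would replace the constructed "fresh" file with a copy fetched from the upstream URL.

```shell
#!/bin/sh
# Added example (not from the issue or the project): pin-and-verify for
# downloaded executable scripts, plus a drift check for a vendored copy.
set -eu

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only if FILE hashes to the digest pinned in the repository;
# the caller must not execute the script when this returns non-zero.
verify_pinned() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "hash mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# vendored_up_to_date VENDORED_FILE FRESH_FILE
# Returns 0 if the vendored copy matches the freshly fetched upstream copy,
# non-zero if they differ (CI can then fail, or open a PR refreshing the copy).
vendored_up_to_date() {
  [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Demo with constructed files; the script content below is made up.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho "install-dotnet placeholder"\n' > "$tmp/install.sh"
  cp "$tmp/install.sh" "$tmp/vendored.sh"
  pinned=$(sha256_of "$tmp/install.sh")

  verify_pinned "$tmp/install.sh" "$pinned"                 # matches pin
  vendored_up_to_date "$tmp/vendored.sh" "$tmp/install.sh"  # no drift

  # Simulate an upstream change: the pin and the vendored copy now disagree.
  printf 'echo "changed upstream"\n' >> "$tmp/install.sh"
  if verify_pinned "$tmp/install.sh" "$pinned" 2>/dev/null; then
    echo "unexpected: modified script passed the pin" >&2; rm -rf "$tmp"; return 1
  fi
  if vendored_up_to_date "$tmp/vendored.sh" "$tmp/install.sh"; then
    echo "unexpected: drift not detected" >&2; rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  echo "ok"
}

demo
```

Both checks reduce to comparing digests, so the same helper serves the "download and verify" and the "vendor and detect drift" strategies; the difference is only where the reference digest comes from (a value pinned in the repo versus the hash of the vendored file).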